RBAC system - problem when roles inherit from other role with bizrule

Hi,

While debugging some strange behavior in the system I’m developing I’ve noticed what seems to be a possible bug in Yii’s CDbAuthManager->checkAccessRecursive(). I’m not sure of it since I haven’t taken the time to read ALL the methods involved. Below is my permissions diagram and the description of the issue:





Authenticated (do D, do E)  [bizrule=return !Yii::app()->getUser()->getIsGuest();]
  ^
  |
Guest (do A, do B, do C) [bizrule=return Yii::app()->getUser()->getIsGuest();]



  • As you can see, the Guest role can do A, B, C and it has a nice bizrule that, if combined with authManager::defaultRoles (array), requires no assigning of the role to anyone.
  • Similarly, the Authenticated role can do another bunch of stuff, in addition to inheriting all the stuff that Guest can (natural thus far, isn’t it?). The Authenticated role has a bizrule which is even more effective than the Guest role’s - every user that is not “isGuest” is considered Authenticated, and no assignment of this role to users on the system is thus achieved.

Problem:

I wasn’t able to “do A” as an authenticated user. According to my debugging, what happened is as follows: since “do A” is not assigned to “Authenticated user”, the parents of “do A” are loaded. They are “Guest” (let’s assume there’s only one). Another iteration of checkAccessRecursive() is called with a check on the parent (Guest). Now, since the bizrule for Guest will fail in line 95 of the CDbAuthManager.php file, the method will return false on line 116 (latest Yii, v1.1.10 IIRC :) ).

I hope the above is correct and if so, there’s some problem here:

  • Either my usage is incorrect and no two roles with bizrules should be related by such inheritance (hmm. I hope this is right…). If so, this should be noted in the documentation.
  • Or, possibly checkAccessRecursive() implementation should change to allow such a permission scheme.

What do you think?

Any help will be appreciated!

NOTE: moved to proper section (Bug Discussion instead of General Discussion for Yii 1.1.x)

GitHub issue for this - https://github.com/yiisoft/yii/issues/742

Oops, I wasn’t aware of this forum. Thanks for pointing this out. I would definitely use this forum for future reports.

I’ll continue the discussion on the github issue…
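The traversal described in the first post, as an added example that is not part of the thread and is not Yii's code: a simplified model in which a failing bizrule on an intermediate role stops the upward walk, so the roles above it are never consulted. It prints the decision for "do A" for a guest and an authenticated user, once with the Guest bizrule from the post and once with that bizrule removed. The array layout, `buildItems()` and `checkAccess()` are hypothetical names, and the model assumes no explicit role assignments, only default roles.

```php
<?php
// Simplified model of the traversal described in the post. NOT Yii's code:
// the array layout, buildItems() and checkAccess() are constructed here.

// Each item has a bizrule (null = none) and parents (items that include it).
function buildItems($guestRule)
{
    $notGuest = function ($isGuest) { return !$isGuest; };
    return array(
        'do A'          => array('bizrule' => null, 'parents' => array('Guest')),
        'Guest'         => array('bizrule' => $guestRule, 'parents' => array('Authenticated')),
        'Authenticated' => array('bizrule' => $notGuest, 'parents' => array()),
    );
}

// Walk from the requested item up through its parents. An item whose bizrule
// fails ends the walk on that branch, so its own parents are never checked.
function checkAccess(array $items, array $defaultRoles, $itemName, $isGuest)
{
    $item = $items[$itemName];
    if ($item['bizrule'] !== null && !call_user_func($item['bizrule'], $isGuest)) {
        return false; // bizrule failed: deny without looking at parents
    }
    if (in_array($itemName, $defaultRoles, true)) {
        return true; // default role whose bizrule passed (or which has none)
    }
    foreach ($item['parents'] as $parent) {
        if (checkAccess($items, $defaultRoles, $parent, $isGuest)) {
            return true;
        }
    }
    return false;
}

$defaultRoles = array('Guest', 'Authenticated'); // as with authManager::defaultRoles
$guestOnly = function ($isGuest) { return $isGuest; };

$cases = array(
    'Guest bizrule as in the post' => buildItems($guestOnly),
    'Guest role without a bizrule' => buildItems(null),
);
foreach ($cases as $label => $items) {
    foreach (array(true, false) as $isGuest) {
        $allowed = checkAccess($items, $defaultRoles, 'do A', $isGuest);
        printf("%-30s isGuest=%-5s do A: %s\n", $label,
            $isGuest ? 'true' : 'false', $allowed ? 'allowed' : 'denied');
    }
}
```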