I’ve been following the tutorial (among others) http://www.yiiframework.com/doc/guide/1.1/en/topics.auth#role-based-access-control trying to implement RBAC with bizRules.
The first rule I'm trying to define is to allow a user to be able to update their own account but not others. I'm doing this in User::actionUpdate() like so:

```php
$model=$this->loadModel($id);           // the User record being edited
$params=array('User'=>$model);          // passed through to the bizRule as $params["User"]
if(Yii::app()->user->checkAccess('updateOwnUser', $params))
```
The tasks, operations and roles are defined as follows and are present in the database as expected:

```php
// bizRule is stored as a string and eval'd by the auth manager at check time
$bizRule='return Yii::app()->user->id==$params["User"]->id';
$task=$this->_authManager->createTask('updateOwnUser','Update your own account.', $bizRule);
$role=$this->_authManager->createRole('reader');
$role->addChild('updateOwnUser');
$this->_authManager->assign('manager', 1); // manager inherits reader
```
The user (in this case `user->id == 1`) has been assigned to a role that inherits 'reader' and should therefore be able to update their own account. However, the checkAccess() method always returns false. If I add this code before checkAccess():

```php
die( Yii::app()->user->id .' == '. $params["User"]->id );
```

I will see:

```
1 == 1
```

which is what I expect.
I feel like I'm overlooking something, as it all seems straightforward but isn't working.
Can anyone tell me what I've done wrong?
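To trace what the hierarchy in the question should yield, here is an added illustration (not Yii's code and not the poster's): a minimal PHP re-implementation of the Yii 1.1 auth-manager walk, assuming `$params['currentUserId']` in place of `Yii::app()->user->id` and building the `manager -> reader -> updateOwnUser` chain explicitly.

```php
<?php
// Minimal stand-in for Yii 1.1's CAuthManager (not Yii itself, not the poster's code):
// items with optional bizRules, parent/child links and user assignments. Rules are
// eval'd just as Yii does, so they must only ever come from trusted admin code.
class MiniAuthManager
{
    private $items = array();        // name => array('bizRule' => string|null, 'children' => array)
    private $assignments = array();  // userId => array(itemName => true)
    public function createItem($name, $bizRule = null)
    {
        $this->items[$name] = array('bizRule' => $bizRule, 'children' => array());
    }
    public function addChild($parent, $child) { $this->items[$parent]['children'][] = $child; }
    public function assign($itemName, $userId) { $this->assignments[$userId][$itemName] = true; }

    // An empty rule allows; otherwise the rule sees $params and must return a truthy value.
    private function ruleAllows($bizRule, $params)
    {
        return $bizRule === null || $bizRule === '' || eval($bizRule) != false;
    }

    // Like CDbAuthManager::checkAccess: the item and every ancestor on the path up to one
    // of the user's assignments must pass its bizRule.
    public function checkAccess($itemName, $userId, $params = array())
    {
        if (!isset($this->items[$itemName])) return false;
        if (!$this->ruleAllows($this->items[$itemName]['bizRule'], $params)) return false;
        if (isset($this->assignments[$userId][$itemName])) return true;
        foreach ($this->items as $parent => $item) {
            if (in_array($itemName, $item['children'], true)
                && $this->checkAccess($parent, $userId, $params)) {
                return true;
            }
        }
        return false;
    }
}
// The hierarchy from the question; $params['currentUserId'] stands in for Yii::app()->user->id.
$am = new MiniAuthManager();
$am->createItem('updateOwnUser', 'return $params["currentUserId"] == $params["User"]->id;');
$am->createItem('reader');
$am->addChild('reader', 'updateOwnUser');
$am->createItem('manager');
$am->addChild('manager', 'reader');
$am->assign('manager', 1);
$own = (object) array('id' => 1);    // constructed sample records
$other = (object) array('id' => 2);
var_dump($am->checkAccess('updateOwnUser', 1, array('currentUserId' => 1, 'User' => $own)));
var_dump($am->checkAccess('updateOwnUser', 1, array('currentUserId' => 1, 'User' => $other)));
```

Run with the php CLI, the first check (user 1 editing record 1) prints bool(true) and the second (record 2) prints bool(false). A bizRule that passed for both would mean the ownership check is not actually binding the record to the current user, which is the failure mode to test for whenever such a rule is edited.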