Rbam

okay, i’m kind of new with all this yii (i almost finished the book “agile web…”, but i skipped some parts of it).

At the moment i’m developing my first website with yii and i want some roles. So i decided to download the extension “rbam” since the book advised me to download an extension instead of creating a rbac system my self.

i’ve now downloaded and implemented the system, and for the most part i understand it. there are however two things i don’t understand.

  1. i don’t understand how this rbam works without making any input in my database. I mean, how does it save the information that says the user with the id of 37 will be appointed editor instead of authenticated user, without putting this in a database?

  2. i know the thing with roles, but i don’t understand the concept of tasks and operations. i can see that it follows the parent/child concept, but how does my web application know that a certain operation belongs to a feature in my application?

  • Deram

A guess for the second question is that the operation name is the same as controllerID:actionID

please correct me if i’m wrong

To the best of my knowledge you are wrong and indeed the saving of the permissions table is done against the DB, unless serious extending/modification has been done on your behalf on the RBAM extension, which is something I tend to assume even less :)

How did you come to the conclusion that no DB activity is going on?

Maybe the RBAM created the (3) needed tables for you.

Shed some light here with extra information so we could further assist.

That’s a tricky one, I must admit, and it took me some research to come to conclusions back when I dived into RBAC/Yii.

I’ve sum’ed it up in a forum post where my questions were raised. See it all right here.

thanks for your reply.

As i said in the previous comment, my guess is that the operations follow the controllerID:actionID syntax and that yii therefore know what action the operation refer to. what i don’t understand now, is how do i define that a user can use fx the update operation for a post, but only if he’s the author?

the reason i thought the RBAM didn’t do anything to the database is because i don’t see any changes to my database. there’s still the same 5 tables, and they haven’t changed a bit. unless RBAM is hiding these new tables it would create, then i can’t any other option than it doesn’t use the database.

(not sure what the ‘fx’ word up there means. ignoring it in my comment below)

Yii will resolve the request to controller/action, indeed. This is one of the most fundamental task for Yii. The resulted controllerid/actionid is called a route.

Regarding enabling user to update only his own posts, that can be achieved with a ‘business rule’ (aka bizrule). An “authorization item” (Yii’s RBAC terminology) not only granted access, but it can do so conditionally. The condition is a little piece of PHP code snippet that is called a bizrule. This code can easily access or deny access to update of a post based on whether the user is the author of the post or not. See the last link here for example and complete documentation.

Maybe you’re right and RBAM wont do anything is nothing is really requested of him and no access control (CWebUser.checkAccess() calles) is asked from Yii in general.

IIRC, RBAM can also initialize the DB for you. RBAM has very nice PDF manual with all the details for you (and its not that long at all).

thanks again for your answer.

first of all, in my country we use fx as shortening of “for example” :)

but back to rbam: i’m beginning to understand that i do not understand the concept of rbac that well. I understand the thing about roles, tasks and operations, but i don’t understand how to create bizrules (and i don’t find that much documentation on how to do that). do you have any examples of bizrules that can be used in rbam? Or even better; a screenshot of the operation authorization items inside of rbam

also, i’m beginning to doubt that i installed rbam the right way so i’m going to take you through the installation i did:

  1. downloadet rbam and inserted it into modules.

  2. i wrote this into my main config file:


'modules'=>array(

		

		'rbam'=>array(

			//RBAM config

			'applicationLayout'=>'application.views.layouts.main', 

			'authAssignmentsManagerRole'=>'Auth Assignments Manager', 

			'authenticatedRole'=>'Authenticated', 

			'authItemsManagerRole'=>'Auth Items Manager', 

			'baseScriptUrl'=>null,

			'baseUrl'=>null,

			'cssFile'=>null,

			'development'=>true,

			'exclude'=>'rbam',

			'guestRole'=>'Guest',

			'initialise'=>true,

			'layout'=>'rbam.views.layouts.main', 

			'juiCssFile'=>'jquery-ui.css',

			'juiHide'=>'puff',

			'juiScriptFile'=>'jquery-ui.min.js', 

			'juiScriptUrl'=>null,

			'juiShow'=>'fade',

			'juiTheme'=>'base',

			'juiThemeUrl'=>null,

			'pageSize'=>10,

			'rbacManagerRole'=>'RBAC Manager', 

			'relationshipsPageSize'=>5,

			'showConfirmation'=>3000,

			'showMenu'=>true,

			'userClass'=>'User',

			'userCriteria'=>array(),

			'userIdAttribute'=>'id',

			'userNameAttribute'=>'username',

		),

		

	),

  1. i inserted the sql file from framework/web/auth into my database

  2. i wrote into my main config file:


	'components'=>array(

		

		'authManager'=>array(

            'class'=>'CDbAuthManager',

            'connectionID'=>'db',

        ),

)		



  1. i went to the rbam part of my site and initialized it

Will all the data rbam handles be put into the database now? if i press yes to if rbam should “generate Authorisation Data based on your application’s modules, controllers and actions”, it doesn’t do anything. is this normal?

and please tell me if i need to do anything else before i start creating roles/tasks/operations.

(btw, i find it kind of amazing that i find the name Boaz on almost every forum post on any site that involves rbam…)

Its been a while since the last time, and almost the first time, I used RBAM. IIRC, using that "initialize=true" flag will cause the data in the RBAC table to be erased and I guess it will explode if it cannot see the 3 tables it needs and it cannot create them.

So I’m not entirely sure what happens in your system. Are you sure that no tables are created in the names of AuthItem, AuthItemChild, AuthAssignment ? (those are the default names). Verify that you’re checking against the right DB… .

Wanna see some action?

Below is screenshot of a task with a bizrule (some var names have been altered). Hover over the upper right corner of the bizrule box in your site to see a useful short help text.

2992

rbam_bizrule.png

Know that each time you call "checkAccess()" you can pass parameters to this short bizrule snippet (which is then available in the bizrule context inside $params array).

Regarding creating authorization items for all your controllers - don’t do that unless you know what you’re doing. I personally preferred not to do so but rather create authorization tree (and the matching auth items) based on their own terms and logic.

Regarding the name Boaz on many forums, well, I guess some of them are me and in that case - “just doing my service”… :)

as i wrote in the last post, i inserted the sql file that i found in the framework folder. that gave me the 3 tables you are talking about. funny thing is that all the sudden they started working, so now rbam is inserting data in my database (finally some progress :D )

but i can’t get the system to work. if i make an operation called post:index and then a task called post (that is parent of post:index) and made the task a child of guest that i made a child of authenticated. if i then in postController.php allowed guests to perform the action of index, then i should be able to perform this action when logged in as an authenticated user, right? but no, it says that i am not authorized to perform this action.

i even tried to write "return true;" as a bizrule for both the task and operation

(btw, can you upload a screenshot of an operation too? that would be awesome because i then would have some kind of example for both tasks and operations :) )

I don’t have a useful ‘operation’ screenshot for you as I don’t use operations. For “why” on this see a link I gave previously in this thread to an older forum post by me explaining the meanings of each term. I don’t use ‘operations’ as I find them to be too fine grained, over engineering if you’d like.

But, operation bizrule is the same thing as any other auth-item with a bizrule. The bizrule is checked to approve or negate access to this auth item.

As for your issues with the operation, task, guest and authenticated roles - beware - it might be a manifestation of a known bug. In short - the default, recommended (at the end of this page) bizrules for authenticated and guest can create this bug. See more in this long report (if you dare :) ). The change in the official documentation that should result from the fix to the bug report is not yet published - it will be in the next release of Yii. In the meantime, IIRC, its recommended to either simply remove access control calls on methods that are allowed to guest and above, which means to all users. Or, you can remove the bizrule for guest (I think that shall do it as well).

thanks for your help.

i got it all working now :)

cool

hey, this thread helped me a lot setting up rbam.

i do have some questions though:

after i sat up rbam, i was still able to perform all of the actions i was allowed to before. in other words: rbam didn’t stop a user who was performing an operation that wasn’t defined in rbam. is this normal?

this leads to another question: what should i do about the public function accessRules() that is in every controller? should i leave it, or should i deny all users to perform all actions because rbam should define who to allow or what?

Hi fonis,

I’ve got a short and long answers for you:

The short answer is that you should read the documentation… :) . Start here, and don’t stop until you reach the end of the page and you understand what you read, even if not fully assimilated the material (experience will do that).

The longer answer:[indent]

  1. In every controller’s action where you want to limit access, you should call checkAccess() in the beginning of the method. That will check the permissions. For example:[/indent]



if (!Yii::app()->user->checkAccess("submit article")) {

	// not allowed

    throw new CHttpException(401);

}

[indent]

  1. accessRules() can be purged altogether. Its the simple access control methodology deployed by default by ‘yiic webapp’ command. You can safely delete it. You can read more about it in the same page I linked in the first link above.[/indent]

oh my god, i should have figured that out my self. thanks :D

hey again.

for some reason rbam isn’t automatically applying the authenticated role to users. I have to manually go in and give someone the role. do you know how to fix that?

i really have no idea how to fix this, since the standard bizRule ( return !Yii::app()->getUser()->getIsGuest(); ) should cover that?

If the auth item you’re checking is assigned to Guest and Authenticated role inherits Guest auth items, then you might have hit the bug described in the last paragraph here, and that is reported in length here.

no i don’t think it’s that, since i’m not having guest as a child of authenticated, and the task that i’m testing this on is a child of authenticated.

if i create a bizrule for authenticated that said return true; would every person who entered the site then be assigned to this role? because that’s basically whats my bizrule return !Yii::app()->getUser()->getIsGuest(); says if your logged in…

If Authenticated is a ‘default role’ (see documentation…) in your setup, and its usually so but you need to verify this, then the quick answer is yes - tasks/operations that are direct child of ‘authenticated’ no bizule of their own, would be allowed (as well as direct check on ‘authenticated’ auth item).

i’ve now discovered that the true problem i’m facing with rbam is that the roles guest and authenticated isn’t automatically assigned to default roles as the documentation for rbam said it should.

even if i manually assign the roles as default roles (‘defaultRoles’=>array(‘authenticated’, ‘guest’)) in the main config people is still not assigned to the roles automatically. i therefore have to manually assign a user to authenticated.

BTW this has nothing to do with the fact that i assigned users to a role that users should be assigned to from default, cause i’ve also tried to remove all the users assigned to authenticated.

So, do you have a clue of what i have to do?

Do you have bizrule on the authenticated and guest roles? If so, please quote them here… .