[Nathan]

This page (http://www.yiiframew...-access-control) explains that the role-based access control settings can be either stored in a PHP file or in the database.

With respect of storing which user has which roles, I find the database storage to be more logical. It may envolve a lot of data, one or more row per user, so database seems better. This data changes all the time with the life of the site.
However with respect of storing hierarchy, authorization items, I find it makes more sense to store them in a file. The reason being that I can easily ship my PHP project with built-in hierarchy without having to export SQL data. Defining the auth items is part of the creation of the site, therefore I don't think it should live in the database.

Does it make sense? Is there a way to cleanly combine both?

On a smilar note, the example of a "BizRule" is very simple in the documentation. What if I had more complex business rules? Can I have a function/method somewhere that the business rule will call?

Third question: Let's say I want to have a "moderator" role. However I have moderators for "categories". So Moderator A can moderatore category A while moderator B can moderate category B. Can the basic hierarchy work with this?

[Mike]

What a coincidence - it's just yesterday that i wrote exactly the class you just describe: It extends from CPhpAuthManager but takes some parts from CDbAuthManager to get the assignments from DB. So yes: I think it does make sense.

I did this for a client, but maybe he agrees, that i release this class as extension, if you're interested.

[Nathan]

 Mike, on 11 July 2012 - 08:33 AM, said:

What a coincidence - it's just yesterday that i wrote exactly the class you just describe: It extends from CPhpAuthManager but takes some parts from CDbAuthManager to get the assignments from DB. So yes: I think it does make sense.

I did this for a client, but maybe he agrees, that i release this class as extension, if you're interested.

Sounds good to me, if you can release it let me know.
Also I use "yii-rights" to manage. Not sure if it would be compatible.

[Mike]

It will not be compatible. yii-rights enforces you to use a couple of base classes and configure the auth manager component which comes with the extension. One of the reasons why i don't really like it very much.

[Nathan]

Ok, let me know anyways if you manage to publish it, maybe Yii-Rights can pick up the idea.

What about the other 2 questions in the thread?

[Mike]

I'll publish it as an extension over the next days.

 Nathan, on 10 July 2012 - 08:07 AM, said:

On a smilar note, the example of a "BizRule" is very simple in the documentation. What if I had more complex business rules? Can I have a function/method somewhere that the business rule will call?

Totally up to you: Use a global function, collect your functions as static methods in a custom class, ...

 Nathan, on 10 July 2012 - 08:07 AM, said:

Third question: Let's say I want to have a "moderator" role. However I have moderators for "categories". So Moderator A can moderatore category A while moderator B can moderate category B. Can the basic hierarchy work with this?

You could use business rules + another table for this. In that table you connect moderators to categories e.g. with columns moderator_id and category_id. Then you create a role Moderator with a business rule. The business rule checks, if a record exists for a given moderator and category. In your call to checkAccess() you supply the current moderator and category ids as parameters to the business rule.

[Raoul]

Hi Mike,
my reply to the Nathan's "moderator scenario" is the same as yours : I have added a new table to connect users to categories (let's call it user_mod_cat). With a bizRule associated with the Moderator Role, it works fine, however, I have a doubt about it ...

why use a role ?

... I mean, isn't a record in the user_mod_cat table enough to state that a user can moderate the category he is linked to ? why assign a role to the user then ? what are the benefits ?
On the project I'm working on, I have plenty of equivalent scenario, where a role is granted to a user on a particular instance(es) of models : user can manage Group(id), user can update Posts(id) etc.. should I create a link table in each case ?

revoking

If for a given user and for a given category I want to revoke moderator role I have to:

• delete the corresponding record in the user_mod_cat table
• check that at least one record exist for this user in the user_mod_cat table and if it's not the case, actually revoke the role for this user

I guess that's correct isn't it ? But then again, why no forget about roles and just handle the user_mod_cat table ?



Maybe the solution is to create one role per category and then assign it to a user ? Assigning moderate_category_A
Or maybe it would be more logical to create a moderate_category_A task, and then add this task to the moderator Role ?


Well as you can see, I'm far for mastering RBAC principles and hopefully you'll be able to show me the good way to use it...

Thanks in advance

[Raoul]

my question above isn't only to Mike ... so anyone with response is very welcome

[Ben]

I think it should be possible to use CAuthAssignment::$data and CAuthAssignment::$bizRule for this:

  $taskModerateGroup = $authManager->createTask( 'moderateGroup' );

  // Inside the bizRule, the following variables are available:
  //
  // $params, array, parameters passed to IAuthManager::checkAccess
  // $data  , mixed, additional data associated with the authorization
  //                 item or assignment.
  $bizRule = '
    return in_array( $params["groupId"], $data["groupIds"] );
  ';

  // user 1 is allowed to moderate groups 1, 2, 5 and 7
  $authManager->assign( 'moderateGroup', $user_1->id, $bizRule, array(
    'groupIds' => array( 1, 2, 5, 7 ),
  ));

  // user 2 is allowed to moderate groups 3, 4 and 6
  $authManager->assign( 'moderateGroup', $user_2->id, $bizRule, array(
    'groupIds' => array( 3, 4, 6 ),
  ));

  $authManager->checkAccess( 'moderateGroup', $currentUser->id, array(
    'groupId' => $currentGroup->id,
  ));

This way, you don't need another table, because the relevant information is stored in the authAssignment itself. You also don't need a separate AuthItem for every group.

However, you will need a good interface to support the assign-operations.

And I'm currently not sure how it can be handled with roles, that's why I directly assigned the task to the users...

[Raoul]

Thanks for your reply Ben.

I understand what you mean, and you're right, I would need some nice GUI stuff to manage assignements .... but it can be done.
On the contrary what seems very difficult to do is to retrieve a list of all users who are moderators for a specific group... don't you think ?

... I definitly need to study the subject because until now (and for this particular use case), RBAC seems to be a problem ... not a solution. The 'updateOwnPost' bizrule in the doc is not enough to understand how to handle this case.

[Ben]

I guess querying who has some authItem assigned is always a problem. At least through the interface Yii's authManagers provide. I wonder if (and how) available RBAC extensions solve this problem...

[Mike]

Raoul,

i think you raised a valid question

There may be situations where another link table is not feasable and where you can map everything into RBAC rules instead. But i prefer to not have cluttered my RBAC with 100s or 1000s of tasks/roles.

And there's one advantage of using roles: You can just revoke the role from the user to disable access for him, without loosing all the connections (in case you want to re-enable it later). BTW this is enough to disable user access: I don't think you need the 2 steps you described above. If either one of the conditions is met (no role assigned, or no entries in link table) then no access is granted.

[Nathan]

Could someone clarify where would I write the code for a complex "BizRule" (like, in some Model? Controler?) and how would I call this code from the YiiRights?