I have a role AssetDistributor which, according to my Rights GUI interface should have read access to user (readUser operation) but when I visit the user/index
action page I get authorization error (access denied):
My Rights (main.php) config under ‘modules’:
Prior to installing Rights, I had previously installed the tables necessary for rbac (using the Agile Development book)
AuthAssignment
AuthItem
AuthItemChild
And populated these with the appropriate data (I have four different roles and a bunch of operations for each).
Then I installed Rights as per the installation doc yii-rights-doc-1.2.0 (pdf)
I’ve also done:
- made protected/components/Controller class extend from RController instead of CController
When I go to /index.php?r=rights I can see the Permissions, Assignments, etc (it all seems to work OK)
Under ‘Assignments’, I only have Roles assigned to users (however this should be sufficient I would have thought?)
However, the Rights table created in mysql is empty, not sure if this should be? (I’m guessing not, as an empty table is kinda useless lol)
Below is part of my UserController class.
What I am curious about is where the actual permission checking is done with Rights?
(ie where is the action -> permission lookup done?)
For rbac, it is in the accessControl filter below…
public function filters() {
// return array(
// 'accessControl', // perform access control for CRUD operations
// 'postOnly + delete', // we only allow deletion via POST request
// );
return array(
'rights'
);
}
/**
* Specifies the access control rules.
* This method is used by the 'accessControl' filter.
* @return array access control rules
*/
public function accessRules() {
Yii::log("accessRules()");
return array(
array('allow',
'actions' => array('admin', 'index', 'create', 'view', 'update', 'delete'),
'roles' => array('chadmin'),
),
array('allow',
'actions' => array('index', 'view'),
'roles' => array('assetmgr'),
),
array('deny', // deny all users
'users' => array('*'),
),
);
}