Suppose I have the following (example) RBAC tasks, which can be added to a user role:
$auth->createOperation('pageView');
$task = $auth->createTask('pageView_secret', '', 'return isset($params["page"]) && $params["page"]->isSecret();');
$task->addChild('pageView');
$task = $auth->createTask('pageView_topsecret', '', 'return isset($params["page"]) && $params["page"]->isTopSecret();');
$task->addChild('pageView');
This allows me to use:
Yii::app()->user->checkAccess('pageView', array('page' => $model));
Fairly straightforward. Now suppose that, instead of evaluating whether an already loaded model can be viewed, I wish to use this permission to define a scope on a findAll() call, so that only pages viewable by the user are queried; to use it before the fact rather than after the fact, so to speak. For example:
if (!Yii::app()->user->checkAccess('pageView_topsecret')) {
    // set scope to exclude topsecret pages
} else {
    // something else
}
As the initial task expects $params["page"], I cannot use it as it is to accomplish this. Therefore, how should this be approached? Is it considered acceptable to use optional parameters, such as:
$task = $auth->createTask('pageView_topsecret', '', 'return isset($params["page"]) ? $params["page"]->isTopSecret() : true;');
Or am I just going about this wrong? Given that my bizrule pertains to an attribute of the Page and is irrespective of the user identity, is my bizrule inappropriately placed within RBAC? Perhaps something along the lines of calling a method such as $model->checkViewAccess('private'), which then validates the user element and the page visibility separately and returns true/false, is preferable?
Any advice welcome!
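One way to make the same tasks serve both the per-model check and the "before the fact" query is shown below. This is an added example written for this page, not code from the original post or from Yii; it assumes a Page model with a string column `visibility` holding 'public', 'secret' or 'topsecret' (the poster's isSecret()/isTopSecret() are implemented against that assumed column), and it uses the standard Yii 1.1 APIs CAuthManager::createTask, CDbCriteria::addNotInCondition and CActiveRecord::getDbCriteria(). The bizrules are written to default to true when no page is passed, so that checkAccess('pageView_secret') without parameters reduces to "is this task assigned to the user", which is exactly what the scope needs. Bear in mind that Yii 1 evaluates bizrule strings with eval(), so they must stay static PHP and never incorporate user-supplied text.

```php
<?php
// Added example (not from the original post): one set of RBAC tasks used
// both for checkAccess() on a loaded model and for a named scope on findAll().
//
// Assumptions (not stated in the original): table {{page}} has a string
// column `visibility` with values 'public', 'secret' or 'topsecret';
// $auth is Yii::app()->authManager.

// --- RBAC setup, run once (e.g. from a console command) --------------------
$auth = Yii::app()->authManager;
$auth->createOperation('pageView');

// A missing page means "only the assignment is being asked about", so the
// bizrule deliberately returns true in that case; the task assignment is what
// gates the user, and a supplied page adds a second, model-specific condition.
$task = $auth->createTask('pageView_secret', '',
    'return !isset($params["page"]) || $params["page"]->isSecret();');
$task->addChild('pageView');

$task = $auth->createTask('pageView_topsecret', '',
    'return !isset($params["page"]) || $params["page"]->isTopSecret();');
$task->addChild('pageView');

// --- Model with a scope that applies the same decision before the query ---
class Page extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return '{{page}}';
    }

    // Assumed implementations of the poster's helpers against `visibility`.
    public function isSecret()
    {
        return $this->visibility === 'secret';
    }

    public function isTopSecret()
    {
        return $this->visibility === 'topsecret';
    }

    // Named scope: ask each task without a page (assignment-only check) and
    // exclude every visibility class the current user has no task for.
    public function viewableByCurrentUser()
    {
        $user = Yii::app()->user;
        $excluded = array();
        if (!$user->checkAccess('pageView_secret')) {
            $excluded[] = 'secret';
        }
        if (!$user->checkAccess('pageView_topsecret')) {
            $excluded[] = 'topsecret';
        }
        if ($excluded !== array()) {
            $criteria = new CDbCriteria;
            $criteria->addNotInCondition('visibility', $excluded);
            $this->getDbCriteria()->mergeWith($criteria);
        }
        return $this;
    }
}

// Before the fact: only rows the user may view are queried.
$pages = Page::model()->viewableByCurrentUser()->findAll();

// After the fact: the same tasks decide for one loaded model.
$page = Page::model()->findByPk(1);
$allowed = Yii::app()->user->checkAccess('pageView', array('page' => $page));
```

Keep the two paths in agreement: the scope never excludes 'public' rows, so a role that is meant to see public pages also needs the plain pageView operation (or a task granting it) assigned, otherwise findAll() returns rows that the per-model check would then deny for that same user. The scope still has to be applied explicitly on every query; it is not enforced by the framework, so a findAll() written without it silently bypasses the restriction.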