I just started implementing the Yii RBAC. I started by reading the tutorials and creating the 3 tables (AuthAssignment, AuthItem, AuthItemChild). I also created a table Users myself and made a couple of small changes in the UserIdentity.php file to match my DB field names.
When I log in with a user (arjan) who is not allowed to edit a user, the text "ok" does not show up in the page, so it's working:
// checkAccess() asks the auth manager whether the logged-in user holds the
// 'actionEdit' operation, directly or through one of the assigned roles.
if (Yii::app()->user->checkAccess('actionEdit'))
{
    echo 'ok';
}
But I thought there was a better way to block access to actionEdit for user arjan, so I tried:
// accessRules() of the controller; the 'users' entries are matched against
// Yii::app()->user->name, i.e. the username returned by UserIdentity.
public function accessRules()
{
    return array(
        array('allow',
            'actions' => array('edit', 'add', 'active'),
            'users'   => array('bas'),
        ),
        array('allow',
            'actions' => array('list'),
            'users'   => array('bas', 'arjan'),
        ),
    );
}
But the user arjan is still able to access the actionEdit of the controller.
Below you will find the rules I added into the database:
// One-off setup script: creates the auth items and the hierarchy in the
// AuthItem / AuthItemChild / AuthAssignment tables.
$auth = Yii::app()->authManager;
// Operations (leaf items), one per controller action to protect.
$auth->createOperation('actionList', 'read a user');
$auth->createOperation('actionAdd', 'create a user');
$auth->createOperation('actionEdit', 'update a user');
// 'reader' may only list users.
$role = $auth->createRole('reader');
$role->addChild('actionList');
// 'admin' inherits everything 'reader' has and may add and edit as well.
$role = $auth->createRole('admin');
$role->addChild('reader');
$role->addChild('actionAdd');
$role->addChild('actionEdit');
// Assign the roles to user ids (2 = arjan, 1 = bas).
$auth->assign('reader', '2');
$auth->assign('admin', '1');
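The following is an added example, not the poster's own controller, showing how the two pieces above fit together in a Yii 1.1 controller. It assumes a hypothetical UserController with actionList, actionAdd and actionEdit, and that the roles and operations from the setup script already exist in the auth tables. Two things matter: accessRules() is only consulted when the accessControl filter is declared in filters(), and CAccessControlFilter allows a request that no rule matches, so a rule set consisting only of 'allow' entries never blocks anyone; a final catch-all 'deny' is required. The 'roles' key is passed to Yii::app()->user->checkAccess(), so it can name RBAC roles or operations instead of hard-coding usernames.

```php
<?php
// Added example (not the original poster's code): a hypothetical Yii 1.1
// UserController whose access rules are driven by the RBAC items
// 'reader', 'admin', 'actionList', 'actionAdd' and 'actionEdit' created
// by the setup script above.
class UserController extends CController
{
    // Without this, accessRules() is never evaluated at all.
    public function filters()
    {
        return array(
            'accessControl',
        );
    }

    public function accessRules()
    {
        return array(
            // Each 'roles' entry is checked with Yii::app()->user->checkAccess(),
            // so naming the operation here reuses the RBAC hierarchy: bas
            // (admin -> actionEdit) passes, arjan (reader) does not.
            array('allow',
                'actions' => array('edit', 'add'),
                'roles'   => array('actionEdit', 'actionAdd'),
            ),
            array('allow',
                'actions' => array('list'),
                'roles'   => array('actionList'),
            ),
            // Rules are evaluated top to bottom and the first match wins.
            // A request matched by no rule is ALLOWED, which is why a list of
            // only 'allow' rules still lets arjan reach actionEdit. This
            // catch-all deny ('*' = every user, logged in or not) closes that gap.
            array('deny',
                'users' => array('*'),
            ),
        );
    }

    public function actionList()
    {
        echo 'list of users';
    }

    public function actionAdd()
    {
        echo 'add a user';
    }

    public function actionEdit()
    {
        echo 'edit a user';
    }
}
```

The hierarchy can also be verified outside a request, without logging in, through the auth manager itself: Yii::app()->authManager->checkAccess('actionEdit', 1) should return true for bas (user id 1, role admin) and Yii::app()->authManager->checkAccess('actionEdit', 2) false for arjan (user id 2, role reader). If those values are right but the controller still lets arjan in, the problem is in the filter or the rules, not in the database.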