RBAC

I just started implementing the Yii RBAC. I started by reading the tutorials and creating the 3 tables (AuthAssignment, AuthItem, AuthItemChild). I myself created a table Users and made a couple of small changes in the UserIdentity.php file to match my db field names.

When I log in with a user (arjan) who is not allowed to edit a user, the text ok will not show up in the page, so it's working.


if (Yii::app()->user->checkAccess('actionEdit'))
{
    echo 'ok';
}

But I thought there is a better way to block access to the actionEdit for user arjan, so I tried:


return array(
    array('allow',
        'actions' => array('edit', 'add', 'active'),
        'users' => array('bas'),
    ),
    array('allow',
        'actions' => array('list'),
        'users' => array('bas', 'arjan'),
    )
);

But the user arjan is still able to access the actionEdit of the controller.

Below you will find the rules I added into the database:

$auth = Yii::app()->authManager;

$auth->createOperation('actionList', 'read a user');
$auth->createOperation('actionAdd', 'create a user');
$auth->createOperation('actionEdit', 'update a user');

$role = $auth->createRole('reader');
$role->addChild('actionList');

$role = $auth->createRole('admin');
$role->addChild('reader');
$role->addChild('actionAdd');
$role->addChild('actionEdit');

$auth->assign('reader', '2');
$auth->assign('admin', '1');



Almost there, I changed:


public function accessRules()
{
    return array(
        array('allow',
            'actions' => array('edit', 'add', 'active'),
            'roles' => array('admin'),
        ),
        array('allow',
            'actions' => array('list'),
            'roles' => array('admin', 'reader'),
        )
    );
}

And the rules:


$auth = Yii::app()->authManager;

$auth->createOperation('readUser', 'read a user');
$auth->createOperation('createUser', 'create a user');
$auth->createOperation('updateUser', 'update a user');

$role = $auth->createRole('reader');
$role->addChild('readUser');

$role = $auth->createRole('admin');
$role->addChild('reader');
$role->addChild('createUser');
$role->addChild('updateUser');

$auth->assign('reader', '2');
$auth->assign('admin', '1');

But what is the best way to allow and deny users? Just deny everything for every user and then put some allows into the accessRules?

Hello bas_vdl!

You need to deny the access explicitly ("if it's not denied, then it's allowed"), so you need to add the following rule at the end of the accessRules method:


array('deny', 'users' => array('*')),

This way you are telling Yii to deny access to all users for the actions they aren't allowed to access.

Greetings!
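As an added example (not code from either poster), here is a complete Yii 1.1 controller that puts the thread's role-based rules together with the catch-all deny. It assumes the class name UserController and the action bodies; the rule contents, roles and operation names come from the thread. Two points the thread does not spell out: accessRules() is only enforced when filters() registers the accessControl filter, and rules are matched first-hit, so the deny rule must be the last one.

```php
<?php
// Added example: Yii 1.1 controller using the RBAC roles from this thread.
// UserController and the action bodies are assumptions; the rules are the thread's.
class UserController extends CController
{
    // accessRules() does nothing unless the accessControl filter is registered here.
    public function filters()
    {
        return array('accessControl');
    }

    // Rules are evaluated top to bottom; the first rule that matches the current
    // user and action decides. If no rule matches, Yii ALLOWS the request,
    // which is why the final deny-all rule is required.
    public function accessRules()
    {
        return array(
            array('allow',
                'actions' => array('edit', 'add', 'active'),
                'roles'   => array('admin'),   // checked with Yii::app()->user->checkAccess('admin')
            ),
            array('allow',
                'actions' => array('list'),
                'roles'   => array('admin', 'reader'),
            ),
            array('deny',                      // catch-all: anything not allowed above
                'users' => array('*'),
            ),
        );
    }

    public function actionList()
    {
        $this->render('list');
    }

    // Defence in depth: check the fine-grained RBAC operation inside the action as well,
    // so a later change to accessRules() cannot silently open the action up.
    public function actionEdit($id)
    {
        if (!Yii::app()->user->checkAccess('updateUser')) {
            throw new CHttpException(403, 'You are not allowed to update users.');
        }
        $this->render('edit', array('id' => (int) $id));
    }
}
```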