Thanks, that clarified a lot of things.
I experimented some more and as I understand it,
Yii doesn’t support assigning roles based on context. 
However as I understood I can achieve the same by means of bizrules,
by assigning all roles to all users (as default roles in the config).
So each role has a bizrule that verifies if the role is valid for the user.
Not exactly beautiful but I can live with it. 
Or did I miss something??? 
Also to verify an action on a controller I can now add the role in the accessRules and supply the parameters as needed to verify that the user has that role. 
But I still have to add a list of actions which are valid for the user … 
This seems like double bookkeeping to me as I already defined which operations a role should grant access to.
And apparently those “operations” are only good for doing checks via user->checkAccess(). 
Or is there some other way??
To me it would make more sense if I could make a mapping of actions, e.g.:

    public function accessRules()
    {
        return array(
            array('allow',
                // proposed key: action id => operation => names of context params
                'rbacactions' => array(
                    'view' => array('viewDocument' => array('document')),
                    'edit' => array('editDocument' => array('document')),
                ),
            ),
        );
    }

    // Loads the model behind a named context parameter.
    public function getContextParam($param)
    {
        if ($param == "document")
            return Document::model()->findByPk(0 /* some context param */);
        return NULL;
    }

If the action is ‘view’ the access control should do the following:

    Yii::app()->user->checkAccess('viewDocument', array('document' => $this->getContextParam('document')));

- This way parameters should only be looked up if needed (e.g. first matching operation, role stops any subsequent requests).
- Parameters can be cached and reused for subsequent accessRule blocks/calls.
- Actions could reuse cached models if the controller had a method that made them available.

Is there any way to do something like this?
If not, I might go ahead and implement this scheme myself…
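
Added example, not part of the original post and not Yii code: a stand-alone PHP 8 sketch of the mapping described in the post (action id to operation to context parameter names), with parameters loaded on demand and cached, and any action without a mapping denied. `StubUser`, `ActionAccessMap` and the sample document are hypothetical; `StubUser::checkAccess()` only stands in for `Yii::app()->user->checkAccess()`.

```php
<?php
// Added example, not Yii code. StubUser stands in for Yii::app()->user; its
// checkAccess() plays the part of a bizrule (constructed rule: only owners edit).
class StubUser
{
    public function __construct(private int $id) {}

    public function checkAccess(string $operation, array $params = []): bool
    {
        $doc = $params['document'] ?? null;
        return $doc !== null && ($operation === 'viewDocument'
            || ($operation === 'editDocument' && $doc['owner'] === $this->id));
    }
}

class ActionAccessMap
{
    private array $cache = [];  // context params already looked up
    public int $lookups = 0;    // how often the loader really ran

    // $map: action id => [operation => [param names]];
    // $loader takes a param name, like getContextParam() in the post.
    public function __construct(private array $map, private $loader) {}

    public function isAllowed(StubUser $user, string $actionId): bool
    {
        // An action with no mapping falls through to "deny".
        foreach ($this->map[$actionId] ?? [] as $operation => $names) {
            $params = [];
            foreach ($names as $name) {
                if (!array_key_exists($name, $this->cache)) {
                    $this->lookups++;
                    $this->cache[$name] = ($this->loader)($name);
                }
                $params[$name] = $this->cache[$name];
            }
            if ($user->checkAccess($operation, $params)) {
                return true;  // first granted operation ends the search
            }
        }
        return false;
    }
}

// Constructed sample data: one document owned by user 1, checked as user 2.
$map = ['view' => ['viewDocument' => ['document']],
        'edit' => ['editDocument' => ['document']]];
$acl = new ActionAccessMap($map, fn($n) => $n === 'document' ? ['id' => 7, 'owner' => 1] : null);
var_dump($acl->isAllowed(new StubUser(2), 'view'));    // case: non-owner views
var_dump($acl->isAllowed(new StubUser(2), 'edit'));    // case: non-owner edits
var_dump($acl->isAllowed(new StubUser(2), 'delete'));  // case: action with no mapping
var_dump($acl->lookups);                               // loader calls across all checks
```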