rbac and rule

nguyendh · October 8, 2015, 10:30pm

I’ve worked with Yii2 RBAC quite alot and understand most of it. But still have some questions about permission to permission relation and permission-rule

6743

First question is about permission. Please see the screenshot above

Assume we are talking about user John

if ‘updateOwnPost’ is the parent of ‘updatePost’, and ‘updateOwnPost’ belong to ‘Author’ role,

now when we ask




if (\Yii::$app->user->can('updatePost')) {

    // create post

}

should it return true because ‘updatePost’ is a child of ‘updateOwnPost’ which belongs to ‘author’ role ?

Why do I need to create a new permission ‘updateOwnPost’ and add ‘AuthorRule’ to it ? Can I just add ‘AuthorRule’ to ‘updatePost’ ?

Bizley · October 9, 2015, 8:26am

This requires some tests because I’m only 95% sure but:

Yes if he wants to update his own post.
You can just add it but:

it will check for author every time which takes more time
with two connected permissions you can use updatePost for both roles without worrying if user is author of the post

softark · October 9, 2015, 1:46pm

It depends on which value the “AuthorRule” returns when the parameter ‘post’ is empty.

So, if the rule is defined in the same way as in the example of the guide, it returns false.

Note that “can(‘updatePost’)” is called with a parameter ‘post’ in the example of the guide:




if (\Yii::$app->user->can('updatePost', ['post' => $post])) {

    // update post

}

The ‘post’ parameter is ignored in ‘updatePost’, but will be passed to ‘updateOwnPost’ to be checked by “AuthorRule”.

In order to allow John to update a post, you have to have a way from “updatePost” to “John” following the arrows. “updatePost” has a way to “admin”, but there’s no way from “admin” to “John”. So we have to follow the route of “updatePost” -> "updateOwnPost -> “author” -> “John”. And in the “updateOwnPost”, the rule is checked to see if the post is his own. If the post is his own, then he will be allowed to update it. But other "author"s like “Bizley” and “softark” are not allowed because the rule returns false and can’t proceed to “author”.

It’s because we want to have a role “admin” who can update any post without considering its author, and a normal role “author” who can update only the posts that he/she has created.

If you add “AuthorRule” to “updatePost”, either “admin” can not update other persons’ posts, or any “author” can update any posts, depending on how you specify the rule and how you call “can()” method.

nguyendh · October 9, 2015, 3:40pm

thanks guys. i got it now.