RBAC Restrict backend site

Hi, I have a question and I hope this will be helpful.

If I want to restrict entry to the backend site for normal users, I can use RBAC and create roles ([Admin], [User]), then create permissions, e.g. entryBackendSite, and assign the role to a user.

e.g.

role: Admin, User

permission: entryBackendSite

assignment: Admin - userId1, User - userId2

Now I can check permissions for each controller and each controller action in the backend:


if (Yii::$app->user->can("entryBackendSite")) {
    // CODE
} else {
    throw new ForbiddenHttpException("You do not have permission");
}

Advantages: I can limit permissions for a user and achieve the goal.

Disadvantages: I have to check each controller action and each controller in the backend site.

Is there maybe a simpler solution?

You can place your permission check code in the beforeAction() method of your backend controller and not check each action separately:


public function beforeAction($action)
{
    // your custom code here, if you want the code to run before action filters,
    // which are triggered on the [[EVENT_BEFORE_ACTION]] event, e.g. PageCache or AccessControl

    if (!parent::beforeAction($action)) {
        return false;
    }

    // other custom code here
    if (Yii::$app->user->can("entryBackendSite")) {
        // CODE
    } else {
        throw new ForbiddenHttpException("You do not have permission");
    }

    return true; // or false to not run the action
}



Or check access this way:


if (\Yii::$app->user->identity->getRole() != 'admin') {
    throw new ForbiddenHttpException("You do not have permission");
}

class User extends \yii\db\ActiveRecord implements \yii\web\IdentityInterface
{
    ...

    public function getRole()
    {
        // getting user role from database
    }

    ...
}



Or:


if (\Yii::$app->user->identity->role != 'admin') {
    throw new ForbiddenHttpException("You do not have permission");
}
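As an added example (not code from the thread), here is the beforeAction() idea turned into a base controller that every backend controller extends, so the check is written once and still applies to all actions of all controllers. The namespace, the permission name entryBackendSite and the list of public actions are assumptions; the Yii 2 calls (Yii::$app->user->can(), isGuest, loginRequired(), ForbiddenHttpException) are real framework API.

```php
<?php
namespace backend\controllers; // assumed namespace (advanced template layout)

use Yii;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;

/**
 * Base controller for the backend application.
 * Every backend controller extends this class, so the RBAC check runs
 * once here instead of being repeated in each action.
 * Added example, not from the thread.
 */
class BackendController extends Controller
{
    /**
     * Actions that must stay reachable without the permission.
     * 'login' is needed so users can authenticate at all; 'error' so the
     * error page itself does not throw a second ForbiddenHttpException.
     * (Assumed action ids.)
     */
    protected $publicActions = ['login', 'error'];

    public function beforeAction($action)
    {
        // Let parent filters (e.g. CSRF validation) run first.
        if (!parent::beforeAction($action)) {
            return false;
        }

        if (in_array($action->id, $this->publicActions, true)) {
            return true;
        }

        // Guests are redirected to the login page instead of receiving a 403.
        if (Yii::$app->user->isGuest) {
            Yii::$app->user->loginRequired();
            return false; // stop the action; the redirect response is sent
        }

        // can() asks the configured authManager. It is true when the user holds
        // the permission directly or through any role that contains it
        // (e.g. Admin -> User -> entryBackendSite in a hierarchy).
        if (!Yii::$app->user->can('entryBackendSite')) {
            throw new ForbiddenHttpException('You do not have permission to access the backend.');
        }

        return true;
    }
}

/**
 * Any concrete backend controller simply extends the base class;
 * nothing has to be repeated per action. (Illustrative controller.)
 */
class CategoryController extends BackendController
{
    public function actionIndex()
    {
        return $this->render('index');
    }
}
```

Keep the two classes in separate files in a real project (one class per file, PSR-4); they are shown together here only so the example reads as one unit. Note that the check is now centralised in code rather than in configuration, which is the trade-off against the AccessControl filter approach: easier to audit in one place, but a controller that forgets to extend BackendController is silently unprotected, so it is worth a test that asserts every class under backend\controllers extends the base class.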



yii\filters\AccessControl

If the backend is implemented as a module, it can be added to the module class:


use yii\filters\AccessControl;

class AdminModule extends \yii\base\Module
{
    public function behaviors()
    {
        return [
            [
                'class' => AccessControl::className(),
                'rules' => [
                    ['allow' => true, 'actions' => ['login']],
                    ['allow' => true, 'roles' => ['Admin']],
                ],
            ],
        ];
    }
}



If the backend is a separate application (like in the advanced template), the behavior can be added in the configuration:


'as restricted' => [
    'class' => 'yii\filters\AccessControl',
    'rules' => [
        //...
    ],
],



@Soul

The first solution seems interesting, but I don't understand what I need to put in place of //CODE. I want to check all controller actions, and there I can't do this. Can you show a very simple example for one controller act


use Yii;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;

class SiteController extends Controller
{
    public function beforeAction($action)
    {
        if (!parent::beforeAction($action)) {
            return false;
        }

        if (!Yii::$app->user->can("entryBackendSite")) {
            throw new ForbiddenHttpException("You do not have permission");
        }

        return true;
    }
}



All actions in the SiteController controller will be available only for administrators.

OK, but what if I have a hierarchical role structure in the database, e.g. Admin, User (RBAC)?

Only Admin can create, update and delete a Category. So how can I write this? I also tried

this code, which should call the can() method that will check the permission, but it is not working correctly. What is wrong? Or please give me another way to solve my problem, maybe beforeAction()?


    public function behaviors()
    {
        $behaviors = parent::behaviors(); // keep the behaviors the parent class defines

        $behaviors['access'] = [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'allow' => true,
                    'roles' => ['Admin'],
                ],
            ],
        ];

        return $behaviors;
    }
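An added example (not code from the thread) showing the two halves that 'roles' => ['Admin'] in an AccessControl rule depends on: the RBAC hierarchy must exist in the configured authManager, and the rule names must be roles or permissions that authManager knows, because AccessRule resolves every entry in 'roles' (other than '?' and '@') through Yii::$app->user->can(). It also shows the Category case from the question: write actions restricted to a manageCategory permission that only Admin holds, read actions open to everyone who may enter the backend. The permission names, the console command name, the namespaces and the user ids 1 and 2 are assumptions; the authManager, AccessControl and AccessRule calls are real Yii 2 API.

```php
<?php
// ---- console/controllers/RbacController.php (assumed path) ----
// Builds the RBAC hierarchy once. Run with: php yii rbac/init
// Requires an 'authManager' component (yii\rbac\DbManager or PhpManager)
// in the common config; the DbManager tables come from the framework migration.
namespace console\controllers;

use Yii;
use yii\console\Controller;

class RbacController extends Controller
{
    public function actionInit()
    {
        $auth = Yii::$app->authManager;
        $auth->removeAll(); // start from a clean hierarchy

        // Permissions (leaf nodes).
        $entry = $auth->createPermission('entryBackendSite');
        $entry->description = 'Open the backend site';
        $auth->add($entry);

        $manageCategory = $auth->createPermission('manageCategory');
        $manageCategory->description = 'Create, update and delete categories';
        $auth->add($manageCategory);

        // Roles. User may only enter the backend.
        $user = $auth->createRole('User');
        $auth->add($user);
        $auth->addChild($user, $entry);

        // Admin inherits everything User has, plus category management.
        $admin = $auth->createRole('Admin');
        $auth->add($admin);
        $auth->addChild($admin, $user);
        $auth->addChild($admin, $manageCategory);

        // Assignments; the ids are constructed sample values.
        $auth->assign($admin, 1); // user id 1 is an administrator
        $auth->assign($user, 2);  // user id 2 is a normal backend user
    }
}

// ---- backend/controllers/CategoryController.php (assumed path) ----
namespace backend\controllers;

use yii\filters\AccessControl;
use yii\web\Controller;

class CategoryController extends Controller
{
    public function behaviors()
    {
        $behaviors = parent::behaviors();
        $behaviors['access'] = [
            'class' => AccessControl::class,
            'rules' => [
                // Write actions: only holders of manageCategory, i.e. Admin.
                [
                    'allow' => true,
                    'actions' => ['create', 'update', 'delete'],
                    'roles' => ['manageCategory'],
                ],
                // Read actions: anyone allowed into the backend (Admin and User).
                [
                    'allow' => true,
                    'actions' => ['index', 'view'],
                    'roles' => ['entryBackendSite'],
                ],
                // Anything not matched above is denied: AccessControl throws
                // ForbiddenHttpException for logged-in users and redirects
                // guests to the login page.
            ],
        ];
        return $behaviors;
    }

    // actionIndex(), actionView(), actionCreate(), ... as usual.
}
```

Rules are evaluated in order and the first match wins, so a deny rule or a broad allow placed first would shadow the narrower ones below it. Naming the rule after the permission (manageCategory) rather than the role (Admin) means a future Editor role can be granted the same permission without touching the controller, which is the reason to check permissions rather than role names in the first place. The two files are shown in one block only for readability; PHP allows several namespace declarations per file, but a real project keeps them separate.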