RBAC Design for List Views

I created the following RBAC design to view files:

[screenshot: Screen Shot 2017-08-09 at 18.07.33.png]

It is designed to check the access for a single file with the action: file/view?id=1 and works as follows:

[list=1]
[*]Administrator -> Allowed to view all files
[*]Manager -> Allowed to view files of the same application which are not system files
[*]Limited -> Allowed to view my own files which are not system files
[/list]

I then started to create a filtered file list view with the action: file/index. Unfortunately, I don’t have a parameter to pass on to the rules, since I’m showing a list of them. I was thinking of implementing it as follows, but the rules obviously return false, since they have no file to check.

// attempt: derive the list filters from the rule-backed permissions
// (these checks return false, since the rules have no file to evaluate)
if ($user->can(Permissions::FILE_VIEW_NOSYSTEM)) {
    $query->andWhere(['!=', 'typeV', '-1']);
}

if ($user->can(Permissions::FILE_VIEW_OWN)) {
    $query->andWhere(['uploaded_by' => $user->id]);
}

The only design I was able to come up with is to add a whole new set of permissions without rules for the list view. But it doesn't seem right to me:

[screenshot: Screen Shot 2017-08-09 at 18.35.01.png]

Does someone have an idea for a better RBAC design, which also works with lists?

I was approaching this the wrong way and was overthinking things. Side effect of two weeks vacation ;) I updated my RBAC design to a simpler one:

[screenshot: Screen Shot 2017-08-10 at 13.47.25.png]

I removed the rules FileSameAppRule and FileNotSystemRule, but instead am using a custom File::findVisible:

/**
 * Files the current user is allowed to see, restricted to the current app.
 * The permission checks add query conditions instead of evaluating per-file
 * rules, so the same query serves the list view and any per-file lookup.
 *
 * @return \yii\db\ActiveQuery
 */
public static function findVisible()
{
    $query = self::find()
        ->select('f.*')
        ->from('tbl_files f')
        // only apps the user is mapped to
        ->innerJoin('map_users_apps ua', 'ua.appID = f.appID and ua.userID = :user', ['user' => Yii::$app->user->id]);

    $condition = ['and', ['f.appID' => PitApp::currentId()]];

    // permissions
    $user = Yii::$app->user;

    // without FILE_VIEW_SYSTEM, hide system files (typeV = -1)
    if (!$user->can(Permissions::FILE_VIEW_SYSTEM)) {
        $condition[] = ['!=', 'f.typeV', '-1'];
    }

    // without FILE_VIEW, show only the user's own uploads
    if (!$user->can(Permissions::FILE_VIEW)) {
        $condition[] = ['f.uploaded_by' => $user->id];
    }

    return $query->where($condition);
}
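One way to keep file/view?id=1 and file/index from drifting apart is to load the single record through the same scope, so both actions share one predicate. This is an added example, not code from the thread; it assumes the poster's File model lives in app\models, that tbl_files has an `id` primary key, and a conventional Yii 2 controller.

```php
<?php
// Added example (not from the original post): assumes the File model from the
// thread with its findVisible() scope, an `id` primary key on tbl_files, and
// a standard Yii 2 controller.
namespace app\controllers;

use app\models\File;          // assumed namespace of the poster's File model
use yii\data\ActiveDataProvider;
use yii\web\Controller;
use yii\web\NotFoundHttpException;

class FileController extends Controller
{
    /**
     * List view: the query itself carries the authorization, so the data
     * provider can only ever page through rows the current user may see.
     */
    public function actionIndex()
    {
        $dataProvider = new ActiveDataProvider([
            'query' => File::findVisible(),
            'pagination' => ['pageSize' => 20],
        ]);

        return $this->render('index', ['dataProvider' => $dataProvider]);
    }

    /**
     * Single-item view: load the record through the same scope instead of
     * File::findOne($id). A file the user may not see is then indistinguishable
     * from one that does not exist, and the list and detail actions cannot
     * disagree, because they evaluate the same conditions.
     */
    public function actionView($id)
    {
        return $this->render('view', ['model' => $this->findVisibleModel($id)]);
    }

    protected function findVisibleModel($id): File
    {
        // andWhere() appends to the conditions set by findVisible()
        $model = File::findVisible()->andWhere(['f.id' => $id])->one();
        if ($model === null) {
            throw new NotFoundHttpException('The requested file does not exist.');
        }

        return $model;
    }
}
```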