[yogesh_sharma]

Hi,
I was using the RBAC and got following error

>> rbac grant roles=id:2 permissions=id:%
PHP Warning:  Call-time pass-by-reference has been deprecated in protected\commands\shell\RbacCommand.php on line 4
39

What is minimum PHP version I should use or what else I should do to fix it.

[megabr]

I am using php 5.3

[SlowDown]

Hi, Oleksiy.

I've not try it yet, but I think it is a nice module.
Will much appreciate if you include postgresql dump.

-majin-

[Paul Apostol]

Thanks for the example.
Very nice work
Instead of having php bizRules I will look to see if I can attach access levels.
As ex, for a structure like Holding/Firm/Department/Emplyee to have related access levels over the actions

Paul

PS: I'm missing something or the edit of the roles permisions is not done?

[oleksiy]

Quote

PS: I'm missing something or the edit of the roles permisions is not done?

Something is wrong, editing should be fully working. What happens when you click on 'Edit' link in 'Action' column?

[Paul Apostol]

The problem is under Roles when I'm clicking on Permissions. I think I misunderstood how is working. It shows only the tree (app and model) and the tree is expanding. No other options and no effect on save.
roles_has_permissions is not changed after save.
I created a group "Test" and I don't have a clue how to allocate the permissions.
THX
Paul

EDIT:
It has to be a checkbox tree? I don't have any checkbox. And no JS errors.
A strange tree if I may.

Attached File(s)

•  rbactree.jpg (14K)
  Number of downloads: 42

[oleksiy]

Looks like an extension is missing: JQueryCheckTree. There should be a collapsable tree with checkboxes.

[Paul Apostol]

I have it. I just unzipped your archive. I've changed only the config for db and framework. I'll investigate and I'll tell you if I found something.

[megabr]

The system for add users_to_goups when  groups_as_roles need another way to usability... I think.... I am try think how to...

legend: d=del,update=u,create=c,list=l

modules<-has->actions:
-------------------
blog        | d,c,u,l,s
chat        | d,c,u,l,s
-------------------
groups <has> permissions:
-------------------
admin      | d,u,c,l
cpd        | c,l,
user        | l
sup        | u,
--------------------
user_has_groups
example:
-----------------
user        group
-----------------
max        sup
max        cpd
tom        cpd

them user max can/has: roles/permissions sup+cpd=c,l,u

In my case users are part of task groups, in this case the number of records in databse are redused. dramatically,

for example I have 500 users group in 4 level, I setup 4 groups, with especific roles permissions, latter we add same user to corresponding group level.

[Paul Apostol]

Anyway, till I'll found the problem I have a question: User can have multiple roles? Looks like it could.
Also I need an advice. What I need is much more complicated but could be a start.
I need an authorization system that shows to certain users only few of the modules (I'll set them in the main menu) and certain controllers (secondary menu) and they can see only information inserted by them, or inserted by their colleagues in the department, or in the firm, etc. Any advice?
Thank you,
Paul

EDIT:
When the tree is taken through Ajax maybe a script must run.

[SimonZ]

There's a problem in Rbac.php
On Select distinct must change
AND u.id=:id
with
AND u.username=:id

and in RbacFilter.php when access is true i've no vars named
$p['title']  and $p['id']

[oleksiy]

Hi Simon,

You are using old Rbac code, please have a look at the snapshot I've attached few posts before.

and you should use supplied RbacUserLoginIdentity class as User Identity. Then you wont need to change to "AND u.username=:id"

Quote

There's a problem in Rbac.php

On Select distinct must change

AND u.id=:id

with

AND u.username=:id



and in RbacFilter.php when access is true i've no vars named

$p['title']  and $p['id']

[oleksiy]

HI,

1) Yes, user can have multiple roles.

2) There are several solutions for your question. First is to make use of BizRule column, that is business rule - php code that can perform additional checks while evaluating the permission. Second, you can have a separate action, that will only update records that user can update. You will define a separate permission for this action and assign it to some role.

Quote

Anyway, till I'll found the problem I have a question: User can have multiple roles? Looks like it could.

Also I need an advice. What I need is much more complicated but could be a start.

I need an authorization system that shows to certain users only few of the modules (I'll set them in the main menu) and certain controllers (secondary menu) and they can see only information inserted by them, or inserted by their colleagues in the department, or in the firm, etc. Any advice?

Thank you,

Paul



EDIT:

When the tree is taken through Ajax maybe a script must run.

[oleksiy]

This is quite nice idea, I will think about it!

Quote

The system for add users_to_goups when  groups_as_roles need another way to usability... I think.... I am try think how to...

[Paul Apostol]

Hard to chose. I was thinking at both solutions but first is hard to admin if you don't know PHP, second is not very flexible (coded for a specific problem).
Anyway, because I want dropdowns to set the module, controller and actions I was thinking on another idea: to make a set of bizRules to chose from, nicely labeled (another dropdown).
The question is: what's happening on multiple roles on one user? Even for the actual style of bizRules? (because you are able to put the same permission twice, with different bizRules)
Thank you,
Paul

[oleksiy]

If any of  permissions for specified module/controller/action set allows access - then access is granted.

Quote

The question is: what's happening on multiple roles on one user? Even for the actual style of bizRules? (because you are able to put the same permission twice, with different bizRules)

Thank you,

Paul

[megabr]

Quote

because I want dropdowns to set the module, controller and actions I was thinking on another idea: to make a set of bizRules to chose from, nicely labeled (another dropdown).

about layout, are you looked this image?
http://www.yiiframew...ttach=258;image

posted here:

http://www.yiiframew...00.html#msg7900

[Paul Apostol]

Hello,
Yes I had a look, but the screens show an access to modules of the site (maybe it's an idea, I will think about it) and I need access to data.
What I don't like is that it doesn't fit in the actual design of RBAC lib, and is bloated with a lot of checkboxes.
What I like is that is everything in one place.
In the actual display model the easiest  way to do it is to have a set of tables with the structure of the application and dropdowns for each level of it. At the end we can add a field (another dropdown) which sets the level of access. (in fact can be a set of bizRules stored in db.
(my main problem now is how to make autosubmit in the permission form to refresh the controller list and actions depending on modules)
Thanks,
Paul

Edit:
1. maybe with the help of this plugin:
http://plugins.jquer...project/cascade

2. Still the checkbox tree doesn't display correctly in the Roles page. No idea why

[Paul Apostol]

Hello,
I still didn't figure why the checktree doesn't work, I have a guess that "run" part of the extension doesn't run (i didn't found in the generated source the script defined there). I'll keep searching.
I've changed a bit the BaseAdminController to fit other data needs.
1. I added in actionUpdate, just befor the ajax check

$data = array_merge(array('model'=>$model, 'scenario'=>$scenario, 'modules'=>$modules), $this->extraData());

2. instead of

$output = $this->renderPartial('_form', array('model'=>$model, 'scenario'=>$scenario), true, false);

I have now

$output = $this->renderPartial('_form', $data, true, false);

3. I added a new function:

public function extraData(){ return array();}

and now, by overriding this function in the controller you can send more data to the view. As ex:

public function extraData()

    {

    	$criteria=new CDbCriteria;

		$modules=modules::model()->findAll($criteria);

		return array('modules'=>$modules);

    

    }

Hope that helps,
Paul

PS: same for actionCreate

[Paul Apostol]

Found the problem with the tree (I forgot to say that I'm using windows for development)
the problem is DIRECTORY_SEPARATOR
if we use

'/'

instead will be better for everybody. It's better for portability, anyway.
Paul