Question about managing projects and issues after RBAC is implemented

I am not sure if I made some mistakes or if it's just a part of the application that is not implemented and left to us as an exercise, but after finishing the book, whenever I click a "manage something" link I get the error:

"Home » Error
Error 403
You are not authorized to perform this action."

My manage links look like this:

"http://localhost/trackstar/project/admin" <-- manage project

"http://localhost/trackstar/issue/admin/pid/1" <-- manage issue if accessed from project 1

The only thing I can access and manage right now is the systemmessage part of the admin module.

I would like some clarification on whether it's a bug or non-implemented stuff, and if it's not implemented, just a hint on what to change or add for it to work.

Thanks a lot.

Most of the actual RBAC Yii::app()->user->checkAccess() stuff is left up to the reader to implement. The book’s intention is to just expose you to these options for access control.

The "management" of the specific entities like projects and issues is still tied to the simple access control defined in the controller method:

public function accessRules()
{
	return array(
		array('allow',  // allow all users to perform 'index' and 'view' actions
			'actions'=>array('index','view', 'adduser'),
			'users'=>array('@'),
		),
		array('allow', // allow authenticated user to perform 'create' and 'update' actions
			'actions'=>array('create','update'),
			'users'=>array('@'),
		),
		array('allow', // allow admin user to perform 'admin' and 'delete' actions
			'actions'=>array('admin','delete'),
			'users'=>array('admin'),
		),
		array('deny',  // deny all users
			'users'=>array('*'),
		),
	);
}

The rule dealing with access to the actionAdmin() method is:

array('allow', // allow admin user to perform 'admin' and 'delete' actions
	'actions'=>array('admin','delete'),
	'users'=>array('admin'),
),

So, if you are beyond chapter 7 (changing over to the DB for authentication), you will need to either have a user that is identified as 'admin', or add the 'roles' property to this simple access control config with a list of allowed roles… or just remove the simple access filter altogether and implement the RBAC checkAccess() calls in the action methods.

Thanks for the response. I removed the simple control lines from all the controllers and now I'm trying to build the RBAC access.

Thinking I'll need to change every action method in each controller to have a different check, I took the check from the addUser method and changed the check to adminManagement in the actionAdmin method like this:

public function actionAdmin()
{
	if(!Yii::app()->user->checkAccess('adminManagement',array('project'=>$project)))
	{
		throw new CHttpException(403,'You are not authorized to perform this action.');
	}
	$model=new Project('search');
	if(isset($_GET['Project']))
		$model->attributes=$_GET['Project'];

	$this->render('admin',array(
		'model'=>$model,
	));
}

I got this error:

PHP Error

Description
Undefined variable: project

Source File
C:\localhost\htdocs\trackstar\protected\controllers\ProjectController.php(175)

00163:         $message = null;
00164:         
00165:         $this->render('index',array(
00166:             'dataProvider'=>$dataProvider,
00167:             'sysMessage'=>$message,
00168:         ));
00169:     }
00170:     /**
00171:      * Manages all models.
00172:      */
00173:     public function actionAdmin()
00174:     {
00175:         if(!Yii::app()->user->checkAccess('adminManagement',array('project'=>$project)))
00176:         {
00177:             throw new CHttpException(403,'You are not authorized to perform this action.');
00178:         }
00179:         $model=new Project('search');
00180:         if(isset($_GET['Project']))
00181:             $model->attributes=$_GET['Project'];
00182: 
00183:         $this->render('admin',array(
00184:             'model'=>$model,
00185:         ));
00186:     }
00187: 

I'm a total newb and maybe asking dumb questions, but hopefully I'll learn something from it. :)
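The "Undefined variable: project" error above comes from passing a $project to checkAccess() that was never loaded. ProjectController's admin page lists all projects, so there is no single project to pass there; the issue admin page, reached as /issue/admin/pid/1, does have one. The following is an added example (not the book's code and not the poster's) of loading that project from the pid parameter before the check. It assumes an Issue model with a project_id column and the 'adminManagement' auth item named in the post.

```php
<?php
// Added example for IssueController, not TrackStar's own code.
// Assumes: Issue has a project_id column, and an RBAC operation
// 'adminManagement' whose bizRule inspects $params['project'].

public function actionAdmin()
{
    // Load the project first so the authorization check has real data to work on.
    $project = $this->loadProjectFromRequest();

    // Authorization: deny with 403 before touching any issue data.
    if (!Yii::app()->user->checkAccess('adminManagement', array('project' => $project))) {
        throw new CHttpException(403, 'You are not authorized to perform this action.');
    }

    $model = new Issue('search');
    $model->unsetAttributes(); // clear defaults so the search grid starts empty
    if (isset($_GET['Issue'])) {
        $model->attributes = $_GET['Issue'];
    }
    // Force the grid to the authorized project, regardless of what the filter form sends.
    $model->project_id = $project->id;

    $this->render('admin', array('model' => $model));
}

/**
 * Reads ?pid= (or /pid/N with pretty URLs), validates it, and loads the project.
 * Hypothetical helper: a 400 for a missing/malformed id, a 404 for an unknown one,
 * so callers can never reach checkAccess() with a null project.
 */
protected function loadProjectFromRequest()
{
    if (!isset($_GET['pid']) || !ctype_digit((string) $_GET['pid'])) {
        throw new CHttpException(400, 'A project id is required.');
    }
    $project = Project::model()->findByPk((int) $_GET['pid']);
    if ($project === null) {
        throw new CHttpException(404, 'The requested project does not exist.');
    }
    return $project;
}
```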

If you do not get that to work, you can modify your accessRules() like this:

array('allow', // allow owner and admin user to perform 'admin' and 'delete' actions
	'actions'=>array('admin', 'delete'),
	'roles'=>array('owner','admin'),
),

That will let the owner of the project and the admin to perform admin and delete actions.

I hope that it clarified your access problems and helped you on your way.

If you got more questions just ask. I am modifying the project from the book too…

If anyone has any comments regarding using this method instead of the other, then post a comment so I'll know…

Happy coding my fellow yii brothers B)

I was pretty clueless but at least I figured out my last question.

My AuthAssignment table only had the admin in it, because no user is assigned to any project unless it's manually assigned with the adduser method.

My question now is:

When a user creates a new project, I want to automatically update the AuthAssignment table, making that user an "owner" so they can add other users to it and have all the other permissions. Where exactly would I put the code, the authManager, the bizRule that would make sure the correct user is added as an owner, and the authAssign that would update the database? Can it and should it be included directly in the create method in the project controller, or where?

Thanks in advance to anyone who can help me.
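One place this can live, shown as an added example (not the book's code and not any poster's): in actionCreate, right after a successful save, wrapped in a transaction so a project is never left without an owner. It assumes a global 'owner' auth item and a project-user-role table named tbl_project_user_role (an assumption) that the 'owner' bizRule consults; AuthAssignment alone cannot hold one 'owner' row per project, because its key is (itemname, userid).

```php
<?php
// Added example for ProjectController, not TrackStar's own code.
// Assumes: an RBAC role 'owner' exists, and a table tbl_project_user_role
// (project_id, user_id, role) that the 'owner' bizRule checks per project.

public function actionCreate()
{
    $model = new Project;
    if (isset($_POST['Project'])) {
        $model->attributes = $_POST['Project'];
        // One unit of work: project row + ownership rows succeed or fail together.
        $transaction = Yii::app()->db->beginTransaction();
        try {
            if ($model->save()) {
                $this->assignOwner($model, Yii::app()->user->id);
                $transaction->commit();
                $this->redirect(array('view', 'id' => $model->id));
            }
            $transaction->rollback(); // validation failed: nothing to keep
        } catch (Exception $e) {
            $transaction->rollback();
            throw $e;
        }
    }
    $this->render('create', array('model' => $model));
}

/**
 * Hypothetical helper: records that $userId owns $project.
 * The global assignment is made once per user; the per-project link is what
 * the 'owner' bizRule reads when checkAccess() receives array('project' => ...).
 */
protected function assignOwner(Project $project, $userId)
{
    $auth = Yii::app()->authManager;
    // AuthAssignment is keyed on (itemname, userid): assign 'owner' only once.
    if (!$auth->isAssigned('owner', $userId)) {
        $auth->assign('owner', $userId);
    }
    // Project-scoped ownership; table name is an assumption of this example.
    Yii::app()->db->createCommand()->insert('tbl_project_user_role', array(
        'project_id' => $project->id,
        'user_id'    => $userId,
        'role'       => 'owner',
    ));
}
```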