Simple access control for Facebook App

I need to implement a very simple access control for a Facebook App I'm currently building. Once the user logs into the app, I need to match the user's profile ID against the admin profile IDs I listed in the config to decide whether they have admin privileges or not. Based on that I need to allow/deny methods. How can I define this biz rule & access control in the Yii way?

What I would do in the simplest way (no RBAC): change the authenticate function in your UserIdentity component to:


class UserIdentity extends CUserIdentity
{
	public function authenticate()
	{
		// Suppositions:
		// 1) 'login', 'password' and 'profileId' would be your DB field names and also User model attributes
		// 2) 'username' is the LoginForm model attribute and site/login view form input element
		$user = User::model()->findByAttributes(array('login'=>$this->username));
		if($user===null)
			$this->errorCode=self::ERROR_USERNAME_INVALID;
		// Put your own password hashing scheme here. CPasswordHelper (Yii 1.1.14+)
		// is used so that the condition is complete; swap it for whatever your DB stores.
		else if(!CPasswordHelper::verifyPassword($this->password, $user->password))
			$this->errorCode=self::ERROR_PASSWORD_INVALID;
		else {
			$this->errorCode=self::ERROR_NONE;
			// Now, check whether the logged-in user is an admin, for instance, by checking profileId against a param.
			// The param may hold a single ID or a list of IDs; compare as strings and strictly,
			// so a numeric-looking ID cannot match through PHP's loose comparison.
			$admins=array_map('strval', (array)Yii::app()->params['adminProfile']);
			$this->setState('isAdmin', in_array((string)$user->profileId, $admins, true));
		}
		return !$this->errorCode;
	}
}

Using that boolean, you can check throughout your app whether the logged-in user has the admin profile:

In a controller (accessRules):

'expression' => '$user->isAdmin'

or in your views:

if(Yii::app()->user->isAdmin) {  // returns true or false
	…
}

Hope that helps. In order to test it, don't forget to log out and log in again; otherwise the session will not contain the 'isAdmin' state.

Thanks for the great snippet! In fact, RBAC would be overkill for my requirement and your solution is more appropriate for me. Is it possible to restrict all methods in the controller that start with 'admin' to admins only? I'll put all user & admin actions in a single controller and need to differentiate one from the other and also to apply the access control.

I don't really understand. What I generally do is restrict actions in accessRules. Example using the default gii-generated CRUD and the isAdmin boolean plus some other isEditor boolean (same logic):


<?php
class SomeController extends Controller
{
	public $layout='//layouts/column2';

	public function filters()
	{
		return array('accessControl');
	}

	/**
	 * Specifies the access control rules.
	 * This method is used by the 'accessControl' filter.
	 * Rules are evaluated top to bottom and the first matching rule wins.
	 * @return array access control rules
	 */
	public function accessRules()
	{
		return array(
			array('allow',  // allow all authenticated users to perform 'index' action
				'actions'=>array('index'),
				'users'=>array('@'),
			),
			array('allow', // allow authenticated Admin or Editor users to perform 'view', 'create' and 'update' actions
				'actions'=>array('view', 'create', 'update'),
				'users'=>array('@'),
				'expression'=>'$user->isAdmin || $user->isEditor',
			),
			array('allow', // allow Admin users to perform 'admin' and 'delete' actions
				'actions'=>array('admin', 'delete'),
				'users'=>array('@'),
				'expression'=>'$user->isAdmin',
			),
			array('deny',  // deny all users; keep this rule last so anything not allowed above is refused
				'users'=>array('*'),
			),
		);
	}

	(…)
}
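The follow-up asked for something the rules above do not do directly: protecting every action whose name starts with 'admin' without listing each one by hand. The controller below is an added example written for this page, not code from the thread or from the Yii project. It assumes the UserIdentity from the first reply has set the isAdmin session state; the class name SiteController and its action names are made up for illustration. It derives the admin action list from the controller's own methods and, importantly, adds an explicit deny rule for those actions, because an allow rule whose expression evaluates to false does not deny anything; evaluation simply falls through to the next rule, which here would be the generic allow for any logged-in user.

```php
<?php
// Added example (not from the original thread): every action whose method name
// starts with "actionAdmin" (URL id "admin...") is reachable only by users whose
// session carries isAdmin === true, set by UserIdentity::authenticate() at login.
class SiteController extends CController
{
	public function filters()
	{
		return array('accessControl');
	}

	/**
	 * Collects the ids of all actions declared on this controller whose method
	 * name starts with "actionAdmin", e.g. actionAdminUsers -> "AdminUsers".
	 * CAccessControlFilter lowercases both the rule's action list and the
	 * requested action id before comparing, so case does not matter here.
	 * @return array action ids to protect
	 */
	protected function adminActionIds()
	{
		$ids = array();
		foreach (get_class_methods($this) as $method) {
			if (strncasecmp($method, 'actionAdmin', 11) === 0) {
				$ids[] = substr($method, 6); // strip the leading "action"
			}
		}
		return $ids;
	}

	public function accessRules()
	{
		$adminActions = $this->adminActionIds();
		// First match wins. The admin pair (allow for admins, deny for everyone
		// else) must sit above the generic allow, and deny-all must stay last.
		return array(
			array('allow',
				'actions'    => $adminActions,
				'users'      => array('@'),
				'expression' => '$user->isAdmin',
			),
			array('deny', // a failed expression above does NOT deny, so deny explicitly
				'actions' => $adminActions,
				'users'   => array('*'),
			),
			array('allow', // every other action: any logged-in user
				'users' => array('@'),
			),
			array('deny',  // guests and anything not matched above
				'users' => array('*'),
			),
		);
	}

	// Illustrative actions; names are assumptions for this example.
	public function actionIndex()         { echo 'any logged-in user'; }
	public function actionProfile()       { echo 'any logged-in user'; }
	public function actionAdminUsers()    { echo 'admins only'; }
	public function actionAdminSettings() { echo 'admins only'; }
}
```

Two caveats a reviewer would raise: actions registered through actions() (external action classes) are not methods of the controller, so adminActionIds() will not see them; give them a distinct prefix or list their ids by hand. And because the deny for admin actions uses '*', a guest hitting an admin URL still gets the normal login redirect from the access filter rather than a bare 403, while a logged-in non-admin gets the 403.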