Role Based Access Management

Yii 1.1 General Discussion
1

Hello,

I am trying to use roles for access management. I already read this page :

http://www.yiiframework.com/doc/guide/1.1/en/topics.auth

And a few posts on the forum.

All I want is to use the field role from my database to set a role to the user, in order to use the Access Control Filter in my controlers.

So I just tried to add those lines to my UserIdentity :

$auth = Yii::app()->authManager;


if (!$auth->isAssigned($model->role, $this->_id)) {

	if ($auth->assign($model->role, $this->_id)) {

		yii::app()->authmanager->save();

	}

}

But I have an exception saying : Unknown authorization item "RoleName".

So I guess that means I have all the roles I have somewhere, I tried in my conf file, but I couldn’t make it work.

So I was wondering, am I using the roles correctly ? And if I am, where should I define my roles in order to assign them ?

Thank you !

2

Please, does anyone has an idea to use database defined roles to perform access control for controller ?

Thanks !

3

first create role entry in authmanager:

$role = Yi::app()->authManager->createRole( ‘RoleName’ );

then assign it to user:

Yii::app()->authManager->assign( ‘RoleName’, $user->id );

then save:

Yii::app()->authManager->save();

there is one catch - assigning user to role is done i authManager and is persistent (you called save()). So next time this user logs in - even if you revoke him this role, authManager will have this assignement. You have to use only authManager to store authorization or synchronize every change every time user logs in (if he is still logged in changes won’t be visible untile he re-login).

4

Thank you for your answer, but I don’t think that it really is what I want to do. I wish the roles could be assgined automatically, that I could define a role with its name and an assertion like :

‘roleA’ => ‘Yii::app()->user->model->role == “A”’, and all users with the attribute role = A would be in the roleA role. (That would be in the case that my user model is stored in the CWebUser).

Is there a way to do that ? (I thought I saw that once, but I can’t remember…)

Thank you !

EDIT : Or maybe I understand what you mean. But I would just need to understand where I need to create the role. I understand that I assign the role to the user when he logs in, but should I create the role in my UserIdentity too, or is there a better place to create the roles.

If I create the role in my UserIdentity, it would look like :


$auth = Yii::app()->authManager;

$auth->createRole($model->role);

if (!$auth->isAssigned($model->role, $this->_id)) {

	if ($auth->assign($model->role, $this->_id)) {

		yii::app()->authmanager->save();

	}

}

Is this the good way to do it ?

Thank you !!

5

you can dynamically assign role like in your snippet, but you have to also check if role does not exist already or it will throw exception.

however if you like to check persmissions using expressions you can specify ‘expression’ instead of ‘roles’ in accessFilter rules:




public function accessRules()

    {

        return array(

            array('allow',

                'actions'=>array('delete'),

                'expression'=>'Yii::app()->user->model->role == "A"',

            ),

            array('deny',

                'actions'=>array('delete'),

            ),

        );

    }

this way you do not have to use authManager at all, and I think it will be best for you.

6

Thank you !

I think this will be much more easier for me using expressions. I’m going to implement that right now !

Thanks !!