Docs: RBAC sample code improvement

Under Authentication and Authorization there is this example:

In my opinion the example could be the following:


$params=array('post'=>$post);

// First the updatePost role is checked,
// then the updateOwnPost role
if(Yii::app()->user->checkAccess('updatePost',$params))
{
    // update post
}



Which better demonstrates how the child-parent relationship for the updateOwnPost works.

But updateOwnPost is a less restrictive role. This way people with the updateOwnPost role, but without permission to updatePost, would also be denied.

And that’s what I thought as well, but it doesn’t work that way.

Say User A is an administrator who can updatePost;

User B is a writer who can updateOwnPost;


$params = array(..);

getUser('User A')->checkAccess('updatePost', $params)    // == true
getUser('User A')->checkAccess('updateOwnPost', $params) // == false

getUser('User B')->checkAccess('updatePost', $params)    // == whatever updateOwnPost bizRule returns
getUser('User B')->checkAccess('updateOwnPost', $params) // == whatever updateOwnPost bizRule returns

So when checking updateOwnPost you really have to check for updatePost as well, which is redundant and misses the point of permission inheritance. When checking for updatePost, the underlying system also checks updateOwnPost, and if the user has it, it means the user can updatePost.

Hope it clarified it a bit more.
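A stand-alone illustration of the upward walk described in the thread, added here as an example that is not code from the thread or from Yii: it mimics CAuthManager::checkAccess over the guide's author/editor hierarchy, with closures standing in for Yii's string bizRules; the users 'User A'/'User B' and the post are constructed.

```php
<?php
// Hierarchy from the Yii guide, stored as child => parents (the reverse of addChild()):
//   role 'author' -> task 'updateOwnPost' (bizRule) -> operation 'updatePost'
//   role 'editor' -> operation 'updatePost'
$parents = [
    'updatePost'    => ['updateOwnPost', 'editor'],
    'updateOwnPost' => ['author'],
];
// Closures stand in for Yii's string bizRules; each receives $params and the user id.
$bizRules = [
    'updateOwnPost' => function (array $params, $userId) {
        return $params['post']['authorId'] === $userId;
    },
];
// Direct assignments (what $auth->assign() records); the users are constructed.
$assignments = [
    'User A' => ['editor'],   // administrator who can updatePost
    'User B' => ['author'],   // writer who can updateOwnPost
];

// Mimics CAuthManager::checkAccess: the requested item's bizRule must pass, then the
// walk goes UP through parents until it reaches an item assigned to the user.
function checkAccess($item, $userId, array $params, array $parents, array $bizRules, array $assignments)
{
    if (isset($bizRules[$item]) && !$bizRules[$item]($params, $userId)) {
        return false;                                // bizRule denies this item outright
    }
    if (in_array($item, $assignments[$userId] ?? [], true)) {
        return true;                                 // reached a directly assigned item
    }
    foreach ($parents[$item] ?? [] as $parent) {     // otherwise try each parent
        if (checkAccess($parent, $userId, $params, $parents, $bizRules, $assignments)) {
            return true;
        }
    }
    return false;
}

// Constructed post owned by User B. Checking the leaf 'updatePost' grants both users
// (A via editor, B via the bizRule); checking 'updateOwnPost' denies the administrator.
$params = ['post' => ['authorId' => 'User B']];
foreach (['User A', 'User B'] as $user) {
    foreach (['updatePost', 'updateOwnPost'] as $item) {
        $ok = checkAccess($item, $user, $params, $parents, $bizRules, $assignments);
        printf("%s checkAccess('%s') => %s\n", $user, $item, $ok ? 'true' : 'false');
    }
}
```

Swapping the post's authorId to someone else makes both of User B's checks return false, which is the "whatever the bizRule returns" case from the thread.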