You are viewing revision #9 of this wiki article.
This version may not be up to date with the latest version.
You may want to view the differences to the latest version or see the changes made in this revision.
Before riding this article, you should first learn this How to setup RBAC with a php file
It is actually mentioned in the documentation
CPhpAuthManager : CPhpAuthManager is mainly suitable for authorization data that is not too big (for example, the authorization data for a personal blog system). Use CDbAuthManager for more complex authorization data.
So you maybe mistakenly thought it is perfect and will allow you to manage the roles of the next website with million users, it doesn't ... BUT there are ways to improve it actually, if your hierarchy structure is simple, so you can serve up to million users with it
Why CPhpAuthManager can be evil? ¶
At the first glance what is the problem? You set auth.php file, it has the rules - no problems.
But actually when you dig dipper you understand there is a lot of issues with it .
Lets take a look at the CPhpAuthManager::assign The key to start understanding is this snippet:
when you assign a role to some userId, it is added to the existing assignments, userId serve as key, and that is how the access is checked... just like
Now as you saw in the code, there is no sessions there, so if you don't save next time user go to another page, no roles...
so you should save at the end of role assignment or revoke (at and of cycle, not in the middle!!!)
Now to the punch line
what it does is it takes all the assignments and roles and just write them to auth.php
THe problem: Remember?
So as you I think understood, auth.php will be overwritten, and rows with users ID will be added to each role...
So if you have for example 10000 users, you will have about 10000+ rows inside auth.php loaded every time !!!
if you have 100000 it will just break...
cause it overwrite it every time!!!
What to do? ¶
So as mentioned in the documentation, if you don't use some smart strategy, you should not use CPhpAuthManager for project with more than few hundred users!
But... if your hierarchy is simple like:
banned, guest, user, moderator, admin
And in most of the websites this is the case...
You can follow this rules and handle a million users easily!
The rules ¶
1) Never revoke if you don't delete the user or change row...
2) assign role and do CPhpAuthManager::save if and only if the user is assigned with moderator or admin rule
3) in accessControl never use
Assuming that you have some role field in your users table...
the banned rule will serve you in the authorization... no reason to assigned save it at all, just don't login banned users!
instead of 'roles'=>array('user') always use the @ for guests use ? Like this:
'users' => array('@')
3) use the
only for moderators and admins!
If you follow this rules, if you have 1 million of users. You will have about 100 moderators and few admins... so it is peace of cake for CPhpAuthManager if you follow the rules
You just need to remember that every role assignment add row to your auth.php file that loaded every time!
I described the issue, but it is always better to do it yourself to understand in more depth what is the "problem" with it. And don't understand me wrong... it is awsome! but it not ment to work with a lot of users and assignments!
just do this loop after you set the basic rules in auth.php
$auth = Yii::app()->authManager; for($userID=1;$userID<10000;$userID++) $auth->assign('user', $userID); $auth->save();
execute it and after this open the data/auth.php