Inherited User Identity

[pavlm]

Hello, nice extension. I have some troubles configuring forum. As i see, there are two config scenarios: standalone forum users, and forum connected to app users. I need to use third scenario - when app and forum is loosely coupled, when app and forum have their own user tables and rbac tables, but app logged user also logged in to a forum. Is it possible out of box?

[bizley]

In case of inherited user identity Podium only relies on fact that user is logged in and in one case it checks user's password so it basically does nothing with user original table and the whole Podium data is stored in Podium tables anyway. What exactly is the case you are looking for?

[pavlm]

I've tried two variants of advanced config: 1st config: 'userComponent' => 'user' In this case forum uses app user and app rbac settings. But i wanted separate rbac's for app and forum. In my case application rbac doesn't contain 'podiumAdmin' role, so there is no admin access (http 403 error).

2nd config:

            'userComponent' => [
                'class' => 'bizley\podium\web\User',
                'identityClass' => 'app\models\User',
            ],

In this case separate rbac used - its ok. But Podium automatically creates linked user, what is not needed in my case. I wanted to control forum user creation from the application, we have many users and not all of them will be on the forum. So i need to turn off auto registration in Podium.

Sorry for confused description.

[bizley]

In case of configuration like 'userComponent' => 'user' RBAC component is not automatically inherited as well - you need to add 'rbacComponent' => 'authManager' (or similar) to inherit it. At least it should work like that, please let me know if it's not the case.
Anyway, in that case RBAC should be separated from main app.

Every userComponent setting other than default true ends with inherited identity linked to Podium tables - otherwise Podium can not gain control over forum member data (at least without some special tables mapping).

Please check again your 1st config and let me know if there are problems with it because this config looks like case you are after.

[pavlm]

More info about 1st config (without additional 'rbacComponent' configuration):

• if imperative access check is used, it works ok. User::can(Rbac::PERM_DELETE_OWN_POST, ...
• if declarative access check in controller behavior is used, it fails https://github.com/bizley/yii2-podium/blob/master/src/controllers/AdminController.php#L91

So it depends on type of access check.

[bizley]

Oh my... You are right. This is bug and will be fixed in 0.6. Thanks for pointing that.

[pavlm]

Ok, thanx. What about optional user auto registration?

[bizley]

Should it be something like:

• there is no registration option,
• access to Podium is granted through additional mechanism,
• separated RBAC and inherited user component.

How does it look?

[pavlm]

I think it can be a config settings:

• enableAutoRegistration = true, this controls optional registration in BaseController https://github.com/bizley/yii2-podium/blob/master/src/controllers/BaseController.php#L193
• enableProfileEdit = true, this can make forum profile fields (username, timezone, email) read only

Application will be responsible to register forum users by request. App will use internal Podium objects like RBAC and user model. Also enableAutoRegistration flag can hide links to 'account/login'

[bizley]

I could go for the following scenario:

• additional Podium parameter that allows control over Podium access (could be closure-like),
• parameter works only in case of inherited user component.

Podium account is created automatically only in case this parameter returns true.
I prefer to keep Podium-only fields to be editable from within Podium. Making them read-only is weird (why?) and allowing them to be edited from outside is difficult.

With options like that application says who can get account at Podium and from this point the rest is the same - Podium creates linked account, register and log in links are hidden.

[pavlm]

It will be nice. Read-only profile needed for unified user profile. When user changes his application profile, then changes will be propagated to his forum profile (by application). But this task is not very important and can be achieved with application means.

[bizley]

Two new parameters in 0.6:

• accessChecker callable returning access type,
• denyCallback callable to call when access is denied.

accessChecker should return one of integers:

• 1 for member access (allows registering and signing in),
• 0 for guest access (allows only forum viewing as guest),
• -1 for no access.

In case on no access custom denyCallback can be set otherwise Podium redirects to the target URL of goHome() method.

[pavlm]

Thank you.

[bizley]

I keep this open untill 0.6.

[bizley]

Released with 0.6