yii-starter-kit / yii2-starter-kit

Yii2 Starter Kit
http://yii2-starter-kit.terentev.net

Why are frontend and backend identified by the same user? How to split them #331

Closed buuug7 closed 8 years ago

buuug7 commented 8 years ago

Normally a frontend user could not access the backend; why does your template set it up this way? I have looked at most of them but have not found a perfect way to split backend users and frontend users.

trntv commented 8 years ago

They are split by the loginToBackend permission.

https://github.com/trntv/yii2-starter-kit/blob/master/common/migrations/rbac/m150625_215624_init_permissions.php

buuug7 commented 8 years ago

In all your applications, do you advise using one table to store backend managers and frontend members? Is that right?

trntv commented 8 years ago

Yes, and I don't see any problem here.

trntv commented 8 years ago

333

buuug7 commented 8 years ago

But I have two tables that store the frontend members and the backend managers. Some people have said it is not secure to store frontend users and backend managers in a single table. What can I do?

rowasc commented 8 years ago

@buuug7 There is a role (named "user") specifically to prevent people from logging into the backend, since that role does not have the loginToBackend permission. I do not see how this is less secure than having different tables for admin users. I assume you will not be creating a different db user for that kind of login with much more limited grants, so the potential for damage is still the same, as long as you do not do something like assigning the loginToBackend permission to the user role, but you need to really go out of your way to do so, so it's not a big risk.

About separating the tables: you could still do that, yes, with some work, and basically ignore the whole role system. I have seen some systems that do it, but it's not a widely used approach. The biggest CMS systems do not do it like that (see, for instance, how WordPress does it: https://codex.wordpress.org/Roles_and_Capabilities), so maybe that's a good example to discuss with whomever is pushing you/advising you to do this. The whole point of having an RBAC and AC is to be able to discriminate between users safely.

In any case, I seriously do not see how this would be beneficial to the starter kit project itself, which is why, I imagine, trntv closed this thread.

Best of luck, Romina On Dec 11, 2015 5:40 AM, "buuug7" notifications@github.com wrote:
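To make the mechanism described in this thread concrete, here is an added example (not the starter kit's own code) of how a single user table is split by the loginToBackend permission: the RBAC bootstrap never grants that permission to the "user" role, and the backend application is gated on it. The role names "user" and "manager", the Yii2 advanced-style layout and a configured authManager are assumptions.

```php
<?php
// Added example, not code from yii2-starter-kit. Assumes Yii2 with an RBAC
// authManager configured (DbManager or PhpManager) and the hypothetical role
// names 'user' (frontend members) and 'manager' (backend staff).

use yii\filters\AccessControl;
use yii\rbac\ManagerInterface;

/**
 * RBAC bootstrap (run once, e.g. from a console command or migration).
 * The split lives here: 'user' deliberately never receives loginToBackend.
 */
function initBackendRbac(ManagerInterface $auth): void
{
    $loginToBackend = $auth->createPermission('loginToBackend');
    $loginToBackend->description = 'Allowed to log into the backend application';
    $auth->add($loginToBackend);

    $user = $auth->createRole('user');       // frontend members
    $auth->add($user);

    $manager = $auth->createRole('manager'); // backend managers
    $auth->add($manager);
    $auth->addChild($manager, $loginToBackend);
    // Intentionally no addChild($user, $loginToBackend): a frontend member
    // who authenticates against the shared table still fails the backend gate.
}

/**
 * Application-wide gate for the backend app. Attach it in backend config as
 * 'as access' => backendAccessBehavior(), so every backend route requires the
 * permission rather than relying on each controller to remember the check.
 */
function backendAccessBehavior(): array
{
    return [
        'class' => AccessControl::class,
        // Keep the login/logout actions reachable for guests.
        'except' => ['site/login', 'site/logout'],
        'rules' => [
            [
                'allow' => true,
                // RBAC item names are accepted here and checked via user->can().
                'roles' => ['loginToBackend'],
            ],
        ],
        // Default denyCallback: 403 for authenticated users without the
        // permission, redirect to the login page for guests.
    ];
}
```

Auditing this split then reduces to one query: confirm that no assignment or child link ever puts loginToBackend under the "user" role.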