They are split by the loginToBackend permission.
In all your applications, do you advise using one table to store both backend managers and frontend members? Is that it?
Yes, and I don't see any problem here.
But I have two tables storing the frontend members and the backend managers. Some people have said it is not secure to store frontend users and backend managers in a single table. What should I do?
@buuug7 There is a role (named "user") specifically to prevent people from logging into the backend, since that role does not have the loginToBackend permission. I do not see how this is less secure than having different tables for admin users. I assume you will not be creating a different DB user with much more limited grants for that kind of login, so the potential for damage is still the same, as long as you do not do something like assigning the loginToBackend permission to the user role; but you would need to really go out of your way to do that, so it's not a big risk.

About separating the tables: you could still do that, yes, with some work, basically ignoring the whole role system. I have seen some systems that do it, but it's not a widely used approach. The biggest CMS systems do not do it like that (see, for instance, how WordPress does it: https://codex.wordpress.org/Roles_and_Capabilities), so maybe that's a good example to discuss with whomever is pushing you/advising you to do this. The whole point of having RBAC and AC is to be able to discriminate between users safely.

In any case, I seriously do not see how this would be beneficial to the starter kit project itself, which is why, I imagine, trntv closed this thread.
Best of luck, Romina

On Dec 11, 2015 5:40 AM, "buuug7" notifications@github.com wrote:

> But I have two tables storing the frontend members and the backend managers. Some people have said it is not secure to store frontend users and backend managers in a single table. What should I do?

View it on GitHub: https://github.com/trntv/yii2-starter-kit/issues/331#issuecomment-163875801
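The single-table design Romina describes rests entirely on the RBAC hierarchy: a "user" role without the loginToBackend permission, a "manager" role that has it, and an access filter in the backend that checks the permission rather than the table a row lives in. The following is an added example, not the starter kit's own code, showing both halves in plain Yii2. It assumes the permission name loginToBackend and the role names "user" and "manager" from the thread; the console command name, the controller name and the user ids 1 and 2 are hypothetical placeholders.

```php
<?php
// ---- file 1 (hypothetical): console/controllers/RbacController.php ----
// Builds the RBAC hierarchy discussed in the thread. Run once with: ./yii rbac/init
namespace console\controllers;

use Yii;
use yii\console\Controller;

class RbacController extends Controller
{
    public function actionInit()
    {
        $auth = Yii::$app->authManager;
        $auth->removeAll(); // start from an empty hierarchy (setup/dev use only)

        // The one permission that gates the backend application.
        $loginToBackend = $auth->createPermission('loginToBackend');
        $loginToBackend->description = 'Can log in to the backend application';
        $auth->add($loginToBackend);

        // Frontend members: a role that deliberately carries no backend permission.
        $user = $auth->createRole('user');
        $auth->add($user);

        // Backend managers: inherit everything "user" can do, plus backend access.
        $manager = $auth->createRole('manager');
        $auth->add($manager);
        $auth->addChild($manager, $user);
        $auth->addChild($manager, $loginToBackend);

        // Constructed sample assignments; both accounts live in the same user table,
        // only the role assignment differs. Ids 1 and 2 are placeholders.
        $auth->assign($user, 1);     // frontend member
        $auth->assign($manager, 2);  // backend manager
    }
}

// ---- file 2 (hypothetical): backend/controllers/BaseController.php ----
// Every backend controller extends this, so the permission check cannot be
// forgotten on an individual action.
namespace backend\controllers;

use yii\filters\AccessControl;
use yii\web\Controller;

class BaseController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    [
                        'allow' => true,
                        // Any name other than '?' and '@' is resolved through
                        // Yii::$app->user->can(), i.e. the RBAC permission above.
                        'roles' => ['loginToBackend'],
                    ],
                ],
                // No matching rule: guests are redirected to login, authenticated
                // users without the permission get a 403, regardless of which
                // table or row they authenticated from.
            ],
        ];
    }
}
```

The property worth noticing is the one Romina points at: a frontend member with the "user" role is rejected by the backend filter even though the account record is in the same table as a manager's, and the only way to change that is an explicit addChild() or assign() granting loginToBackend, which is what would need auditing rather than the table layout.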
Normally a frontend user cannot access the backend, so why has your template set it up this way? I have looked at many approaches but have not found a perfect way to split backend users and frontend users.