RBAC doc more explicit

[gimox]

RBAC doc seem to be criptic, can anyone add doc more usefull for set a phpmanager RBAC? (like old one)

[marciocamello]

Example

$auth->assignToApplication('frontend', $role); $auth->assignToApplication('backend', $role); etc

[samdark]

RBAC rules aren't specific to any application. You're just using these when you need it in any application that has authManager configured.

[naturalc]

great, everyone talks about php file version, what about the DB version? All i've been able to find is the migration script to create the database tables. so I've done that, now what? I see people are saying create this file or that file and put stuff in them, but they never specify what files go where and what goes in which files.

so, step one, migrate DB tables -- done step 2, add to config file -- done 'authManager' => [ 'class' => 'yii\rbac\DbManager', 'defaultRoles' => ['admin', 'user', 'guest'], ],

now, how do I create the rules and roles? and how do I check them. thanks!

[samdark]

Using RBAC API.

[naturalc]

unfortunately that sentence means very little to me. I understand what you are saying, but have no idea how to complete that statement.

this is what i've found

Now you can add roles by simply writing the following code to your corresponding controller.

use yii\rbac\DbManager;
$r=new DbManager;
$r->init();
$test = $r->createRole('test');
$r->add($test);

And you can assign it to the users by

$r->assign($test, 2);

where would this go? what files? what about the other files people say they created? and this doesn't create any rules for that "test" role

[samdark]

http://www.yiiframework.com/doc-2.0/guide-security-authorization.html#building-authorization-data

[samdark]

Usually it goes into migrations http://www.yiiframework.com/doc-2.0/guide-db-migrations.html

[naturalc]

okay, that makes sense that you would put the rules in a migration script. i was wondering why people were saying put them in each controller. but, as far as the first link you gave, I've already read through that a few times, that's all about the file version not the db version. or do you follow everything the same?

[naturalc]

You create a separate file for each rule, such as AuthorRule, and put them in the app folder? why wouldn't you put them in the common folder?

[naturalc]

also, where does this go? it doesn't say in the document

The rule above checks if the post is created by $user. We'll create a special permission updateOwnPost in the command we've used previously:

// add the rule $rule = new \app\rbac\AuthorRule; $auth->add($rule);

// add the "updateOwnPost" permission and associate the rule with it. $updateOwnPost = $this->auth->createPermission('updateOwnPost'); $updateOwnPost->description = 'Update own post'; $updateOwnPost->ruleName = $rule->name; $auth->add($updateOwnPost);

// "updateOwnPost" will be used from "updatePost" $auth->addChild($updateOwnPost, $updatePost);

// allow "author" to update their own posts $auth->addChild($author, $updateOwnPost);

[samdark]

Yes. There's no difference if you're using PHP or DB storage for RBAC, API stays the same and the same guide applies.

[samdark]

You're free to put classes where you feel it's OK them to be. Class autoloader will load these if namespace matches directory structure.

[samdark]

Adding rules, child permissions etc. is all about building RBAC hierarchy so I'd put it into either migration or admin panel.

[samdark]

Assigning role to user id should go into two places:

1. Creating new user.
2. Admin panel where you can give regular user more permissive role.

[puppyceceyoyo]

I am using DBManager, and I do not want to use defaultRoles as in I dont want to assign all people with a role as long as they are authenticated by openID. however, i found that even after i done all these things - create role, permissions, assign role to user ( i do in console controller ), it has been saved into database auth_ table, but it seems did not know my role after i have been authenticated. I use Yii::$app->user->can('mycreatedpermission') , but it is appear NULL, how can i solve this?

When i tried to use defaultRoles, it looks like working but I do not want everyone authenticated been assigned to all those defaultRoles. So how the 'can' function works?it seems did not know my role from the database auth_ table..

So instead of using Yii::$app->user->can('xxx'), I replace it with $auth->getAssignment() or getPermissionsByUser() in my controller to check the role or permission. In DBManager, lot of method to use though. :+1: :)

But i still would like to know if my way to get this done is correct or not. Thanks.

[samdark]

That's weird. Yii::$app->user->can($permission) checks if current user is logged in. If he is, it searches for Yii::$app->user->id in auth assignments. In case of DB manager it queries something like SELECT * FROM auth_assignment WHERE user_id = :currentUserID. After getting role assigned it traverses permissions graph going from permission to role. If it got there, access granted. If not, access is denied.

So in your case:

1. Make sure there's row in auth_assignment.
2. Make sure auth_assignment.user_id is the same as Yii::$app->user->id.
3. Make sure that auth_assignment.item_name is user's role (the same that works in case of defaultRoles).

[puppyceceyoyo]

I had run a console controller, so that my roles, permissions, created at that time already. Yes, no.1 is yes, i have 3 rows with different user with different role. no.2: my auth_assignment.user_id is same as my openID user model name which is Yii::$app->user->identity->profile['name'] . *please note that I using OpenID, and my Yii::$app->user->id is different. And now i didnt apply any custom AccessRule. no.3 : yes it is.

That's why I able to use DbManager::getPermissionsByUser() or any of DBManager function and it returns me something that is correct.

So, is it my no.2 need to be fixed for me to able to use Yii::$app->user->can($permission)? But how should I fix this? How can I make it check my Yii::$app->user->identity->profile['name'] instead of Yii::$app->user->id ?

Thanks.

[samdark]

Yes, you need to fix point 2. It won't check name. You have to use ID when doing assignments.

[puppyceceyoyo]

@samdark ok, thank you :)