yiisoft / yii2

Yii 2: The Fast, Secure and Professional PHP Framework
http://www.yiiframework.com
BSD 3-Clause "New" or "Revised" License

RBAC addChild not work if adding role #3163

Closed gimox closed 10 years ago

gimox commented 10 years ago

code:

$auth = Yii::$app->authManager;

// add "createPost" permission
$createPost = $auth->createPermission('createPost');
$createPost->description = 'create a post';
$auth->add($createPost);

// add "readPost" permission
$readPost = $auth->createPermission('readPost');
$readPost->description = 'read a post';
$auth->add($readPost);

// add "reader" role and give this role the "readPost" permission
$reader = $auth->createRole('reader');
$auth->add($reader);
$auth->addChild($reader, $readPost);

// add "author" role and give this role the "createPost" permission
// as well as the permissions of the "reader" role
$author = $auth->createRole('author');
$auth->add($author);
$auth->addChild($author, $createPost);
$auth->addChild($author, $reader);

I cannot read the reader permission from authors; no error, it simply always returns false.

qiangxue commented 10 years ago

How do you assign the role? How do you check the access?

gimox commented 10 years ago

I follow the guide for the default role. My user has all author children but not reader children. I use Yii::$app->user->can('readPost')

I get false for user author.

qiangxue commented 10 years ago

What are the rules associated with the roles?

gimox commented 10 years ago

This is my console auth file:

https://gist.github.com/gimox/11042750

This is the rule: https://gist.github.com/gimox/11042924

I create auth from the console. It correctly creates the rba.php file. In my config I declared default roles. In my User model I have a field role. I correctly assign the role stored in my role field.

If I check viewAgenziaOwn with user role agencyManager, it returns true; if I check manageOperators, it returns false.

gimox commented 10 years ago

@qiangxue if I do not use default rules, it loads the permissions of child roles.

qiangxue commented 10 years ago

Please read my comment here for the reason: https://github.com/yiisoft/yii2/issues/3151#issuecomment-40806444

qiangxue commented 10 years ago

First, your execute() should return a boolean. Second, because your two roles have a parent-child relationship, if the child rule fails during checkAccess(), the parent will be marked as a failure too. You should modify your rule definition to not fail the parent.

gimox commented 10 years ago

OK, thanks... the bad one is that I understand the concepts and it cannot be used for complex rules, or for rules that are different from very simple... so for me this design is meaningless. I regret yii2 alpha...

qiangxue commented 10 years ago

That's how RBAC works. If yii2 alpha works for you, it means it has some issues. In summary, the rules for default roles have to respect the hierarchy of the default roles as well.

qiangxue commented 10 years ago

Please refer to the new doc: https://github.com/yiisoft/yii2/commit/e04dca4daea7c2ba86396332d6e426454dfbfe03
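
The behaviour discussed in this thread, as an added stand-alone example (a simplified model, not Yii's code and not taken from the linked gists or commit): a check for readPost walks up through reader before it can reach author, so a reader rule that rejects authors ends the path. The item names follow the snippet in the first comment; the user's `role` field, the rule closures and the `can()` helper are assumptions made for illustration.

```php
<?php
// Simplified model of a rule-aware RBAC check; not Yii's implementation.
// child item => list of parent items (author is the parent of reader and createPost)
$parents = [
    'readPost'   => ['reader'],
    'createPost' => ['author'],
    'reader'     => ['author'],
    'author'     => [],
];
$defaultRoles = ['reader', 'author'];

// Rules that ignore the hierarchy: each default role matches only its own name.
$strictRules = [
    'reader' => fn(array $user): bool => $user['role'] === 'reader',
    'author' => fn(array $user): bool => $user['role'] === 'author',
];
// Rules that respect the hierarchy: an author also satisfies the reader rule.
$hierarchyRules = [
    'reader' => fn(array $user): bool => in_array($user['role'], ['reader', 'author'], true),
    'author' => fn(array $user): bool => $user['role'] === 'author',
];

function can(array $user, string $item, array $rules, array $parents, array $defaultRoles): bool
{
    // An item whose rule fails ends this path, so its parents are never reached.
    if (isset($rules[$item]) && !$rules[$item]($user)) {
        return false;
    }
    if (in_array($item, $defaultRoles, true)) {
        return true; // reached a default role whose rule passed
    }
    foreach ($parents[$item] ?? [] as $parent) {
        if (can($user, $parent, $rules, $parents, $defaultRoles)) {
            return true;
        }
    }
    return false;
}

$author = ['role' => 'author']; // constructed sample user

// createPost is a direct child of author, so the strict rules are enough here.
var_dump(can($author, 'createPost', $strictRules, $parents, $defaultRoles));
// readPost is only reachable through reader, whose strict rule rejects an author.
var_dump(can($author, 'readPost', $strictRules, $parents, $defaultRoles));
// With the hierarchy-aware reader rule the same check succeeds.
var_dump(can($author, 'readPost', $hierarchyRules, $parents, $defaultRoles));
```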