Implement RBAC management module

[joujou]

Don't store bizrule inside Db evaluated with eval().

[samdark]

@joujou any alternatives?

[rclai]

It would be great to have a graphical interface to create roles and capabilities like on gii.

[joujou]

I agree with rclai about the interface. Rights management is involved in almost every webapp so the it'd be great if the framework could give an easy and powerful to manage that. It would be sad to have no other way but using an extension to perform such a sensitive task. About the bizrule stored in the DB, I don't know what else to do but many people won't use the solution because of the idea of PHP code stored in the DB processed with eval. Class inheritance containing specific rules ? A bit like Zend_Acl. I don't know but I think the subject really disserves to find another solution. It's also important for the framework in general; it could be seen as being not really secure/professionnal/serious because of that PHP in db/eval() process.

[qiangxue]

This issue IS about the RBAC management GUI interface. The RBAC core is covered by #24.

It would be great if you could help summarize the needed features for this module. I expect the underlying RBAC core won't have big change in design.

[rclai]

A role creator for sure. Given that this is an extended user attribute or property of some sort, how will this connect to the user management that people will develop?

Oh, then I suppose the GUI should be able to detect the controllers (and perhaps the module controllers) that are available and link the roles to the controllers?

[rbryant]

IMHO, this is how it should work. A Management application that allows an admin to create a role and then do the following to it:

1. Assign access to modules based upon a system generated list of user accessible modules. Could be defined through a parameter in each model. Each module that the role should access could be selected and would have the CRUD options laid out and you could "check" the ones that this role should be able to perform.
2. Each user could be assigned one or multiple roles
3. A combination of rights through the Roles would be the Users Rights.
4. The rights Management Engine could then apply those rights through a standard way storing only data in the db.

You could include or choose not to include that rights function in your controllers. You could even define some kind of encryption code as a system configuration that obfuscated those rights in the db for extra protection. I would not be in favor of storing PHP in the tables either, but this approach would give you the same functionality without it. A Developer could extend the Rights Management code to customize behavior.

[creocoder]

Don't store bizrule inside Db evaluated with eval().

There is NO alternatives. So store.

[miraage]

About web interface - I like implementation of access rules in Invision Power Board - rows with modules and columns with crud actions.

[joujou]

Of course there are alternatives ! I think you haven't search a lot creocoder.

[creocoder]

@joujou There can be unique bizrules for every user / auth item assotiation. So if not store in db, such files size can reach 1, 10, 100 Mb. Seems you just do not solve complex RBAC tasks. So bizrules should be stored in db as main variant and yes, storing in files like alt variant.

[qiangxue]

If the RBAC module is to be used by someone who is not 100% reliable, you should not let him directly store expressions in DB. Instead, you should create GUI so that he can select some pre-defined expressions.

Internally, I don't see alternative either.

[bwoester]

I think bizRules should be splitted into callbacks and data. So instead of storing code to be executed, you store classname, (static) method name and the data that should be passed to that method. This way you know at design time which code will be executed and don't have to rely on your users to provide valid code that you blindly trust. I think this should cover almost all use cases. If there really is someone who wants to give his users the possibility to run their own code, he can still use a callback that simply eval's its param.

[psihius]

I probably have a weird view for the GUI, but I really like the idea behind the SRBAC module (we use it in all our projects). To the contrary of my case, most of the people seemed to use Yii-Rights module for that, and although it has nice UI, it's usability is way off for any serious project with lots of auth items and numerous roles. SRBAC UI, althought not pretty and somewhat not intuative at first glance, is great for handling mass assignments of stuff - it's very easy to create a role and add like 50 tasks to it in a few clicks. It also has a nice concept of "clever assignment", but it got broken at some point, probably because we hacked it a little for our special needs. We hacked it to handle multiple controller directories like "dirname.controllerAction" - we use it to build multiple projects on a single code base - I can provide additional information on how and what if needed, just ask @samdark to contact me :)

[joujou]

The alternative is to create custom classes containing the specific logic. Storing PHP code in DB processed with eval is an easy but insecure solution. It's like storing a part of the code application in the DB, so why not store whole functions or even the whole application in the db and process it with eval :)

[githubjeka]

:+1: for joujou

How can we help to make this issue has been resolved soon?

I don't like something in third-party modules always. And they creates more and more.

p.s I would like to make something beautiful, like debug module or gii

[samdark]

@githubjeka I have an idea about using something like http://jsplumb.org/ for it.

[githubjeka]

hmm very intresting at first sight. But it certainly complicates the understanding rbac for some.

[lynicidn]

имхо лучше в классическом ввиде парент и предки, без схем, привязок меньше у модуля

[samdark]

The fact that it's a graph is a key to understanding how it works so I think something like jsplumb is much better than a flat hierarchy.

[githubjeka]

When relationships become much, it would be difficult to understand, perhaps. Probably better to use a simpler interface, as table or something ui known for coders.

[samdark]

But that means that we're limiting RBAC abilities to very oversimplified permissions table. It could handle more.

[githubjeka]

@samdark I liked it. But I think this will be more of a problem in terms of debugging.

[samdark]

As for debugging it would be very cool to see checks trace in that graph i.e. starting with permission we're checking it will show how it tries to get to the role assigned to current user.

[lynicidn]

помоиму найти премиссион проще используя фильтр чем наглядная схема и ч то будет если зависимостей (ролей) будет куча?

[githubjeka]

@lynicidn you right. But this is amazing - http://www.findtheconversation.com/concept-map/ (D3 i like it)

[githubjeka]

I tried to make a demo for js visual concept. Conveniently the first few minutes. This self-indulgence, which is redundant. IMHO while it is most convenient: It's fast, understandable and easily customizable.

[samdark]

Umm... routes? How routes are connected with RBAC?

[githubjeka]

In no way :) I took the third-party modules for rbac and just corrected. I told many yii2 modules of rbac appear in the network and I don't like something in therein. In this issue discusses the concept of GUI interface. I suggested skeleton, which is easy to operate and easily supplement js tricks.

[lynicidn]

++ i also create rules for action as actionUniqueId

[lynicidn]

select2 good plugin for it with multiselect, only dependence of the excess

[githubjeka]

Permissions isn't actionUniqueId... I was plagued by the thought that it's bad practice. How to describe the group of permissions, if you use only actionUniqueId? Sense of use actionUniqueId lost.

@samdark what do you think? All in one page

[samdark]

It's OK for basic hierarchy with two levels of nesting. When it's getting a bit more complex UI won't be able to efficiently visualize current state of the hierarchy.

[githubjeka]

yeah :(

[samdark]

I was talking about drag-and-drop visual IDE style like yEd, Visual Studio or Delphi:

[githubjeka]

Ok I started

Zooming, draggable ready ^_^

https://rbac-githubjeka.c9.io/index.html

[samdark]

Note that it's a graph, not tree. A single permission could be assigned to multiple roles or permissions.

[samdark]

I think that connections should be managed separately from nodes.

[githubjeka]

You right.

[githubjeka]

@samdark please see again https://rbac-githubjeka.c9.io/index.html

[samdark]

@githubjeka while D3 is cool, I'm not sure about editing. jsPlumb looks much more useful in this manner:

• http://jsplumb.org/demo/chart/dom.html
• http://jsplumb.org/demo/draggableConnectors/dom.html

[githubjeka]

I don't know jsPlumb and it request vanila or jquery... And yet I feel closer d3js (has more stars :star: nyanyanya).

I'll try to make the interface to edit the links and add new nodes if you still not finally decided to use jsPlumb

Good night. Thank.

[samdark]

Nope, I haven't decided anything. Just voiced my thoughts about possible UI.

[githubjeka]

Qiangxue makes a decision?

[samdark]

Currently noone does since we aren't sure about UI. Prototypes are certainly welcome.

[githubjeka]

Just what to do? Or wait until closer version 2.1.x

[samdark]

Experiment with UI. I'm certain that it can be good enough but not sure how exactly it should function.

[githubjeka]

Well, then I will continue. :snail:

[githubjeka]

:tada: https://rbac-githubjeka.c9.io/index.html

[samdark]

Great job! It already feels like very simple thing that you actually can work with :)

Can you adjust it so it visualizes as hierarchical group instead of organically? See PhpStorm diagrams for reference:

I think it would look much more organized.