Suggest make \yii\rbac\ActiveDbManager

[creocoder]

Which will work with models representing db tables. Why we need this. For example we have grid:

id | name | role
--------------------------------
1 | qiang | repo collab
2 | samdark | repo collab
3 | creocoder | coder
4 | cebe | repo collab

Now we want to sort users by role. Models for db auth manager tables will be ineresting to make relations from User model to it and get rbac data.

[creocoder]

It also will allow to not make 1 query to get user role. Its will be queried all records with role in 1 query. Currently to create that grid we need 1 query + N queries to get role where N = users count.

[creocoder]

@qiangxue There may be even more radical idea. To change DbManager approach from work with Query to work with ActiveQuery.

[creocoder]

@qiangxue It also allow user to inherit from models that we will represent in core and extend it. For example:

class DbManager
{
    public $assignmentModel = 'app\models\MyAuthAssignment'
    public $authItemModel = 'app\models\MyAuthItem'
}

By default it can be yii\rbac\models\AuthAssignment and yii\rbac\models\AuthItem.

[cebe]

Suggestions looks interesting as we are already dealing with an object representation of the DB in RBAC. It is common usage to have ActiveRecord for that tables too to work with it in admin backend. I think it would be a good idea to use AR for it.

[creocoder]

@cebe Its also allows to make relations from user to rbac models. If we do this our possibilities in rbac will grow a lot. We can define any new addition fields for example and many more.

[caleblloyd]

I agree. I am not a big fan of the default functionality in DbManager of storing AuthItem hierarchy as an Adjacency List, I prefer to use Nested Sets to minimize SQL calls. This could allow for easy implementation by using an AuthItemModel that has the NestedSetBehavior attached.

I would also like to see functionality in AuthManger that supports finding all Users that have a single AuthItem or array of AuthItems.

[callmez]

+1

[RomeroMsk]

:+1:

[Faryshta]

I worked on a way to use ActiveRecords on the rbac module.

https://github.com/Faryshta/yii2/compare/yiisoft:master...Faryshta:activeRecordRBAC

So far I have created the models and I am rewritting the DbManager class

[Faryshta]

I am checking the ManagetInterface. The docs mention the Item, Rule, Assignment, Role and Permission objects. But doesn't mention on which namespace they belong (at least not explicitly) and the php code doesn't actually use dependency injection so I think we can rewrite the DbManager to completely ignore the yii\rbac\Item|Rule|Assignment|Role|Permission objects and use the models I created instead completely cutting out an step to build the DbManager

https://github.com/yiisoft/yii2/blob/master/framework/rbac/ManagerInterface.php

Cases like this one won't be affected by skipping this objects https://github.com/yiisoft/yii2/blob/master/docs/guide/security-authorization.md#building-authorization-data

So I propose to avoid using those objects on the DbManager

[sashaaro]

What about separate interfaces, like https://github.com/yiisoft/yii2/issues/8424

[samdark]

Re-considered it. It's a bad idea since it would result in using RBAC AR directly which should be avoided. Instead we may extend interface to be OK for various control panels.