CException error with RBAC ACL using authManager in yiic shell tool

Question

I get the below error when running a custom command from the yiic shell. I am using the latest MAMP 2.0.2 on OS X 10.7.2

I am not sure what the error means by reader or member does not exist?

Line 56 is: $role->addChild("reader"); and the full code of the custom command and and terminal output is below:

users-MacBook-Air:protected user$ ./yiic shell ../index.php
Yii Interactive Tool v1.1 (based on Yii v1.1.2)
Please type 'help' for help. Type 'exit' to quit.
>> rbac
This command will create three roles: Owner, Member, and Reader and the following permissions:
create, read, update and delete user
create, read, update and delete project
create, read, update and delete issue
Would you like to continue? [Yes|No]y
exception 'CException' with message 'Either "member" or "reader" does not exist.' in /Users/user/Dropbox/localhost/yii/framework/web/auth/CDbAuthManager.php:203
Stack trace:
#0 /Users/user/Dropbox/localhost/yii/framework/web/auth/CAuthItem.php(185): CDbAuthManager->addItemChild('member', 'reader')
#1 /Users/user/Dropbox/localhost/trackstar/protected/commands/shell/RbacCommand.php(56): CAuthItem->addChild('reader')
#2 /Users/user/Dropbox/localhost/yii/framework/cli/commands/ShellCommand.php(144): RbacCommand->run(Array)
#3 /Users/user/Dropbox/localhost/yii/framework/cli/commands/ShellCommand.php(99): ShellCommand->runShell()
#4 /Users/user/Dropbox/localhost/yii/framework/console/CConsoleCommandRunner.php(62): ShellCommand->run(Array)
#5 /Users/user/Dropbox/localhost/yii/framework/console/CConsoleApplication.php(88): CConsoleCommandRunner->run(Array)
#6 /Users/user/Dropbox/localhost/yii/framework/base/CApplication.php(135): CConsoleApplication->processRequest()
#7 /Users/user/Dropbox/localhost/yii/framework/yiic.php(33): CApplication->run()
#8 /Users/user/Dropbox/localhost/trackstar/protected/yiic.php(7): require_once('/Users/user/Dro...')
#9 /Users/user/Dropbox/localhost/trackstar/protected/yiic(4): require_once('/Users/user/Dro...')
#10 {main}
>> 

RBAC Command:

<?php

    class RbacCommand extends CConsoleCommand
    {
        private $_authManager;

        public function getHelp()
        {
            return "<<<EOD

            USAGE
                rbac

            DESCRIPTION
                This command generates an initial RBAC authorization hierarchy.

            EOD";
        }

        public function run($args)
        {
            if(($this->_authManager=Yii::app()->authManager)===null)
            {
                echo "Error: an authorization manager, named 'authManager' must be configured to use this command.\n";
                echo "If you already added 'authManager' component in applicaton configuration,\n";
                echo "please quit and re-enter the yiic shell.\n";
                return;
            }

            echo "This command will create three roles: Owner, Member, and Reader and the following permissions:\n";
            echo "create, read, update and delete user\n";
            echo "create, read, update and delete project\n";
            echo "create, read, update and delete issue\n";
            echo "Would you like to continue? [Yes|No]";

            if(!strncasecmp(trim(fgets(STDIN)),'y',1))
            {
                $this->_authManager->clearAll();

                $this->_authManager->createOperation("createUser","create a new user");
                $this->_authManager->createOperation("readUser","read user profile information");
                $this->_authManager->createOperation("updateUser","update a users information");
                $this->_authManager->createOperation("deleteUser","remove a user from a project");

                $this->_authManager->createOperation("createProject","create a new project");
                $this->_authManager->createOperation("readProject","read project information");
                $this->_authManager->createOperation("updateProject","update project information");
                $this->_authManager->createOperation("deleteProject","delete a project");

                $this->_authManager->createOperation("createIssue","create a new issue");
                $this->_authManager->createOperation("readIssue","read issue information");
                $this->_authManager->createOperation("updateIssue","update issue information");
                $this->_authManager->createOperation("deleteIssue","delete a issue");

                $role=$this->_authManager->createRole("member");
                $role->addChild("reader");
                $role->addChild("createIssue");
                $role->addChild("updateIssue");
                $role->addChild("deleteIssue");

                $role=$this->_authManager->createRole("owner");
                $role->addChild("reader");
                $role->addChild("member");
                $role->addChild("createUser");
                $role->addChild("updateUser");
                $role->addChild("deleteUser");
                $role->addChild("createProject");
                $role->addChild("updateProject");
                $role->addChild("deleteProject");
            }
        }
    }

?>

Answer 1

I think you need to create the "reader" operation (or task, or role) before you can add it to the "member" role with addChild(). Something like this:

<?php
// define reader role
$role=$this->_authManager->createRole("reader");
// add some operations
$role->addChild("readIssue");
// NOW create the member role
$role=$this->_authManager->createRole("member");
// and now that reader is defined, we can add it to member
$role->addChild("reader");
?>

I'm sure you have already found this, but there are more details on the Yii Guide page for Role-based ACL.