Question

Now, I am new to Yii and I have been working on authentication and authorization. I have successfully managed to do the authentication part and now I am following the Yii RBAC. Here I am confused a little. As per the documentation I can use

    if( Yii::app()->user->checkAccess('createIssue'))

To check whether the user has the permission for the createIssue action. As per my understanding I can add this in preFilter() for the action to check for the access before the action is executed.

My question is, if I am using the RBAC approach, should I still have the access rules defined in the accessRules() function for the controller, or should I just allow all the users and check for access in the preFilter for the individual action? I am confused as to what is the preferred way. Please guide me, thanks.

Solution

RBAC is the bigger brother of accessRules(), in the family of Yii authorization methods. It is more robust, powerful and usually employed in more complex use cases, but this depends on your requirements and tendencies.

When you use RBAC, you do not need to (and are better off not to) check permissions using Yii's accessRules(), which uses a predefined Yii filter. Be sure not to miss that, when defining the method accessRules(), you also need to tell Yii to use the filter 'accessControl' on the action methods. So in short - don't use both. Lose both the filters directive (or the entire method, if you have no other filters defined) and the 'accessRules()' method.

By default, RBAC will consult the 'auth items' hierarchy and the auth items assigned to users in the DB. You can manage the DB by yourself, but I strongly recommend you consider using one of several ready-made extensions for managing (only) the 3 tables of RBAC. For example, RBAM and SRBAC. Neither is bug free, but they save lots of work in case you have a more than trivial permissions tree.

Last but not least, be sure to read the relevant page in the guide.

Other tips

RBAC Works with CController::accessRules()

As of Yii 1.1.11 you can use RBAC in the accessRules() filter. The docs provide an example, but the gist is that your rule looks like this:

    'roles' =>array('itemName' =>$params),

Where $params is an optional array of parameters, just what you'd pass to user->checkAccess($itemName, $params).
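
A controller that puts RBAC items inside accessRules() in the way this answer describes, written here as an added example that is not part of the original answer or of the Yii documentation. IssueController, the updateIssue item, the issueId parameter name and the view names are assumptions; createIssue comes from the question. The rule set ends with a catch-all deny because the accessControl filter lets a request through when no rule matches it.

```php
<?php
// Added example for Yii 1.1.11 or later. Hypothetical names: IssueController,
// 'updateIssue', the 'issueId' parameter, and the 'create'/'update' views.
class IssueController extends CController
{
    // accessRules() is only consulted when the accessControl filter is enabled.
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            // Plain RBAC item: evaluated as user->checkAccess('createIssue').
            array('allow',
                'actions' => array('create'),
                'roles'   => array('createIssue'),
            ),
            // Item with parameters: evaluated as
            // user->checkAccess('updateIssue', array('issueId' => ...)),
            // so the item's bizRule can decide per record via $params['issueId'].
            array('allow',
                'actions' => array('update'),
                'roles'   => array(
                    'updateIssue' => array(
                        'issueId' => Yii::app()->request->getParam('id'),
                    ),
                ),
            ),
            // Rules are tried in order and the first match wins. Without this
            // last rule, any action not listed above would be reachable by anyone.
            array('deny', 'users' => array('*')),
        );
    }

    public function actionCreate()
    {
        // Reached only after the 'createIssue' check has passed.
        $this->render('create');
    }

    public function actionUpdate($id)
    {
        // Reached only after the 'updateIssue' check has passed for this id.
        $this->render('update', array('id' => $id));
    }
}
```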

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow