Simple RBAC

You are viewing revision #1 of this wiki article.

If you need simple role-based access control without going through the full RBAC setup, this article is for you. Let's jump straight to the point.

On your user table, add a column named 'roles'.

When you add users, assign them a role in that column such as 'Admin' / 'user' / 'staff' and so on. The value is compared as an exact, case-sensitive string later, so it must match the spelling used in your check functions.

In your UserIdentity.php file write something like:

class UserIdentity extends CUserIdentity
{
    private $id;

    public function authenticate()
    {
        // Look the user up by e-mail address (the login form's "username")
        $record=User::model()->findByAttributes(array('email'=>$this->username));
        if($record===null)
            $this->errorCode=self::ERROR_USERNAME_INVALID;
        else if($record->password!==md5($this->password))
            $this->errorCode=self::ERROR_PASSWORD_INVALID;
        else
        {
            $this->id=$record->id;
            // Copy the 'roles' column into the user's session state
            $this->setState('roles', $record->roles);
            $this->errorCode=self::ERROR_NONE;
        }
        return !$this->errorCode;
    }

    public function getId(){
        return $this->id;
    }
}

The important line is $this->setState('roles', $record->roles);

This stores the user's role in their session state, where it is readable later as Yii::app()->user->roles. Because it is copied at login, a change to the 'roles' column only takes effect the next time the user logs in.

Now create a Utils.php file under the protected/components directory and implement one simple role-check function for each role you have.

<?php

class Utils
{
	// These are called statically (Utils::isAdmin()) from accessRules()
	// and from views, so they must be declared static.
	public static function isAdmin()
	{
		if(Yii::app()->user->isGuest)
			return false;
		else if(Yii::app()->user->roles == 'Admin')
			return true;
		else
			return false;
	}

	public static function isUser()
	{
		if(Yii::app()->user->isGuest)
			return false;
		else if(Yii::app()->user->roles == 'User')
			return true;
		else
			return false;
	}
}

?>
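The article checks each role with its own function. A generalized version, added here as an example and not the wiki's own code, puts the guest check and the comparison in one static hasRole() helper that isAdmin()/isUser() wrap. It assumes the 'roles' session state set in UserIdentity above; the comma-separated multi-role format is an assumption beyond the article.

```php
<?php
// Added example (not the wiki's code): protected/components/Utils.php
// Assumes UserIdentity stored the 'roles' column via setState('roles', ...).
class Utils
{
    /**
     * True only if the current user is logged in and holds $role.
     * The stored value is compared exactly (case-sensitive), so the strings
     * in the database must match the strings used in the checks.
     * Assumption beyond the article: the column may hold several roles
     * as a comma-separated list, e.g. "User,staff".
     */
    public static function hasRole($role)
    {
        $user = Yii::app()->user;
        if ($user->isGuest) {
            return false;                 // guests never have a role
        }
        $stored = $user->getState('roles');
        if ($stored === null || $stored === '') {
            return false;                 // logged in but no role assigned
        }
        $roles = array_map('trim', explode(',', (string)$stored));
        return in_array($role, $roles, true);   // strict string comparison
    }

    public static function isAdmin()
    {
        return self::hasRole('Admin');
    }

    public static function isUser()
    {
        return self::hasRole('User');
    }
}
```

In accessRules() the helper can be used directly, e.g. 'expression'=>'Utils::hasRole("Admin")', since CAccessRule evaluates the expression string as PHP. Keep in mind that the role is read from session state that was filled at login, so revoking a role in the database does not affect a session that is already open until the user logs in again.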

And now, in your controller's accessRules() function, try something like:

public function accessRules()
{	
	return array(
		array('allow',
			'controllers'=>array('admin'),
			'expression'=>'Utils::isAdmin()',
		),
		array('deny',  // deny all users
			'users'=>array('*'),
		),
	);
}

Here I just protect my AdminController.php from unauthorised access: the accessRules() function in AdminController.php calls the role check written in Utils.php. Note that accessRules() is only enforced when the controller's filters() method lists 'accessControl'; without that filter every action stays reachable.
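A complete controller wired up the way the paragraph above describes, added here as an example rather than the article's own code. It uses the article's Utils::isAdmin() and Utils::isUser(); the action names are assumptions.

```php
<?php
// Added example (not the wiki's code): protected/controllers/AdminController.php
// Relies on the article's Utils::isAdmin()/isUser(); action names are assumed.
class AdminController extends CController
{
    // accessRules() is only applied through this filter. Leaving it out
    // silently disables every rule below.
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        // Rules are evaluated top to bottom and the first match wins,
        // so the specific 'allow' rules come first and the catch-all
        // 'deny' comes last.
        return array(
            array('allow',
                'actions'=>array('index', 'pageeditor'),   // admin-only actions
                'expression'=>'Utils::isAdmin()',
            ),
            array('allow',
                'actions'=>array('report'),                 // assumed shared action
                'expression'=>'Utils::isAdmin() || Utils::isUser()',
            ),
            array('deny',   // everyone else, including guests
                'users'=>array('*'),
            ),
        );
    }

    public function actionIndex()
    {
        $this->render('index');
    }

    public function actionPageeditor()
    {
        $this->render('pageeditor');
    }

    public function actionReport()
    {
        $this->render('report');
    }
}
```

Any action not named in an 'allow' rule falls through to the final 'deny', which is the safe default: adding a new action to this controller requires explicitly granting it.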

You can also use a single menu for all users and show or hide items based on roles, for example:

<?php $this->widget('zii.widgets.CMenu',array(
	'items'=>array(
		array('label'=>'Users', 'url'=>array('/manageUser/admin'), 'visible'=>Utils::isAdmin()),
		array('label'=>'Ideas', 'url'=>array('/manageIdea/admin'), 'visible'=>Utils::isAdmin()),
		array('label'=>'Page Editor', 'url'=>array('/admin/pageeditor'), 'visible'=>Utils::isAdmin()),
		array('label'=>'Your Ideas', 'url'=>array('/userarea/ideaList'), 'visible'=>Utils::isUser()),
		array('label'=>'Add new idea', 'url'=>array('/userarea/create'), 'visible'=>Utils::isUser()),
		array('label'=>'Login', 'url'=>array('/site/login'), 'visible'=>Yii::app()->user->isGuest),
		array('label'=>'Logout ('.Yii::app()->user->name.')', 'url'=>array('/site/logout'), 'visible'=>!Yii::app()->user->isGuest)
	),
)); ?>

I hope this little bit of code helps you.

Thanks