
yii RBAC and yii controllers access rules


I'm trying to customize RBAC, so I've made several roles for users.

Now I'm trying to understand how to tell the controller which action should be accessible to which role.

In the controller's code I see this:

public function accessRules()
{
    return array(
        array('allow',  // allow all users to perform 'index' and 'view' actions
            'actions'=>array('index','view'),
            'users'=>array('*'),
        ),
        array('allow', // allow authenticated user to perform 'create' and 'update' actions
            'actions'=>array('create','update'),
            'users'=>array('@'),
        ),
        array('allow', // allow admin user to perform 'admin' and 'delete' actions
            'actions'=>array('admin','delete'),
            'users'=>array('admin'),
        ),
        array('deny',  // deny all users
            'users'=>array('*'),
        ),
    );
}

Now I thought that 'users' was meant to be the RBAC user roles, but I guess I'm totally wrong. So on one hand I have this accessRules, and on the other hand I have several RBAC roles. How can I tell the controller to use my roles?

Update for Jonny

Sounds interesting... I've made a test action:

public function actionNew()
{
    echo 'TEST'; die;
}

then I made the rule accessible to all, just for testing:

public function accessRules()
{
    return array(
        array('allow',  // allow all users to perform 'index' and 'view' actions
            'actions'=>array('index','view'),
            'users'=>array('*'),
        ),
        array('allow', // allow authenticated user to perform 'create' and 'update' actions
            'actions'=>array('create','update'),
            'users'=>array('@'),
        ),
        array('allow', // allow admin user to perform 'admin' and 'delete' actions
            'actions'=>array('admin','delete'),
            'users'=>array('admin'),
        ),
        array('deny',  // deny all users
            'users'=>array('*'),
        ),


        array('allow',
            'actions'=>array('new'),
            'users'=>array('*'),
        ),
    );
}

But it's not working :( Any ideas why?

I'm getting

Error 403
You are not authorized to perform this action.

UPDATE 2

OK, the test action works with * users.

Now I'm trying to connect it with my roles and I'm stuck there :(

    array('allow',
        'actions'=>array('new'),
        'roles'=>array('role1'),
    ),

Is not working :(

On the page with the button which calls this action I have role-checking code:

if(Yii::app()->user->checkAccess('role1')){
    echo "hello, I'm role1";
}

Last update for Jonny: Thanks for the help, I've finally done it. I don't know why, but the problem was that I had to put all these new actions before the deny array.

Like this

public function accessRules()
{
    return array(
        array('allow',  // allow all users to perform 'index' and 'view' actions
            'actions'=>array('index','view'),
            'users'=>array('*'),
        ),
        array('allow', // allow authenticated user to perform 'create' and 'update' actions
            'actions'=>array('create','update'),
            'users'=>array('@'),
        ),
        array('allow', // allow admin user to perform 'admin' and 'delete' actions
            'actions'=>array('admin','delete'),
            'users'=>array('admin'),
        ),
        array('allow',
            'actions'=>array('new'),
            'roles'=>array('role1'),
        ),
        array('deny',  // deny all users
            'users'=>array('*'),
        ),
    );
}

And in this case it works. Earlier my new action was located in the code after the 'deny' rule; you can check the code fragments in the updates above. It's strange to me, but now it works fine :)


Solution

  • One way is to call something like this in your controller:

    if(Yii::app()->user->checkAccess('my_user_role')){
        // Do something
    }

    ? anonymous users

    @ logged-in users

    * any user logged-in or not

    admin is the username also, not a type of user in this case

    In your case you can do this:

    array('allow',
        'actions'=>array('create','update'),
        'users'=>array('@'),
        'roles'=>array('myRole')
    ),
    

    'users' specifies what type of user from the list mentioned above. The 'roles' key then allows you to assign your specific role to that group of users.
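The reason the asker's 'new' rule only worked once it was moved above the catch-all 'deny' (see the last update) and the way the 'users' and 'roles' keys narrow a rule (as explained in this answer) both follow from first-match evaluation. The following is an added Python model of that evaluation, not Yii's own code: users and roles are constructed dicts, and guests are represented by a name of None rather than Yii's default guest name.

```python
# Simplified model of Yii 1.x CAccessControlFilter rule evaluation (added
# illustration, not Yii's code). Rules are scanned in order; the first rule
# whose 'actions', 'users' and 'roles' all match decides the outcome
# ('allow' -> permitted, 'deny' -> 403). With no matching rule, Yii allows.

def _user_matches(spec, user):
    # user: {'name': str or None (guest), 'roles': set of assigned role names}
    is_guest = user['name'] is None
    if spec == '*':
        return True
    if spec == '?':
        return is_guest
    if spec == '@':
        return not is_guest
    # Anything else is compared against the username (case-insensitive)
    return (not is_guest) and spec.lower() == user['name'].lower()

def rule_matches(rule, action, user):
    # Each key present narrows the rule; a missing key matches everything
    if 'actions' in rule and action not in rule['actions']:
        return False
    if 'users' in rule and not any(_user_matches(s, user) for s in rule['users']):
        return False
    if 'roles' in rule and not any(r in user['roles'] for r in rule['roles']):
        return False
    return True

def is_allowed(rules, action, user):
    for rule in rules:
        if rule_matches(rule, action, user):
            return rule['type'] == 'allow'
    return True  # no rule matched: allowed by default

# Constructed sample users
GUEST = {'name': None, 'roles': set()}
ROLE1_USER = {'name': 'bob', 'roles': {'role1'}}

COMMON = [
    {'type': 'allow', 'actions': ['index', 'view'], 'users': ['*']},
    {'type': 'allow', 'actions': ['create', 'update'], 'users': ['@']},
    {'type': 'allow', 'actions': ['admin', 'delete'], 'users': ['admin']},
]
NEW_RULE = {'type': 'allow', 'actions': ['new'], 'roles': ['role1']}
DENY_ALL = {'type': 'deny', 'users': ['*']}

RULES_BROKEN = COMMON + [DENY_ALL, NEW_RULE]  # 'new' placed after the deny-all
RULES_FIXED = COMMON + [NEW_RULE, DENY_ALL]   # 'new' placed before the deny-all
```

With RULES_BROKEN the deny-all rule matches every request for 'new' first, so even a role1 user gets the 403 the asker saw; with RULES_FIXED role1 users reach 'new' while guests are still denied.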