I'm trying to customize RBAC, so I've made several roles for users.
Now I'm trying to understand how to tell the controller which action should be accessed by which role.
In the controller's code I see this:
    public function accessRules()
    {
        return array(
            array('allow', // allow all users to perform 'index' and 'view' actions
                'actions'=>array('index','view'),
                'users'=>array('*'),
            ),
            array('allow', // allow authenticated user to perform 'create' and 'update' actions
                'actions'=>array('create','update'),
                'users'=>array('@'),
            ),
            array('allow', // allow admin user to perform 'admin' and 'delete' actions
                'actions'=>array('admin','delete'),
                'users'=>array('admin'),
            ),
            array('deny', // deny all users
                'users'=>array('*'),
            ),
        );
    }
Now I thought that 'users' was meant to be the user roles of RBAC, but I guess I'm totally wrong. So on one hand I have this accessRules, and on the other hand I have several roles of RBAC. How can I tell the controller to use my roles?
Update for Jonny
Sounds interesting... I've made a test action:
    public function actionNew()
    {
        echo 'TEST'; die;
    }
Then I've made a rule accessible for all, just for the test:
    public function accessRules()
    {
        return array(
            array('allow', // allow all users to perform 'index' and 'view' actions
                'actions'=>array('index','view'),
                'users'=>array('*'),
            ),
            array('allow', // allow authenticated user to perform 'create' and 'update' actions
                'actions'=>array('create','update'),
                'users'=>array('@'),
            ),
            array('allow', // allow admin user to perform 'admin' and 'delete' actions
                'actions'=>array('admin','delete'),
                'users'=>array('admin'),
            ),
            array('deny', // deny all users
                'users'=>array('*'),
            ),
            array('allow',
                'actions'=>array('new'),
                'users'=>array('*'),
            ),
        );
    }
But it's not working :( Any ideas why?
I'm getting
Error 403
You are not authorized to perform this action.
UPDATE 2
OK, the test action works with * users.
Now I'm trying to connect it with my roles and I'm stuck there :(
    array('allow',
        'actions'=>array('new'),
        'roles'=>array('role1'),
    ),
is not working :(
On the page with the button which calls this action I have role-checking code:
    if(Yii::app()->user->checkAccess('role1')){
        echo "hello, I'm role1";
    }
Last Update for Jonny
Thanks for the help, I've finally done it. I don't know why, but the problem was that I must put all these new actions before the deny array.
Like this:
    public function accessRules()
    {
        return array(
            array('allow', // allow all users to perform 'index' and 'view' actions
                'actions'=>array('index','view'),
                'users'=>array('*'),
            ),
            array('allow', // allow authenticated user to perform 'create' and 'update' actions
                'actions'=>array('create','update'),
                'users'=>array('@'),
            ),
            array('allow', // allow admin user to perform 'admin' and 'delete' actions
                'actions'=>array('admin','delete'),
                'users'=>array('admin'),
            ),
            array('allow',
                'actions'=>array('new'),
                'roles'=>array('role1'),
            ),
            array('deny', // deny all users
                'users'=>array('*'),
            ),
        );
    }
And in this case it works. Earlier my new action was located in the code after the 'deny' error; you can check the code fragments in the updates above. It's strange to me, but now it works fine :)
One way is to call something like this in your controller:
    if(Yii::app()->user->checkAccess('my_user_role')){
        // Do something
    }
- ? : anonymous users
- @ : logged-in users
- * : any user, logged-in or not
- admin : is the username also, not a type of user in this case
In your case you can do this:
    array('allow',
        'actions'=>array('create','update'),
        'users'=>array('@'),
        'roles'=>array('myRole')
    ),
users specifies what type of user from the list mentioned above. The roles key then allows you to assign your specific role to that group of users.
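
Added example, not part of the question or the answer above and not Yii's own code: a simplified PHP model of how the access rules are evaluated, showing why the 'new' rule only works when it is listed before the deny-all rule. It assumes rules are checked in order with the first applicable rule deciding, that every key present in a rule must match, and a flat list of role names standing in for checkAccess(); ruleApplies(), decide() and the sample users are hypothetical names.

```php
<?php
// Simplified model of first-match rule evaluation (illustration only, not Yii's source).
// $user is constructed sample data: ['name' => string|null, 'roles' => string[]].
function ruleApplies(array $rule, string $action, array $user): bool
{
    // Every key present in the rule must match; an absent key matches anything.
    if (isset($rule['actions']) && !in_array($action, $rule['actions'], true)) {
        return false;
    }
    if (isset($rule['users'])) {
        $hit = false;
        foreach ($rule['users'] as $u) {
            $hit = $hit
                || $u === '*'                                   // anyone
                || ($u === '?' && $user['name'] === null)       // anonymous
                || ($u === '@' && $user['name'] !== null)       // logged in
                || ($user['name'] !== null && strcasecmp($u, $user['name']) === 0);
        }
        if (!$hit) {
            return false;
        }
    }
    // Assumption: roles are a flat list here instead of a checkAccess() call per role.
    if (isset($rule['roles']) && !array_intersect($rule['roles'], $user['roles'])) {
        return false;
    }
    return true;
}

function decide(array $rules, string $action, array $user): string
{
    foreach ($rules as $rule) {
        if (ruleApplies($rule, $action, $user)) {
            return $rule[0];   // first applicable rule wins; later rules are never read
        }
    }
    return 'allow';            // no rule applied: access is granted, hence the final deny-all
}

$denyAll  = array('deny', 'users' => array('*'));
$allowNew = array('allow', 'actions' => array('new'), 'roles' => array('role1'));
$member   = array('name' => 'bob', 'roles' => array('role1'));  // constructed user
$other    = array('name' => 'eve', 'roles' => array());         // constructed user

echo decide(array($denyAll, $allowNew), 'new', $member), "\n";  // deny-all listed first
echo decide(array($allowNew, $denyAll), 'new', $member), "\n";  // allow rule listed first
echo decide(array($allowNew, $denyAll), 'new', $other), "\n";   // user without role1
echo decide(array($allowNew), 'new', $other), "\n";             // deny-all rule omitted
```

The last call shows why the closing deny-all rule matters: without it, a request that matches no rule is let through.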