Yii2 RBAC Rule implementation

9
votes

I've seen a lot of Yii 2 RBAC tutorials but I can't really appreciate how to implement the rules. In the Yii 2 guide they introduced how rules are made but not really how can it be implemented in the controller's behavior or somewhere else. I really need some enlightenment regarding this said matter.

What I have now is a document uploading system where I have two roles namely admin & encoder. Basically, admin role can do all while the encoder role can only create, view-own, update-own and delete-own. I already created a Rule named encodedBy.

This is my code in my EncoderRule

namespace app\rbac; use yii\rbac\Rule;

/**  * Checks if encoded_by matches user passed via params  */ class EncoderRule extends Rule {
    public $name = 'encodedBy';

    /**
     * @param string|integer $user the user ID.
     * @param Item $item the role or permission that this rule is associated with
     * @param array $params parameters passed to ManagerInterface::checkAccess().
     * @return boolean a value indicating whether the rule permits the role or permission it is associated with.
     */
    public function execute($user, $item, $params)
    {
        return isset($params['document']) ? $params['document']->encoded_by == $user : false;
    } }

I store the data in the 'document' table, where I have a field named 'encoded_by'.

4
phpyii2rulesrbac
This video does a really good job of explaining RBAC for anyone who is unsure about how it works: youtube.com/watch?v=vLb8YATO-HUTheStoryCoder

4 Answers

2
votes

If I understand you clearly, you want to use Yii2 RBAC Rule to implement some permissions on the system users (Admin and encoder). Well, this is quite straight forward to some extent

Yii2 has existing tables for this purpose. These tables are i. auth_assignment ii. auth_item iii. auth_item_child iv. auth_rule

First thing you need to do is to choose which authManager you want to use either the PhpManager or DBManager but i would advise you use DBManager reason being that, it is what i use

If you are using the Yii2 Basic template, add the following lines of code under components in web.php

'authManager' => [
                'class' => 'yii\rbac\DbManager',
                'defaultRoles' => ['guest'],
 ],

If Yii2 Advanced template, add the lines of code below under components in main.php inside the \common\config folder

Having done the said above steps,

  • Run yii migrate --migrationPath=@yii/rbac/migrations from the command line

The above code will generate/create the four tables that was earlier listed automatically inside the database for you

To create your RBAC Rules.

This requires you creating permissions and roles.

For basic template,

  • Create a file and name it RbacController.php inside commands folder

See http://pastebin.com/RAKpZX2J to see how it looks like

For Advanced template, - Create same file but instead it will be inside console\controllers\RbacController.php

Having done all these,

  • Run yii rbac/init //This willl run the actionInit() inside the RbacController file

if you successfully created all said above, the you can do something like this to know if a user has permission

if(Yii::$app->user->can('createUser')){

}

I hope this helps..

1
votes

I'm struggling also with this. All I could figure out until now, that $params['post'] is absolutely not working for me. I have no clue where-what should I define in order to make it work. But what I could figure out based on the post of Joel Small, that if I'm doing simply so (I want to simply deny access to an update form in case of some circumstances regarding the state of model):

app\rbac\ZnwRule.php:

namespace app\rbac;

use yii\rbac\Rule;
use app\models\Znw;

class ZnwRule extends Rule {

    public function execute($user, $item, $params) {
        $znw = Znw::findOne(\Yii::$app->request->get('id'));
        return $znw->created_by || $znw->zwz_id == 0 || !$znw->created_at ? false : true;
    }
}

and then in ZnwController:

public function actionUpdatezd($id) {
    if (\Yii::$app->user->can('updatezd')) {
    ...
    } else {
        throw new \yii\web\ForbiddenHttpException('Sorry, you are not allowed to do that.');
    }

I have defined in yii2-admin that I have a rule:

name: ZnwRule

class: app\rbac\ZnwRule

and I have created a permission called updatezd:

name: updatezd

rule: ZnwRule

I have started my app with a main Controller where I'm checking if the route is allowed in yii2-admin or not for a certain role, and all other controllers extend this one. Now that I had to deal with permissions and rules, I had to add the route also to the permission. I'm sure it can be easier accomplished, but at least it seems to be working so far. It's not much, but I hope it helps to some extents.

0
votes

If you require simple role-check, you can extend the AccessRule class to accommodate new roles without delving into a full blown Role Based Access Control. Check this tutorial for complete details: Simpler Role Based Authorization in Yii 2.0

This is the easiest way I have discovered to understand, implement and maintain roles, however you will trade-off the extensive flexibility provided by full RBAC for simplicity.

Full disclosure: I am the author of the blog post.

0
votes

See the authorization guide. You may have missed assigning the rule in AuthManager, perhaps?

$auth = Yii::$app->authManager;
$rule = new \app\rbac\EncoderRule; // <- add here
$auth->add($rule);

$encodedByAuthor = $auth->createPermission('encodedByAuthor');
$encodedByAuthor->ruleName = $rule->name; // <- assign here
$auth->add($encodedByAuthor);
...