Yii
hostadmin, 2019-01-04 23:13:59

How to resolve through RBAC the setting of rights depending on the selected "entity"?

I can't figure out how to properly use RBAC for this situation (and whether it should be used here at all).
Let me give you an example of work.
The service is divided into two conditional "Cabinets" - for Buyers and for Sellers (Directors and Employees of the company).
There is a "Companies" database, various entities are associated with companies - "Categories", "Products", etc.
Each company has a Director (who has access to the Sellers' interface and can manage the entire company: edit products, categories, etc.) and Employees (who have access to the Sellers' interface and can only do what the Director has authorized). Only Buyers who have been granted access by a Director or an Employee may access the Company's data.
At the same time, the same user can be in different companies in different roles (in one as a Director, in another as an Employee, in a third as a Buyer), and even within the same Company a user can hold the roles of Director/Employee and Buyer at the same time.
It turns out that the main decision about which roles a user has is made at the Company level. The user selects a Company from the list of those he has access to and, depending on the selected company, receives certain rights.
All users are stored in a common users table and are linked to companies through the users2company intermediate table.
How is it best to organize the rights in such a scheme?
PS. The system is built on Yii2, but I think that the principle of RBAC in Yii2 and Laravel is quite similar.

2 answer(s)
Ivan Shumov, 2019-01-04
@inoise

It's called bizRule), i.e. a custom handler bound to a Permission.
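The "custom handler bound to a Permission" from the answer above, worked through in Yii2 terms as an added example (this is not code from the answer or from the Yii project). In Yii2 the handler is a `yii\rbac\Rule` whose `execute()` receives the `$params` passed to `can()`, so the company can be supplied at check time instead of being baked into an assignment. Assumptions: a `users2company` table with columns `user_id`, `company_id`, `role` (values `director`, `employee`, `buyer`), a `Product` model with a `company` relation, and the class, item and rule names used here. The three classes go in separate files in a real app.

```php
<?php
// Added example (not code from the answer or from Yii): company-scoped RBAC
// rule. Schema, class and item names are assumptions.

namespace app\rbac;

use Yii;
use yii\db\Query;
use yii\rbac\Rule;
use app\models\Product;            // assumed model with a `company` relation

/**
 * Passes when the user being checked holds $required role in the company
 * given as $params['company']. The authManager serialises the rule into
 * auth_rule, so only plain public properties (name, required) are used.
 */
class CompanyRoleRule extends Rule
{
    public $name = 'companyRole';
    public $required = 'director';

    public function execute($user, $item, $params)
    {
        // Fail closed: a call site that forgot to pass the company is denied.
        if (empty($params['company'])) {
            return false;
        }
        $companyId = is_object($params['company'])
            ? (int) $params['company']->id
            : (int) $params['company'];

        return (new Query())
            ->from('users2company')
            ->where([
                'user_id'    => $user,          // Yii passes the user ID here
                'company_id' => $companyId,
                'role'       => $this->required,
            ])
            ->exists();
    }
}

/** One-time setup, e.g. from a console command or migration. */
class RbacInit
{
    public static function run()
    {
        $auth = Yii::$app->authManager;

        $isDirector = new CompanyRoleRule(['name' => 'isDirectorOf', 'required' => 'director']);
        $auth->add($isDirector);

        $manageProducts = $auth->createPermission('manageProducts');
        $manageProducts->description = 'Edit products of the company passed in params';
        $manageProducts->ruleName    = $isDirector->name;
        $auth->add($manageProducts);

        // checkAccess() only reaches the rule if the permission is reachable from
        // something the user holds. The per-company decision lives entirely in the
        // rule, so hang the permission on a role every authenticated user holds
        // implicitly: set 'defaultRoles' => ['member'] on the authManager component.
        $member = $auth->createRole('member');
        $auth->add($member);
        $auth->addChild($member, $manageProducts);
    }
}

/** Controller side: the company comes from the resource, not from the session. */
class ProductController extends \yii\web\Controller
{
    public function actionUpdate($id)
    {
        $product = Product::findOne($id);
        if ($product === null) {
            throw new \yii\web\NotFoundHttpException();
        }
        // Pass the company that owns this product. Using the "selected company"
        // stored in the session instead would let a director of company A edit
        // products of company B simply by changing $id.
        if (!Yii::$app->user->can('manageProducts', ['company' => $product->company])) {
            throw new \yii\web\ForbiddenHttpException('Not a director of this company');
        }
        // ... load POST data and save $product
    }
}
```

A second rule instance (`name => 'isEmployeeOf', required => 'employee'`) attached to a narrower permission covers employees; what an employee was actually granted by the director would be a further lookup inside that rule, against whatever table stores those grants. The important property is that every `can()` call names the company explicitly and the rule denies when it is missing.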

jazzus, 2019-01-05
@jazzus

I don't know how much my experience will help. I'm just learning myself) but I did this:
3 tables: roles, perms, role_perms. We connect roles and perms through many-to-many.
We write the rules in AuthServiceProvider, like so:

Gate::define('CREATE_PRODUCT', function ($user) {
    return $user->canDo(3);
});

For each permission, or automate it.
In the User model, we make a check:

public function canDo($perm_id)
{
    foreach ($this->roles as $role) {
        foreach ($role->perms as $perm) {
            if ($perm_id == $perm->id) {
                return true;
            }
        }
    }
    return false; // no role of this user carries the permission
}

Now connecting the Gate to the controller can be done before executing the method:

if (Gate::denies('CREATE_PRODUCT')) {
    abort(404);
}

And in the template:

@can('CREATE_PRODUCT')
    product creation code
@endcan

That's all. You can also restrict it in routes (via middleware, it's simple). What else? Assigning roles in controllers is easy, like so:

if ($user->isDirector() and $company->type('it')) {
    $user->roles()->attach($id);
}

attach makes an entry in the intermediate table.
type is a method on companies that looks up an array of types.
isDirector is a method on the user, of the form:

public function isDirector()
{
    // true when one of the user's roles is named 'director'
    return $this->roles()->where('name', 'director')->exists();
}

Or get the role through its name:

public function getRole($name)
{
    return $this->roles()->where('name', $name);
}

But it's better (for me) to keep a list of roles in the User model (as constants) and search by id, not by name (I did this).
As for different roles per company: you can link company roles and users and get the rights with a call like

$user->company($id)->roles();
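The Gate approach from the answer above, extended as an added example (not code from the answer or from Laravel) so that the company is part of the ability check: the closure receives the company as its second argument, which is what lets one user be a director in one company and a buyer in another. Assumptions: a `users2company` pivot with `user_id`, `company_id`, `role` (`director`, `employee`, `buyer`), a `company_grants` table (`company_id`, `user_id`, `ability`) holding what a director granted an employee, and the class, route and ability names used here. The classes go in their usual separate files in a real app.

```php
<?php
// Added example (not code from the answer or from Laravel): Gate abilities
// that take the company as an argument. Schema and names are assumptions.

use Illuminate\Database\Eloquent\Model;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Gate;

// app/Models/Company.php
class Company extends Model
{
    protected $table = 'companies';
}

// app/Models/User.php
class User extends Authenticatable
{
    public function companies()
    {
        return $this->belongsToMany(Company::class, 'users2company')->withPivot('role');
    }

    // 'director' | 'employee' | 'buyer' | null (not a member of that company)
    public function roleIn(Company $company): ?string
    {
        $row = $this->companies()->where('companies.id', $company->id)->first();
        return $row ? $row->pivot->role : null;
    }

    // Employees may only do what a director of that company granted them.
    public function grantedIn(Company $company, string $ability): bool
    {
        return DB::table('company_grants')->where([
            'company_id' => $company->id,
            'user_id'    => $this->id,
            'ability'    => $ability,
        ])->exists();
    }
}

// app/Providers/AuthServiceProvider.php
class AuthServiceProvider extends \Illuminate\Foundation\Support\Providers\AuthServiceProvider
{
    public function boot()
    {
        // The Gate only runs the closure for authenticated users, so guests are
        // denied without any code here. Membership is re-read per company.
        Gate::define('create-product', function (User $user, Company $company) {
            $role = $user->roleIn($company);
            return $role === 'director'
                || ($role === 'employee' && $user->grantedIn($company, 'create-product'));
        });

        // Any member, buyers included, may read the company's data.
        Gate::define('view-company', function (User $user, Company $company) {
            return $user->roleIn($company) !== null;
        });
    }
}

// routes/web.php: {company} is route-model-bound, so the can: middleware
// receives the Company instance, not just an id.
// Route::post('/companies/{company}/products', [ProductController::class, 'store'])
//     ->middleware(['auth', 'can:create-product,company']);

// app/Http/Controllers/ProductController.php
class ProductController extends \App\Http\Controllers\Controller
{
    public function store(\Illuminate\Http\Request $request, Company $company)
    {
        // Authorize against the company in the URL, never against a "selected
        // company" kept in the session: otherwise a director of company A could
        // create products in company B by changing the id in the request.
        $this->authorize('create-product', $company);   // 403 on failure
        // ... create the product under $company
    }
}

// Blade: @can('create-product', $company) ... @endcan
```

Two differences from the answer's version are deliberate: a denied check returns 403 rather than 404, since hiding the resource does not stop a write, and the company is always the one that owns the resource being acted on, so the user's choice of "cabinet" in the UI never widens what they can do.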
