Yii
bagos, 2020-06-16 10:48:16

RBAC in yii, How to organize rights management for a specific model?

Good afternoon!
In most cases, simply managing roles and permissions to access a controller action is enough.
And here there was a task to establish the rights to specific records of entities. For example, let's take the post entity (simplify to id, name). It is required to set 3 permissions for a certain role:
1. create - create a post
2. update - edit a post
3. delete - delete a post

If for 1 (create) we create the permission module.controller.create and assign it to the role, then for update and delete you need to specify the particular posts that the role is allowed to edit or delete.

For myself, I came up with a couple of options for solving the problem. Those who have faced a similar task, please share the idea of your implementation or comment on my options.

1) Create a separate permission (update, delete) for each post, for example module.posts.update.3, module.posts.update.121, module.posts.delete.92. The pluses are the ease of creating permissions, assigning them to a role, and later checking whether the user has the permission. The cons: a huge number of permissions, one per record. This may be normal and not a minus at all, but for some reason I want to see a small number of entries in the roles and permissions table.

2) Create two permissions, module.posts.update and module.posts.delete, assign them to a role when setting permissions, and store an array of roles with the available post ids in the permission's Data field.
The data would look like: [firstRole: [1, 4, 191]]
Then add a rule to the permission, which will be checked. On the plus side, there is no mess in the auth_item table from the number of permissions and their names. On the minus side, the logic feels redundant ("butter oil"): we add the permission to the role, and we also write an array of allowed data for the same role in Data. Plus, for each new role you either have to add the permission immediately, or, when setting the permission for a post, check that the data is in the field, and if the role is not there yet, add a new entry for it.

3) Create an entity that will contain information about roles, permissions, and available records, but it seems to me that this is superfluous and the issue is solved more competently by using the existing RBAC logic.

Thanks in advance
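An added example (not code from the question's author or from the Yii project) showing how option 2 from the question could be wired up with Yii2's built-in RBAC: the permission keeps the allowed post ids per role in its `data` field, a `yii\rbac\Rule` subclass checks them, and a small helper both adds the id to `data` and assigns the permission to the role in one step. The class name, the `post` parameter key, and the `grantPostToRole` helper are assumptions for illustration.

```php
<?php
// Added example, not the poster's code. Names below are assumptions.
namespace app\rbac;

use Yii;
use yii\rbac\Rule;

/**
 * Grants a record-level permission (e.g. module.posts.update) only when the
 * permission's data field lists the post id for one of the user's roles.
 * Expected shape of $item->data: ['firstRole' => [1, 4, 191], 'editor' => [7]]
 */
class PostIdInPermissionDataRule extends Rule
{
    public $name = 'postIdInPermissionData';

    public function execute($user, $item, $params)
    {
        // Fail closed: guest user, missing post parameter or empty data => deny.
        if ($user === null || !isset($params['post'])) {
            return false;
        }
        $post   = $params['post'];
        $postId = (int) (is_object($post) ? $post->id : $post);
        $allowed = is_array($item->data) ? $item->data : [];
        if ($postId <= 0 || $allowed === []) {
            return false;
        }
        // getRolesByUser() returns Role objects keyed by role name.
        foreach (Yii::$app->authManager->getRolesByUser($user) as $roleName => $role) {
            $ids = isset($allowed[$roleName]) && is_array($allowed[$roleName])
                ? array_map('intval', $allowed[$roleName])
                : [];
            if (in_array($postId, $ids, true)) {
                return true;
            }
        }
        return false;
    }
}

/**
 * Allows $roleName to act on $postId under $permissionName.
 * Updates the permission's data and, if missing, the role -> permission link,
 * so a new role never ends up with data but no assignment (or vice versa).
 */
function grantPostToRole(string $permissionName, string $roleName, int $postId): void
{
    $auth       = Yii::$app->authManager;
    $permission = $auth->getPermission($permissionName);
    $role       = $auth->getRole($roleName);
    if ($permission === null || $role === null) {
        throw new \InvalidArgumentException("Unknown permission or role");
    }
    $data = is_array($permission->data) ? $permission->data : [];
    $current = isset($data[$roleName]) && is_array($data[$roleName]) ? $data[$roleName] : [];
    $data[$roleName] = array_values(array_unique(array_merge($current, [$postId])));
    $permission->data = $data;
    $auth->update($permissionName, $permission);

    if (!$auth->hasChild($role, $permission)) {
        $auth->addChild($role, $permission);
    }
}

// One-time setup (e.g. in a console command or migration):
//   $auth = Yii::$app->authManager;
//   $rule = new PostIdInPermissionDataRule();
//   $auth->add($rule);
//   $update = $auth->createPermission('module.posts.update');
//   $update->ruleName = $rule->name;
//   $update->data = [];
//   $auth->add($update);
//   grantPostToRole('module.posts.update', 'firstRole', 191);
//
// In PostController::actionUpdate($id):
//   $post = $this->findModel($id);
//   if (!Yii::$app->user->can('module.posts.update', ['post' => $post])) {
//       throw new \yii\web\ForbiddenHttpException('You are not allowed to edit this post.');
//   }
```

The rule denies by default whenever the `post` parameter is absent, so a `can('module.posts.update')` call without the record cannot accidentally pass; the same rule class can be attached to `module.posts.delete` unchanged. The helper addresses the redundancy mentioned in option 2 by making the assignment and the data update a single operation. Be aware that the whole id list is serialized into one `auth_item` row, so with tens of thousands of posts per role option 2 starts to hit the same scaling problem as option 1, just in a different place.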
