Yii
Viktor Yanyshev, 2018-02-23 21:03:36

Why doesn't it work or how to use a rule to allow RBAC?

There is a rule to check if the user can edit, delete, etc. Now it turns out that the moderator's entry can be edited by a regular user who does not have commentUpdate|Delete, but only commentOwnUpdate|Delete. Using:

if (Yii::$app->user->can('commentUpdate', ['user_id' => Yii::$app->user->id])) {
    // user: true
    // moderator: true
    // anyone else: false
}

Now in the controller:

// requires: use yii\filters\AccessControl;
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'allow' => true,
                    'actions' => ['update', 'delete'],
                    'roles' => ['commentUpdate', 'commentDelete'],
                    'roleParams' => ['user_id' => Yii::$app->user->id]
                ]
            ]
        ],
    ];
}

But a normal user can still execute the methods.

UPD: it should be 'roleParams' => ['user_id' => $model->user_id], not 'roleParams' => ['user_id' => Yii::$app->user->id].
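As an added example that is not part of the original post: the ownership rule the question relies on, next to the access rule with the UPD fix applied through a roleParams closure (supported since Yii 2.0.12), so the rule receives the owner of the record being edited rather than the current user. The names Comment, app\models\Comment, user_id, OwnerRule and the request parameter id are assumptions; the permission names come from the question.

```php
<?php
// Added example, not code from the original post; Comment, user_id and
// OwnerRule are assumed names, the permission names come from the question.
use Yii;
use yii\filters\AccessControl;
use yii\rbac\Rule;
use yii\web\Controller;
use yii\web\NotFoundHttpException;
use app\models\Comment;

// commentOwnUpdate/commentOwnDelete carry this rule and have commentUpdate/
// commentDelete as children. Regular users are assigned the Own* permission,
// moderators get commentUpdate/commentDelete directly and never hit the rule.
class OwnerRule extends Rule
{
    public $name = 'isOwner';

    // $user is the id being checked, $params is the roleParams array.
    public function execute($user, $item, $params)
    {
        return isset($params['user_id']) && (int) $params['user_id'] === (int) $user;
    }
}

class CommentController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [[
                    'allow' => true,
                    'actions' => ['update', 'delete'],
                    'roles' => ['commentUpdate', 'commentDelete'],
                    // The question passed Yii::$app->user->id here, so isOwner
                    // compared the current user with itself and always passed.
                    // The closure loads the record only when the rule is evaluated.
                    'roleParams' => function ($rule) {
                        $model = Comment::findOne(Yii::$app->request->get('id'));
                        if ($model === null) {
                            throw new NotFoundHttpException('Comment not found.');
                        }
                        return ['user_id' => $model->user_id];
                    },
                ]],
            ],
        ];
    }
}
```

With this in place the access check fails for a regular user opening someone else's comment, because the owner id passed to the rule no longer equals the caller's id.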

1 answer(s)
Dmitry, 2018-02-23
@slo_nik

Good evening.
And you're not confusing anything, are you?
AccessControl is one thing, RBAC is another.
Maybe it would be more correct to do the check in the controller, inside the action (for example):

public function actionUpdate()
{
    if (\Yii::$app->user->can('createPost')) {
        // update post
    }
}
