
I am building up a dynamic RBAC system for Yii and I don't know how to handle this problem:

The moderators can change the roles of the Users, furthermore the User can change it too by getting a different qualification (let's say achievement, so s/he can do more stuff and it can happen both ways).

What happens when the role is changed backwards (to a role with fewer rights) or forwards (to a role with more rights) while s/he is logged in? Can s/he not access the functions s/he just got the right to use? Or can s/he still access the functions until a logout/relogin action?

Thanks for your help in advance.

notsoogood

1 Answer


The effect of changing the authorization assignment will be immediate.

Only the successive calls to IWebUser::checkAccess() issued in the same request may return cached values, since the default implementation of IWebUser, i.e. CWebUser, uses a static attribute to cache the calculated permissions.

To clarify the procedure, you will be calling IAuthManager::revoke() on the old permissions and IAuthManager::assign() on the new ones.

Edit

Sometimes you store session information through the IWebUser::setState() method; if the state of the currently logged-in user shall change along with the permissions, e.g. you store the current user's role name, you must take this into account and either call IWebUser::clearState() or IWebUser::logout() followed by IWebUser::login(); the latter also clears the cached permissions in the CWebUser implementation.

CWebUser::_access is declared private, so you will have to declare a new attribute if you want to override the default implementation.

clapas
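As an added example (not code from the original answer or from the Yii project), this is how the revoke/assign procedure and the per-request cache caveat above can be carried out in Yii 1.1; the role names, the `roleName` state key and the `updatePost` operation are assumed, and the `$allowCaching` argument of CWebUser::checkAccess() is used to bypass the private `$_access` cache inside the same request.

```php
<?php
// Added example, not part of the original answer. Assumes Yii 1.1 with
// Yii::app()->authManager set to a CDbAuthManager and Yii::app()->user a CWebUser.
// Role names ('member', 'moderator'), the 'roleName' session state key and the
// 'updatePost' operation are constructed for this example.

function changeUserRole($userId, $newRole)
{
    $auth = Yii::app()->authManager;

    // Revoke every assignment the user currently holds, so a downgrade really
    // removes rights instead of leaving the old role next to the new one.
    foreach ($auth->getAuthAssignments($userId) as $itemName => $assignment) {
        $auth->revoke($itemName, $userId);
    }

    // Persist the new assignment. It is visible to every later request at once;
    // only checkAccess() calls already cached in this request can be stale.
    $auth->assign($newRole, $userId);

    // If the affected user is the one currently logged in, drop session state
    // that mirrors the old permissions (setState() with the default value
    // removes the key) so nothing keeps authorizing on the old role name.
    $user = Yii::app()->user;
    if (!$user->isGuest && (string) $user->id === (string) $userId) {
        $user->setState('roleName', null);
    }
}

// Usage inside a controller action after a moderator demotes a user.
// Passing $allowCaching = false makes CWebUser re-ask the auth manager instead
// of returning the value cached earlier in this same request.
function demoteAndRecheck($userId)
{
    changeUserRole($userId, 'member');

    $user = Yii::app()->user;
    if (!$user->isGuest && (string) $user->id === (string) $userId) {
        return $user->checkAccess('updatePost', array(), false);
    }
    // Other users' permissions are re-evaluated from the database on their next request.
    return Yii::app()->authManager->checkAccess('updatePost', $userId);
}
```

For a full reset of the cache inside one request, the logout()/login() pair named in the answer remains the alternative, since `$_access` itself is private and cannot be cleared from outside.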