
Following scenario:

I have a multi-tenant web application built on Yii2's advanced template.

This application has three portals:
- backend
- dashboard
- frontend

Each portal has its own user table for authentication:
- frontend_user
- dashboard_user
- backend_user

Frontend and dashboard can be reached with the tenant's name at the end, e.g.:

When a user tries to log in to the dashboard or frontend I have to check whether they have the right to log in. This happens via a contingency table (e.g. dashboard_user_tenant).

Now I want to build RBAC for the dashboard application.

But roles should not hang off the dashboard user but off dashboard_user_tenant (the contingency table), because rights can differ in each tenant's dashboard.

Yii2 has its own RBAC system, but as I understand it so far, it doesn't fit my needs.

Is there any chance to customize Yii2's RBAC, or is it better to build my own custom solution? Maybe my own component?

I hope my description is clear enough :)

Sarah West

1 Answer


I had a similar desire in one of my projects, but I didn't create my own full RBAC system; instead I overrode the way of checking for the roles.

In my User component class, I extend \yii\web\User and also override the can() function of that class. That lets me use my own way of checking for the appropriate permissions. For example:

<?php

namespace app\modules\users\models;

use Yii;
use yii\web\User as WebUser;

use app\modules\users\models\UserPermissionManager;

class User extends WebUser
{
    // Same signature as yii\web\User::can(), so every existing
    // Yii::$app->user->can('...') call goes through this check instead.
    public function can($operation, $params = [], $allowCaching = true)
    {
        // Guests never get a permission; $this is the user component itself.
        if ($this->isGuest) {
            return false;
        }

        // Delegate to our own permission lookup instead of Yii's RBAC.
        return (new UserPermissionManager())->has($operation);
    }
}

The UserPermissionManager class queries a database table that is full of permissions such as "users:access", "users:edit", etc.

They all have a certain user level assigned to them, which relates to the user level I have set in my Users database table.

All the can() function needs to do is return true or false, depending on whether this user has permission to do what is being asked. You can handle this however you like, really.

It's quite a big system to explain fully in one post but I hope it's helped slightly, feel free to let me know if I can explain anything any better!

Lynch
  • Thanks for your answer! I think I have to go a similar way. It's a good idea to overwrite the 'can'-function. – Sarah West Oct 15 '15 at 14:18
  • No worries, I find it really useful because it lets you determine whether users can access pages using whatever method you want! Feel free to let me know if you need anything else! – Lynch Oct 15 '15 at 14:44
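Added example, not code from the question or the answer: Lynch's can() override applied to the asker's layout, where the role sits on the user/tenant link row rather than on the user. The table and column names (dashboard_user_tenant with user_id, tenant_id, role; dashboard_role_permission with role, permission) and the Yii::$app->params['tenantId'] slot holding the tenant resolved from the URL are assumptions.

```php
<?php
// Added example (not from the question or answer). Assumed schema:
//   dashboard_user_tenant(user_id, tenant_id, role)
//   dashboard_role_permission(role, permission)
// The current tenant is assumed to be resolved earlier in the request
// and stored in Yii::$app->params['tenantId'].
namespace app\components;

use Yii;
use yii\db\Query;
use yii\web\User as WebUser;

class TenantUser extends WebUser
{
    /** @var array<string,bool> per-request cache, "tenant:permission" => granted */
    private $granted = [];

    public function can($permissionName, $params = [], $allowCaching = true)
    {
        if ($this->isGuest) {
            return false;
        }
        $tenantId = isset(Yii::$app->params['tenantId']) ? Yii::$app->params['tenantId'] : null;
        if ($tenantId === null) {
            // No tenant context: deny instead of falling back to any global role.
            return false;
        }
        $key = $tenantId . ':' . $permissionName;
        if ($allowCaching && array_key_exists($key, $this->granted)) {
            return $this->granted[$key];
        }
        // The role is read from the link row, so the same user can hold
        // different rights in different tenants' dashboards.
        $role = (new Query())
            ->select('role')
            ->from('dashboard_user_tenant')
            ->where(['user_id' => $this->id, 'tenant_id' => $tenantId])
            ->scalar();   // false when the user is not a member of this tenant
        $allowed = $role !== false && (new Query())
            ->from('dashboard_role_permission')
            ->where(['role' => $role, 'permission' => $permissionName])
            ->exists();
        if ($allowCaching) {
            $this->granted[$key] = $allowed;
        }
        return $allowed;
    }
}
```

Register it as the 'user' component in the dashboard application's config ('class' => app\components\TenantUser::class); existing AccessControl rules and Yii::$app->user->can() calls then check the tenant-scoped role automatically.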