
I have installed yii2mod/yii2-rbac from this url - https://github.com/yii2mod/yii2-rbac in yii2-basic.

Everything is working fine except for using/allowing owner data.

From this link: https://www.yiiframework.com/doc/guide/2.0/en/security-authorization I have created a folder `rbac` in the root and a file `AuthorRule.php` with this code:

```php
<?php
namespace app\rbac;

use yii\rbac\Item;
use yii\rbac\Rule;

//use app\models\Post;

/**
 * Checks if authorID matches user passed via params
 */
class AuthorRule extends Rule
{
    /**
     * @var string
     */
    public $name = 'isAuthor';

    /**
     * @param string|int $user the user ID.
     * @param Item $item the role or permission that this rule is associated with
     * @param array $params parameters passed to ManagerInterface::checkAccess().
     * @return bool a value indicating whether the rule permits the role or permission it is associated with.
     */
    public function execute($user, $item, $params)
    {
        // Deny by default: without a 'post' parameter there is nothing to compare against.
        return isset($params['post']) ? $params['post']->createdBy == $user : false;
    }
}
```

But when I try to add the rule to the permission (either `AuthorRule` or `isAuthor`) under the permission I created, `updateOwnRecord`, I get the error that the rule doesn't exist.

What am I missing here?

  • Have you modified your configs like it was said? After you installed yii2-rbac, have you run the migrations? – Serghei Leonenco Sep 04 '19 at 03:58
  • Have you created that schema and added rules and roles? – Muhammad Omer Aslam Sep 04 '19 at 05:47
  • Hi Omer - yes, I have created the schema and roles, and it is working fine except, as I said, I am not able to make it work for view/update own records. I think after adding the rbac folder in the site root, I need to add something in config to include the rbac folder like we do for components and modules. – Joshi Sep 04 '19 at 07:26
  • Hi Omer - I have also tried this: created a folder `myweb` in vendors and added `rbac/AuthorRule.php` with the same contents, but still, when I try to add `AuthorRule` in the permission, it is not picking it up. – Joshi Sep 04 '19 at 10:53
  • Are you trying to control that a user should be able to delete its own records only? You might have to create a **`Rule`** class that extends `yii\rbac\Rule`; see this [article](https://www.yiiframework.com/doc/guide/2.0/en/security-authorization#using-rules) that might help you out. Go on and follow the instructions, and if you get stuck, update your question with the new info. – Muhammad Omer Aslam Sep 04 '19 at 18:33
  • Hi Omer - I have pasted exactly that rule you are referring to in my question. The only thing I am missing is where and how I extend it. I mean, where should I place that rule? I tried placing it by creating a folder `myweb` in vendor, and in that folder `rbac` and the file `AuthorRule.php`, but it looks like that is not the correct way to do it. – Joshi Sep 04 '19 at 18:57
  • Earlier I tried the same by creating the folder `rbac` in the site root. – Joshi Sep 04 '19 at 18:58
  • OOPS! I totally overlooked it. Where is the code for adding the rule? – Muhammad Omer Aslam Sep 04 '19 at 19:47
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/198967/discussion-between-joshi-and-muhammad-omer-aslam). – Joshi Sep 04 '19 at 19:50
  • Were you able to solve the problem, or are you still stuck somewhere? – Muhammad Omer Aslam Sep 20 '19 at 11:19
  • Can you mark the answer as correct if it worked for you? – Muhammad Omer Aslam Sep 30 '19 at 06:42
  • Hi Omer - it did help, but what worked for me is completely different from your answer. I am just stuck with some work; I will post the answer step by step. – Joshi Sep 30 '19 at 20:02

1 Answer


> But when I try to add the rule to the permission (either `AuthorRule` or `isAuthor`) under the permission I created, `updateOwnRecord`, I get the error that the rule doesn't exist.

Not sure where you are getting the error you mentioned, as there is no relevant code, but looking at your details I reckon you haven't understood the process correctly.

  • Create a permission `updatePost` in the `auth_item` table.
  • Add the `AuthorRule` class's serialized instance to the `auth_rule` table.
  • Create a new permission `updateOwnPost` and specify the rule name, i.e. `isAuthor`.
  • Add the permission `updatePost` as a child of `updateOwnPost` in the `auth_item_child` table.
    • `isAuthor` will be the name of the rule that you supply to the `updateOwnPost` permission's `rule_name` column.
  • Add `updateOwnPost` as a child of the role you want to use the rule for, like `user` or any other role you have created for the standard user.

See the code below; you can run it once via any temporary action for now, we will discuss its place later in the answer.

```php
$auth = Yii::$app->authManager;
$updatePost = $auth->getPermission('updatePost');

// change it to whichever role you want to assign it to, like `user`, `admin` or any other role
$role = $auth->getRole('user');

// add the rule
$rule = new \app\rbac\AuthorRule;
$auth->add($rule);

// add the "updateOwnPost" permission and associate the rule with it.
$updateOwnPost = $auth->createPermission('updateOwnPost');
$updateOwnPost->description = 'Update own post';
$updateOwnPost->ruleName = $rule->name;
$auth->add($updateOwnPost);

// "updateOwnPost" will be used from "updatePost"
$auth->addChild($updateOwnPost, $updatePost);

// allow "author" to update their own posts
$auth->addChild($role, $updateOwnPost);
```

Now, if all goes well, you can add the rule by running the code above.

Remember: you need to check the `updatePost` rule in the `Yii::$app->user->can()` check, and not `updateOwnPost`, and pass the `Post` model instance along as the second parameter.

Like this:

```php
if (\Yii::$app->user->can('updatePost', ['post' => $post])) {
    // update post
}
```

About the code placement in the current application

If you want to have a separate interface where you can add/create all of these with a form, then you can follow the dektrium-rbac code already available, which provides complete CRUD that you can use according to your own requirements.

For the reference see below

Note: if you have a lot of controllers and you want to associate this rule with every update action inside the controllers (given that all the associated models have the `created_by` field), then you might go for a `console\Controller` and run such processes via the console, so that every new controller/update action can be associated with the rule by repeating the above process inside a loop. For the console controller usage in basic-app, see here.

Muhammad Omer Aslam
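The steps listed in the answer as one idempotent console command for yii2-basic; this is an added example, not code from the answer, from the Yii guide or from yii2mod/yii2-rbac. It assumes the `AuthorRule` class from the question lives at `rbac/AuthorRule.php` (namespace `app\rbac`), that the command file is `commands/RbacController.php`, and that `user` is the standard role name.

```php
<?php
// commands/RbacController.php (assumed location in yii2-basic); run once: php yii rbac/init
namespace app\commands;

use Yii;
use yii\console\Controller;
use yii\console\ExitCode;
use app\rbac\AuthorRule;

class RbacController extends Controller
{
    // Builds: role 'user' -> updateOwnPost (rule isAuthor) -> updatePost. Each step is
    // guarded by a lookup, so re-running never throws "already exists" on the RBAC tables.
    public function actionInit()
    {
        $auth = Yii::$app->authManager;
        // 1. Store the rule first: a permission may only reference a rule
        //    already present in auth_rule (otherwise "the rule doesn't exist").
        if (($rule = $auth->getRule('isAuthor')) === null) {
            $auth->add($rule = new AuthorRule());
        }
        // 2. Plain permission, no rule: this is the name checked in controllers.
        if (($updatePost = $auth->getPermission('updatePost')) === null) {
            $updatePost = $auth->createPermission('updatePost');
            $updatePost->description = 'Update any post';
            $auth->add($updatePost);
        }
        // 3. Rule-guarded permission; updatePost becomes its child, so it is
        //    reachable from the role only when AuthorRule::execute() returns true.
        if (($updateOwnPost = $auth->getPermission('updateOwnPost')) === null) {
            $updateOwnPost = $auth->createPermission('updateOwnPost');
            $updateOwnPost->description = 'Update own post';
            $updateOwnPost->ruleName = $rule->name;
            $auth->add($updateOwnPost);
        }
        if (!$auth->hasChild($updateOwnPost, $updatePost)) {
            $auth->addChild($updateOwnPost, $updatePost);
        }
        // 4. Grant the role the guarded permission only; granting updatePost
        //    directly would bypass the ownership rule. ('user' is an assumed role name.)
        if (($role = $auth->getRole('user')) === null) {
            $auth->add($role = $auth->createRole('user'));
        }
        if (!$auth->hasChild($role, $updateOwnPost)) {
            $auth->addChild($role, $updateOwnPost);
        }
        return ExitCode::OK;
    }
}
```

In the update action, call `Yii::$app->user->can('updatePost', ['post' => $model])` and throw `yii\web\ForbiddenHttpException` when it returns false. Because the question's `AuthorRule::execute()` returns false when `post` is absent from `$params`, a check that forgets to pass the model denies rather than grants.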