I am trying to implement RBAC in my project by following the tutorial on the Yii website. However, I am confused when trying to implement the permissions by group.
For this example I have added a group field into the user table and have defined two groups, user (2) and admin (1).
I then created a console command which looks like this:
<?php

use yii\console\Controller;

class RbacController extends Controller
{
    public function actionInit()
    {
        $auth = \Yii::$app->authManager;
        $rule = new \app\rbac\UserGroupRule;
        $auth->add($rule);

        // permission with the rule attached
        $search = $auth->createPermission('search');
        $search->description = 'Search';
        $search->ruleName = $rule->name;
        $auth->add($search);

        // roles with the same rule attached
        $user = $auth->createRole('user');
        $user->ruleName = $rule->name;
        $auth->add($user);

        $admin = $auth->createRole('admin');
        $admin->ruleName = $rule->name;
        $auth->add($admin);
        $auth->addChild($admin, $user);
    }
}
And I have this file: rbac/UserGroupRule.php
<?php
namespace app\rbac;

use Yii;
use yii\rbac\Rule;

class UserGroupRule extends Rule
{
    public $name = 'userGroup';

    public function execute($user, $item, $params)
    {
        // return true; // force return to true for test
        if (!Yii::$app->user->isGuest) {
            $group = Yii::$app->user->identity->group;
            if ($item->name === 'search') {
                return $group == 1;
            }
            return false;
        }
        return false; // guests never pass
    }
}
I'm trying to test the permission with if(\Yii::$app->user->can('search')).
Firstly, I wonder why the console command is required here as I can't see where it's being used.
The $item parameter in the execute method has the value of search, but the tutorial shows that it expects this value to be a role type.
Regardless of what I return in the execute method, it seems to return false.
Can anyone answer these questions?
I guess you have an authManager with DbManager?
'authManager' => [
    'class' => 'yii\rbac\DbManager',
],
To init the rbac from the console just use yii rbac/init in a console (in the correct project dir); then the database entries are done (before that the rbac tables should be empty).
If you haven't done it yet, create the tables with
yii migrate --migrationPath=@yii/rbac/migrations
$item is just the auth permission or role entry. The rule is called for every entry to which you have added a rule. In your case, for the permission "search" and the roles "user" and "admin", the rule is executed.
You have added entries with rule checking. So if you e.g. check whether the user can "search" by
if (\Yii::$app->user->can('search')) {
    // can search
}
then the rule is checked or executed (which is your UserGroupRule). And in your case it would return true for admins and false for users, given by the group field.
edit: I hope you have added this to your components in your config file.
return [
    // ...
    'components' => [
        'authManager' => [
            'class' => 'yii\rbac\DbManager',
        ],
        // ...
    ],
];
You have created 2 roles in your rbac (user/admin) and, as far as I understand, you are using a group column in the User table to allocate those roles to the user. And in your code you will need to check the permissions or roles. So from the DB the correct entry is selected and, if a Rule is attached, this rule is then executed. And this checks the current user group and returns true or false. So in your case no assignments to those roles or permissions are done. It uses the Rule to return true or false depending on the user group. But there are other extensions (search for yii2admin or yii2rbac) where you can also assign users to roles/permissions etc. by database entries.
I would say you should get more help where you can "chat" e.g. the yii chat which is linked on the yii homepage.
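The following is an added example, not code from the question, the answer, or the Yii tutorial. It shows the check flow the answer describes end to end, with no database: yii\rbac\PhpManager is pointed at temporary files, the rule is attached to the roles rather than to the permission, the permission is hung below the user role, and the roles are listed as defaultRoles so the rule decides membership per group without any assignment rows. The group lookup table, the user ids 10 and 20, the temporary directory, and the buildAuth() helper are all assumptions made here; in a real application the rule reads Yii::$app->user->identity->group, whereas here it reads the id that checkAccess() receives.

```php
<?php
// Added example; assumes a Yii 2 install with Composer autoloading.
require __DIR__ . '/vendor/autoload.php';
require __DIR__ . '/vendor/yiisoft/yii2/Yii.php';

use yii\rbac\PhpManager;
use yii\rbac\Rule;

// Constructed stand-in for the `group` column of the user table
// (1 = admin, 2 = user, as in the question). Keyed by user id.
const USER_GROUPS = [
    10 => 1, // admin
    20 => 2, // ordinary user
];

class UserGroupRule extends Rule
{
    public $name = 'userGroup';

    public function execute($user, $item, $params)
    {
        // $item is whichever auth item this rule is attached to (a role here).
        $group = USER_GROUPS[$user] ?? null; // null = guest / unknown user
        if ($group === null) {
            return false;
        }
        if ($item->name === 'admin') {
            return $group == 1;
        }
        if ($item->name === 'user') {
            return $group == 1 || $group == 2; // admins count as users too
        }
        return false;
    }
}

function buildAuth(): PhpManager
{
    // Temporary files instead of the DbManager tables (assumed location).
    $dir = sys_get_temp_dir() . '/rbac-demo-' . uniqid();
    mkdir($dir);
    $auth = new PhpManager([
        'itemFile'       => "$dir/items.php",
        'assignmentFile' => "$dir/assignments.php",
        'ruleFile'       => "$dir/rules.php",
        // Default roles are tried for every user that has no assignment row;
        // the attached rule then decides membership from the group.
        'defaultRoles'   => ['user', 'admin'],
    ]);

    $rule = new UserGroupRule();
    $auth->add($rule);

    // The permission itself carries no rule...
    $search = $auth->createPermission('search');
    $search->description = 'Search';
    $auth->add($search);

    // ...the roles do, and the permission hangs below the user role.
    $user = $auth->createRole('user');
    $user->ruleName = $rule->name;
    $auth->add($user);
    $auth->addChild($user, $search);

    $admin = $auth->createRole('admin');
    $admin->ruleName = $rule->name;
    $auth->add($admin);
    $auth->addChild($admin, $user);

    return $auth;
}

$auth = buildAuth();
// Yii::$app->user->can('search') ends up calling checkAccess() with the
// current user's id, so the same call is made here directly.
foreach ([[10, 'admin (group 1)'], [20, 'user (group 2)'], [null, 'guest']] as [$id, $label]) {
    $ok = $auth->checkAccess($id, 'search') ? 'yes' : 'no';
    echo str_pad($label, 18) . " can search: $ok\n";
}
```

When checkAccess(10, 'search') runs, the manager first finds the search item (no rule, so it passes), sees it is neither assigned nor a default role, and walks up to its parent role user; there the rule fires with $item->name === 'user' and the user's group, and because user is a default role the check succeeds. The guest never reaches that point because the rule returns false for an unknown id. This is why a permission that is neither assigned to the user nor reachable from an assigned or default role comes back false no matter what its rule returns.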