Implement RBAC #24

Closed
qiangxue opened this Issue Mar 25, 2013 · 19 comments


7 participants
Owner

qiangxue commented Mar 25, 2013

No description provided.

qiangxue was assigned Mar 25, 2013

joujou commented Apr 16, 2013

I think that storing PHP code processed with eval should be avoided (CdbAuthManager). That's not good for security. Any code injection could cause serious damage, not only to the app. Eval could run injected code that could harm the whole server. Even php.net warns about eval and recommends not using it.
I think bizrules should be removed.
If special logic has to be processed to check access, we should use class inheritance.
I've found some posts of people saying they use Zend_Acl in Yii because of that problem, which is a pity.

Something nice would be to store a relation between the user table, the authitem table and any other table of the app corresponding to a model.
So it would be possible to store that a given user has a given authItem on a given record of the third table.

Owner

cebe commented Apr 25, 2013

bizrules may be anonymous php functions stored in a config file like it is done with CPhpAuthManager.

Owner

samdark commented Apr 26, 2013

@cebe what if backend isn't a PHP file?

joujou commented Apr 26, 2013

The idea could be to put the code of the bizrule in the method of a class.
checkAccess() would not call executeBizrule() anymore.
checkAccess() could have a parameter which could be the name of a class specific to the app that contains the logic of the bizrule. Then checkAccess() would instantiate that class if given, and call a method of that class with $data as a parameter. That method would return a boolean.

onman commented May 1, 2013

Could adding behaviors to the AuthManager service be an option? The bizrule on an item should then contain the name of a bizrule. This bizrule name should be a method of the AuthManager service (a method of the AuthManager class or a method of a behavior added to the AuthManager service).
Such a method could be of the form bizMyRule. The item would then contain the bizrule 'myRule'.
This way it is also possible to supply commonly used bizrules, like 'my own ...' or 'newest ...'.

Owner

cebe commented May 1, 2013

@samdark you can store anonymous functions in a file and refer to them from db backend by name which may be the array key.
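To make the three proposals above concrete (joujou's objection to eval-ing stored bizrules, and the name-based lookup that cebe and onman suggest instead), here is an added example that is not Yii's code and not code posted by any participant. The names `AuthManager`, `Rule`, `AuthorRule`, `checkAccess()` and the shape of the stored `authitem` row are assumptions for illustration only; the item data is constructed inline.

```php
<?php
declare(strict_types=1);

// Added example (not Yii code). Part 1 reproduces the pattern joujou objects to:
// the rule *text* is stored in the database and executed with eval(), so whoever
// can write that column can execute arbitrary PHP with the application's privileges.
function checkAccessWithEval(string $storedBizrule, array $params): bool
{
    // $params is in scope for the evaluated code, exactly like a stored bizrule.
    return (bool) eval($storedBizrule);
}

// Constructed rule strings as they might sit in an authitem row.
$legitimateRule = 'return isset($params["post"]) && $params["post"]["authorId"] === $params["userId"];';
// A tampered row: the injected statements run before the rule returns.
// (Kept harmless here: it only sets a global flag.)
$tamperedRule = '$GLOBALS["tampered"] = true; return true;';

// Part 2: name-based dispatch. The backend stores only a rule *name*; the rule
// code lives in the application and is registered in a whitelist (cebe's keyed
// closure map and onman's bizMyRule() methods are two ways to populate it).
interface Rule
{
    /** @param array<string,mixed> $params request-time data, e.g. the model row */
    public function execute(int $userId, array $params): bool;
}

// Row-level check in the spirit of joujou's user/authitem/record relation:
// the user may act on this post only if they are its author.
final class AuthorRule implements Rule
{
    public function execute(int $userId, array $params): bool
    {
        return isset($params['post']['authorId'])
            && $params['post']['authorId'] === $userId;
    }
}

final class AuthManager
{
    /** @var array<string, Rule> rule name => rule object (the whitelist) */
    private array $rules = [];

    public function registerRule(string $name, Rule $rule): void
    {
        $this->rules[$name] = $rule;
    }

    /**
     * $itemRule is whatever the backend (DB row, config entry, ...) stores for
     * the item: a name, never code. An unknown name is denied, never evaluated.
     */
    public function checkAccess(int $userId, ?string $itemRule, array $params): bool
    {
        if ($itemRule === null) {
            return true;   // item carries no rule: nothing extra to check
        }
        if (!isset($this->rules[$itemRule])) {
            return false;  // unknown rule name: deny by default
        }
        return $this->rules[$itemRule]->execute($userId, $params);
    }
}

// Usage with constructed data.
$post = ['id' => 7, 'authorId' => 42];

// Part 1: both calls return true, but the second one also ran attacker code.
checkAccessWithEval($legitimateRule, ['post' => $post, 'userId' => 42]);
checkAccessWithEval($tamperedRule, ['post' => $post, 'userId' => 13]);
var_dump(isset($GLOBALS['tampered']));

// Part 2: the same decisions without executing anything from the database.
$am = new AuthManager();
$am->registerRule('isAuthor', new AuthorRule());
var_dump($am->checkAccess(42, 'isAuthor', ['post' => $post]));
var_dump($am->checkAccess(13, 'isAuthor', ['post' => $post]));
// A tampered rule column is now just an unknown string and is denied.
var_dump($am->checkAccess(13, $tamperedRule, ['post' => $post]));
```

In the second part the author (user 42) is granted and user 13 is denied; the tampered string is never executed because it is not a registered name. The difference that matters is where the trust boundary sits: with eval, the database column is code; with name-based dispatch, the column is data that can only select among rules the application shipped.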

Contributor

creocoder commented May 7, 2013

@qiangxue Are you working on this already or not yet?

Owner

qiangxue commented May 7, 2013

Nope. Only issues labelled as "under development" are being worked on.

Contributor

creocoder commented May 9, 2013

@qiangxue I'm starting to work on this. ETA: up to a week, maybe less.

Owner

qiangxue commented May 9, 2013

Cool. Would be great if you could check whether there are other enhancement requests in our forum and take this chance to improve RBAC.

Contributor

creocoder commented May 9, 2013

@qiangxue I'll implement the base version first, then check the forum for possible improvements.

Owner

samdark commented May 9, 2013

Contributor

creocoder commented May 9, 2013

Done for preview.

Contributor

creocoder commented May 10, 2013

@qiangxue Where should we put the needed *.sql files? Under the yii/rbac directory?

Owner

qiangxue commented May 10, 2013

yii/rbac is fine.

qiangxue closed this May 21, 2013

Contributor

schmunk42 commented Jul 3, 2013

Where should we put the needed *.sql files? Under the yii/rbac directory?

The database should be created via migrations in the end. A simple execute($sql) would be fine. But where should we store this migration?

Owner

cebe commented Jul 3, 2013

Do we want to force people to use migrations?
If not, it would be fine if we provide an SQL file, and everyone who wants to use migrations can apply the SQL file inside a migration.

Contributor

creocoder commented Jul 3, 2013

@cebe I'm sure NOT.

Contributor

schmunk42 commented Jul 3, 2013

If not, it would be fine if we provide an SQL file, and everyone who wants to use migrations can apply the SQL file inside a migration.

May I create a PR with a migration which executes the SQL files according to the DB connection in use?
If it is placed in the same directory, that directory could be registered as a migration "module" (speaking in EMigrateCommand terms) for the advanced app in the end.

@samdark samdark pushed a commit that referenced this issue Sep 26, 2014

@qiansen1386 qiansen1386 Merge pull request #24 from funson86/patch-1
Update start-installation.md
688e61a

@cuileon cuileon pushed a commit to yiichina/yii2 that referenced this issue Mar 2, 2016

@shi-yang shi-yang Merge pull request #24 from hobartwang/patch-2
Fix sentence coherence and improve readability
b7980bc