Implement RBAC management module #42
Comments
Don't store bizrules inside the DB evaluated with eval().
@joujou any alternatives?
It would be great to have a graphical interface to create roles and capabilities like in Gii.
I agree with rclai about the interface. Rights management is involved in almost every webapp, so it'd be great if the framework could give an easy and powerful way to manage that. It would be sad to have no other way but using an extension to perform such a sensitive task.
This issue IS about the RBAC management GUI interface. The RBAC core is covered by #24. It would be great if you could help summarize the needed features for this module. I expect the underlying RBAC core won't have big changes in design.
A role creator for sure. Given that this is an extended user attribute or property of some sort, how will this connect to the user management that people will develop? Oh, then I suppose the GUI should be able to detect the controllers (and perhaps the module controllers) that are available and link the roles to the controllers?
IMHO, this is how it should work. A Management application that allows an admin to create a role and then do the following to it:
You could include or choose not to include that rights function in your controllers. You could even define some kind of encryption code as a system configuration that obfuscated those rights in the DB for extra protection. I would not be in favor of storing PHP in the tables either, but this approach would give you the same functionality without it. A developer could extend the Rights Management code to customize behavior.
There are NO alternatives. So store.
About the web interface - I like the implementation of access rules in Invision Power Board - rows with modules and columns with CRUD actions.
Of course there are alternatives! I think you haven't searched a lot, creocoder.
@joujou There can be unique bizrules for every user / auth item association. So if not stored in the DB, such file sizes can reach 1, 10, 100 MB. Seems you just do not solve complex RBAC tasks. So bizrules should be stored in the DB as the main variant and yes, storing in files as an alternative variant.
If the RBAC module is to be used by someone who is not 100% reliable, you should not let him directly store expressions in the DB. Instead, you should create a GUI so that he can select some pre-defined expressions. Internally, I don't see an alternative either.
I think bizRules should be split into callbacks and data. So instead of storing code to be executed, you store a class name, a (static) method name and the data that should be passed to that method. This way you know at design time which code will be executed and don't have to rely on your users to provide valid code that you blindly trust. I think this should cover almost all use cases. If there really is someone who wants to give his users the possibility to run their own code, he can still use a callback that simply evals its param.
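The callback-plus-data split proposed in the comment above, worked through as an added example that is not code from this thread or from the yii2 project. It puts the eval()-based bizrule the thread argues against beside the split variant so the difference is concrete. The `PostRules` class, the `RuleRegistry` allow list, the stored rows and the runtime `$params` are all assumptions constructed inline to stand in for what an auth table and a request would supply.

```php
<?php
declare(strict_types=1);

// Added example, not code from this thread or from the yii2 project.
// Contrasts an eval()-based bizrule with the callback + data split
// proposed above. Rows and $params are constructed inline (assumption)
// to stand in for what an auth table and a request would supply.

// --- Variant 1: rule body stored as PHP source and run with eval(). ---
// Whoever can write this column can run arbitrary PHP on the server;
// the stored text decides the outcome, not the application.
function checkWithEval(string $bizrule, array $params): bool
{
    // $params is visible inside eval() because it is a local here.
    return (bool) eval($bizrule);
}

// A legitimate rule and a hostile one: to the database both are just strings.
const LEGIT_RULE   = 'return isset($params["post"]["authorId"], $params["userId"]) && $params["post"]["authorId"] === $params["userId"];';
const HOSTILE_RULE = 'error_log("arbitrary code ran from the bizrule column"); return true;';

// --- Variant 2: store class name, static method name and data. ---
// The set of code that can run is fixed at design time: only classes on
// the allow list, and only public static methods that actually exist.
final class PostRules
{
    /** Grant if the caller owns the post named in $params; $data picks the field. */
    public static function isAuthor(array $data, array $params): bool
    {
        $field = $data['authorField'] ?? 'authorId';
        return isset($params['post'][$field], $params['userId'])
            && $params['post'][$field] === $params['userId'];
    }
}

final class RuleRegistry
{
    /** Classes allowed to act as rule callbacks (hypothetical allow list). */
    private const ALLOWED = [PostRules::class => true];

    /**
     * Evaluate a stored rule {class, method, data} against runtime $params.
     * Anything outside the allow list is refused instead of executed.
     */
    public static function check(array $stored, array $params): bool
    {
        $class  = (string) ($stored['class']  ?? '');
        $method = (string) ($stored['method'] ?? '');
        $data   = is_array($stored['data'] ?? null) ? $stored['data'] : [];

        if (!isset(self::ALLOWED[$class])) {
            throw new UnexpectedValueException("rule class not allowed: $class");
        }
        if (!method_exists($class, $method)) {
            throw new UnexpectedValueException("no such rule method: $class::$method");
        }
        $ref = new ReflectionMethod($class, $method);
        if (!$ref->isStatic() || !$ref->isPublic()) {
            throw new UnexpectedValueException("rule method must be public static: $class::$method");
        }
        return (bool) $class::$method($data, $params);
    }
}

// Constructed rows, as an admin-facing GUI would have written them.
$storedOk  = ['class' => PostRules::class, 'method' => 'isAuthor', 'data' => ['authorField' => 'authorId']];
$storedBad = ['class' => 'SomeAttackerClass', 'method' => 'anything', 'data' => []];

$owner    = ['userId' => 7, 'post' => ['authorId' => 7]];
$nonOwner = ['userId' => 8, 'post' => ['authorId' => 7]];

// eval() variant: the hostile row overrides the decision and runs its side effect.
var_dump(checkWithEval(LEGIT_RULE, $owner));
var_dump(checkWithEval(LEGIT_RULE, $nonOwner));
var_dump(checkWithEval(HOSTILE_RULE, $nonOwner));

// callback variant: the same decisions for the legitimate row, while the
// hostile row is rejected before any of its content can run.
var_dump(RuleRegistry::check($storedOk, $owner));
var_dump(RuleRegistry::check($storedOk, $nonOwner));
try {
    RuleRegistry::check($storedBad, $owner);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

With the split, a row written by an untrusted admin can at most select the wrong rule; it cannot inject code, because only allow-listed classes and their existing public static methods are ever called. One caveat for the `data` column: store it as JSON rather than as `serialize()` output, since `unserialize()` on attacker-writable bytes is itself an object-injection path and would reintroduce the problem the split is meant to remove.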
I probably have a weird view of the GUI, but I really like the idea behind the SRBAC module (we use it in all our projects). Contrary to my case, most people seemed to use the Yii-Rights module for that, and although it has a nice UI, its usability is way off for any serious project with lots of auth items and numerous roles.
The alternative is to create custom classes containing the specific logic. Storing PHP code in the DB processed with eval is an easy but insecure solution. It's like storing a part of the application code in the DB, so why not store whole functions or even the whole application in the DB and process it with eval :)
👍 for joujou. How can we help get this issue resolved soon? There's always something I don't like in third-party modules. And they create more and more. P.S. I would like to make something beautiful, like the debug module or Gii.
@githubjeka I have an idea about using something like http://jsplumb.org/ for it.
Hmm, very interesting at first sight. But it certainly complicates understanding RBAC for some.
IMHO the classic form is better: parent and ancestors, without diagrams; the module has fewer dependencies.
The fact that it's a graph is key to understanding how it works, so I think something like jsplumb is much better than a flat hierarchy.
When there are many relationships, it would be difficult to understand, perhaps.
Nice progress @githubjeka
I use a table for assigning roles to users only. This module is for the others. But no time to update the interface...
I have a PR open #6872; so far it has passed all the unit tests. I don't know what's needed for merging.
How do I install this module for the yii2 advanced template?
And please, how do I execute or run this module? The route. I have prettyUrl, then controller/action.
When I double-click to delete/modify a node I cannot get out of delete mode anymore. Nothing worked.
Hmm.. The CRUD implemented via a form isn't perfect. I don't like it myself. But so far I haven't heard how best to do it.
No man, how can I leave delete mode without deleting anything?
Push white
Great!
Guys this is nice but it looks over-complicated.
Than what?
@nkostadinov any concrete suggestions?
The RBAC system is very flexible but in real life, no one will want to arrange these graphs while setting permissions. My current RBAC implementation has only one group per user and this group holds the permissions (like "yes"/"no") - simple as that. There is no inheritance, no complex graphs ... It's working on a very large scale at one of the biggest telcos in Bulgaria and is doing its job perfectly. I'm currently working on something like this for yii2 but it's not ready yet. The idea is to have a basic user extension, and to add "plugins" implementing different functions. I just like to keep it simple :) Anyway I'm not saying anything bad about this, just discussing here.
Complexity of the RBAC permissions graph depends very much on the nature of the project. If it is about a community and is something like StackOverflow where you're getting more permissions and moving towards the top of the hierarchy depending on your actions, the graph could be quite complex. The RBAC management extension discussed here is able to visualize it nicely so one could get a good overview and fix some bugs. Of course, if you know that a simpler hierarchy is OK for the project and you're quite sure that it's not gonna change, the UI could and should be simplified.
I have one idea - auto-create a migration for every CRUD action.
Yep, that could work.

```php
<?php
use yii\db\Schema;
use yii\db\Migration;

/**
 * Creates the blog RBAC items: a 'manageBlog' permission and an 'admin'
 * role that inherits it.
 */
class m150910_204507_init_blog_rbac extends Migration
{
    public function up()
    {
        $auth = Yii::$app->authManager;

        $manageBlog = $auth->createPermission('manageBlog');
        $manageBlog->description = 'Manage blog';
        $auth->add($manageBlog);

        $admin = $auth->createRole('admin');
        $admin->description = 'Administrator';
        $auth->add($admin);

        // admin inherits manageBlog
        $auth->addChild($admin, $manageBlog);
    }

    public function down()
    {
        // Removes every role, permission, rule and assignment, not only
        // the items this migration created.
        Yii::$app->authManager->removeAll();
    }
}
```
Won't be implemented in the core since it's too flexible to have a universal UI.
How to assign roles to users?