In my Yii application, I want my authorization hierarchy and business rules to be written in code and I want my users, roles and permissions to be stored in the database. This separates my business logic (which should be code) from the information it should use (which should be data). It appears that Yii does not support this.
In Yii you have the option of either putting your business logic into files (CPhpAuthManager) or into the database (CDbAuthManager). Either way, you are treating your business logic as data; Yii will actually retrieve your business logic as strings and then run it via an eval, which seems like a terrible way to do this.
What is the reason for this?
How can I achieve the outcome I want?
You can put as much logic as you want into your PHP code for your business logic. Yii supports many ways of adding this logic, e.g. LoginForm.php, UserIdentity.php, SiteController.php, ... you are not limited here.
What Yii also supports is adding a snippet of logic to your RBAC. A common use case is that you assign the two rules 'Authenticated' and 'Guest' to all users of your site by default, but with bizRules. While 'Authenticated' has a bizRule like
return !Yii::app()->user->isGuest;
'Guest' has
return Yii::app()->user->isGuest;
The outcome is that your logged in users are no longer 'Guests' but 'Authenticated'. Another example would be edit views for user profiles, which are only editable by the current user, like
return $params['model']->id === Yii::app()->user->id;
Why would you put anything in a database vs code?
One good reason is so that non-developers can edit it.
In our app, we allow users to manage their permissions on their own users and items.
You don't have to use Yii's RBAC business rules. You could allow, say, a few different roles and tasks, and have the rest of the auth logic in code.
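One way to get the outcome the question asks for (rules in code, roles and assignments in data), shown here as an added example that is not Yii's own code or API: PHP arrays stand in for the database rows, and the rule column stores only a name that is looked up in a registry kept in source, so nothing read from the database ever reaches eval(). The item and rule names (isOwner, updateOwnProfile, and so on) and the sample users are made up for the example.

```php
<?php
// Rule registry: the only business logic, kept in source control and code-reviewed.
// Rules receive the current user and the $params the caller passes (as with checkAccess()).
$rules = [
    'isAuthenticated' => fn(array $user, array $p): bool => !$user['isGuest'],
    'isGuest'         => fn(array $user, array $p): bool => $user['isGuest'],
    'isOwner'         => fn(array $user, array $p): bool =>
        isset($p['model']) && $p['model']['ownerId'] === $user['id'],
];

// Constructed stand-ins for DB tables. 'rule' holds a registry key or null,
// never PHP source; that is the difference from Yii's eval()'d bizRule column.
$auth = [
    'items' => [
        'guest'            => ['rule' => 'isGuest'],
        'authenticated'    => ['rule' => 'isAuthenticated'],
        'updateOwnProfile' => ['rule' => 'isOwner'],
        'updateProfile'    => ['rule' => null],
    ],
    // parent => children: authenticated -> updateOwnProfile -> updateProfile
    'children'    => ['authenticated' => ['updateOwnProfile'], 'updateOwnProfile' => ['updateProfile']],
    // user id => assigned items
    'assignments' => [7 => ['guest', 'authenticated'], 8 => ['guest', 'authenticated']],
];

// Grants $item if its rule passes and it is assigned directly, or if some ancestor
// grants it; every rule along the path is evaluated, mirroring Yii's hierarchy walk.
function checkAccess(array $user, string $item, array $params, array $rules, array $auth): bool {
    if (!isset($auth['items'][$item])) { return false; }           // unknown item: deny
    $ruleName = $auth['items'][$item]['rule'];
    if ($ruleName !== null) {
        if (!isset($rules[$ruleName])) { return false; }           // unknown rule name: fail closed
        if (!$rules[$ruleName]($user, $params)) { return false; }
    }
    if (in_array($item, $auth['assignments'][$user['id']] ?? [], true)) { return true; }
    foreach ($auth['children'] as $parent => $kids) {
        if (in_array($item, $kids, true) && checkAccess($user, $parent, $params, $rules, $auth)) {
            return true;
        }
    }
    return false;
}

$alice = ['id' => 7, 'isGuest' => false];   // logged-in user, owns profile 7
$bob   = ['id' => 8, 'isGuest' => true];    // request not authenticated
var_dump(checkAccess($alice, 'updateProfile', ['model' => ['ownerId' => 7]], $rules, $auth));
var_dump(checkAccess($alice, 'updateProfile', ['model' => ['ownerId' => 9]], $rules, $auth));
var_dump(checkAccess($bob,   'updateProfile', ['model' => ['ownerId' => 8]], $rules, $auth));
```

Only the first call is granted: the second fails the isOwner rule on updateOwnProfile, and the third fails isAuthenticated even though the row data assigns 'authenticated' to that user.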