What is the reason for having authorization rules in the database?

Tags: php, roles, yii, rbac

In my Yii application, I want my authorization hierarchy and business rules to be written in code and I want my users, roles and permissions to be stored in the database. This separates my business logic (which should be code) from the information it should use (which should be data). It appears that Yii does not support this.

In Yii you have the option of either putting your business logic into files (CPhpAuthManager) or into the database (CDbAuthManager). Either way, you are treating your business logic as data; Yii will actually retrieve your business logic as strings and then run it via an eval, which seems like a terrible way to do this.

What is the reason for this?

How can I achieve the outcome I want?

Kieran Andrews asked Mar 07 '12 07:03



2 Answers

You can put as much logic as you want into your PHP code for your business logic. Yii supports many ways of adding this logic, e.g. LoginForm.php, UserIdentity.php, SiteController.php, ... you are not limited here.

What Yii also supports is adding a snippet of logic to your RBAC. A common use case is that you assign the two rules 'Authenticated' and 'Guest' to all users of your site by default, but with bizRules. While 'Authenticated' has a bizRule like

return !Yii::app()->user->isGuest;

'Guest' has

return Yii::app()->user->isGuest;

The outcome is that your logged-in users are no longer 'Guests' but 'Authenticated'. Another example would be edit views for user profiles, which are only editable by the current user, like

return $model->id === Yii::app()->user->id;

schmunk answered Oct 07 '22 07:10


Why would you put anything in a database vs code?

One good reason is so that non-developers can edit it.

In our app, we allow users to manage their permissions on their own users and items.

You don't have to use Yii's RBAC business rules. You could allow, say, a few different roles and tasks, and have the rest of the auth logic in code.

Neil McGuigan answered Oct 07 '22 09:10
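One way to get the split the question asks for, along the lines of the second answer: roles and assignments stay in the database via a bizRule-free CDbAuthManager, and the business rules live in code as closures. This is an added example, not code from the question or either answer; the class name CodeRuleWebUser, the operations 'updateProfile' and 'deletePost', the $params keys 'model' and 'post' and the 'moderator' role are assumed names, and closures require PHP 5.3 or later.

```php
<?php
// Added example (not from the question or answers): role data in the DB,
// business rules in code. CodeRuleWebUser, 'updateProfile', 'deletePost',
// the $params keys and the 'moderator' role are hypothetical names.
class CodeRuleWebUser extends CWebUser
{
    // Rules are plain PHP closures, never strings handed to eval().
    // Each receives the current user id and the $params given to checkAccess().
    private function rules()
    {
        return array(
            // only the profile owner may edit it
            'updateProfile' => function ($userId, array $params) {
                return isset($params['model'])
                    && (int)$params['model']->id === (int)$userId;
            },
            // the author, or anyone the DB says holds 'moderator', may delete a post
            'deletePost' => function ($userId, array $params) {
                $auth = Yii::app()->getAuthManager();
                return isset($params['post'])
                    && ((int)$params['post']->author_id === (int)$userId
                        || $auth->checkAccess('moderator', $userId));
            },
        );
    }

    public function checkAccess($operation, $params = array(), $allowCaching = true)
    {
        if ($this->isGuest) {
            return false;                               // deny anonymous users by default
        }
        // 1) the DB hierarchy (roles -> tasks -> operations) must grant the operation ...
        if (!parent::checkAccess($operation, $params, false)) {
            return false;
        }
        // 2) ... and the code-side rule for that operation, if one exists, must agree.
        $rules = $this->rules();
        if (isset($rules[$operation])) {
            return (bool)call_user_func($rules[$operation], $this->id, $params);
        }
        return true;
    }
}

// config/main.php fragment (assumed): plug the class in next to a plain CDbAuthManager.
// 'components' => array(
//     'user'        => array('class' => 'CodeRuleWebUser'),
//     'authManager' => array('class' => 'CDbAuthManager', 'connectionID' => 'db'),
// ),
// In a controller:
// if (!Yii::app()->user->checkAccess('updateProfile', array('model' => $model)))
//     throw new CHttpException(403, 'Forbidden');
```

Because the rule closures are ordinary code, they are version-controlled and reviewed with the rest of the application, while the DB rows only ever say which user holds which role.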