Merged RBAC draft into authorization

78af586c · Alexander Makarov · cf73f40d · 78af586c · 78af586c · cf73f40d
Commit 78af586c authored Nov 25, 2013 by Alexander Makarov
Hide whitespace changes
Inline Side-by-side

Showing with 114 additions and 126 deletions

authorization.md docs/guide/authorization.md +114 -3

index.md docs/guide/index.md +0 -1

rbac.md docs/guide/rbac.md +0 -122

No files found.
--- a/docs/guide/authorization.md
+++ b/docs/guide/authorization.md
@@ -77,15 +77,126 @@ Role based access control is very flexible approach to controlling access that i
 where permissions are customizable.

 In order to start using it some extra steps are required. First of all we need to configure `authManager` application
-component:
+component in application config file (`web.php` or `main.php` depending on template you've used):

 ```php
+'authManager' => [
+    'class' => 'app\components\PhpManager',
+    'defaultRoles' => ['guest'],
+],
+```
+
+Often use role is stored in the same database table as other user data. In this case we may defined it by creating our
+own component (`app/components/PhpManager.php`):
+
+```php
+<?php
+namespace app\components;
+
+use Yii;

+class PhpManager extends \yii\rbac\PhpManager
+{
+    public function init()
+    {
+        parent::init();
+        if (!Yii::$app->user->isGuest) {
+            // we suppose that user's role is stored in identity
+            $this->assign(Yii::$app->user->identity->id, Yii::$app->user->identity->role);
+        }
+    }
+}
 ```

-Then create permissions hierarchy.
+Then create permissions hierarchy in `@app/data/rbac.php`:
+
+```php
+<?php
+use yii\rbac\Item;
+
+return [
+    // HERE ARE YOUR MANAGEMENT TASKS
+    'manageThing0' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
+    'manageThing1' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
+    'manageThing2' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
+    'manageThing2' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
+
+    // AND THE ROLES
+    'guest' => [
+        'type' => Item::TYPE_ROLE,
+        'description' => 'Guest',
+        'bizRule' => NULL,
+        'data' => NULL
+    ],
+
+    'user' => [
+        'type' => Item::TYPE_ROLE,
+        'description' => 'User',
+        'children' => [
+            'guest',
+            'manageThing0', // User can edit thing0
+        ],
+        'bizRule' => 'return !Yii::$app->user->isGuest;',
+        'data' => NULL
+    ],
+
+    'moderator' => [
+        'type' => Item::TYPE_ROLE,
+        'description' => 'Moderator',
+        'children' => [
+            'user',         // Can manage all that user can
+            'manageThing1', // and also thing1
+        ],
+        'bizRule' => NULL,
+        'data' => NULL
+    ],
+
+    'admin' => [
+        'type' => Item::TYPE_ROLE,
+        'description' => 'Admin',
+        'children' => [
+            'moderator',    // can do all the stuff that moderator can
+            'manageThing2', // and also manage thing2
+        ],
+        'bizRule' => NULL,
+        'data' => NULL
+    ],
+
+    'godmode' => [
+        'type' => Item::TYPE_ROLE,
+        'description' => 'Super admin',
+        'children' => [
+            'admin',        // can do all that admin can
+            'manageThing3', // and also thing3
+        ],
+        'bizRule' => NULL,
+        'data' => NULL
+    ],
+
+];
+```
+
+Now you can specify roles from RBAC in controller's access control configuration:
+
+```php
+public function behaviors()
+{
+    return [
+        'access' => [
+            'class' => 'yii\web\AccessControl',
+            'except' => ['something'],
+            'rules' => [
+                [
+                    'allow' => true,
+                    'roles' => ['manageThing1'],
+                ],
+            ],
+        ],
+    ];
+}
+```

-Specify roles from RBAC in controller's access control configuration or call [[User::checkAccess()]] where appropriate.
+Another way is to call [[User::checkAccess()]] where appropriate.

 ### How it works


--- a/docs/guide/index.md
+++ b/docs/guide/index.md
@@ -56,7 +56,6 @@ Security and access control
 - [Authorization](authorization.md) - Access control and RBAC
 - [Security](security.md) - Hashing and verifying passwords, encryption
 - [Views security](view.md#security) - how to prevent XSS
- [RBAC](rbac.md) - Role-based Access Control

 Data providers, lists and grids
 ===============================

--- a/docs/guide/rbac.md
+++ b/docs/guide/rbac.md
-Using RBAC
-===========
-
-Lacking proper documentation, this guide is a stub copied from a [topic on the forum](http://www.yiiframework.com/forum/index.php/topic/49104-does-anyone-have-a-working-example-of-rbac/page__view__findpost__p__229098).
-
-
-First af all, you modify your config (web.php or main.php), 
-```php
-'authManager' => [
-    'class' => 'app\components\PhpManager', // THIS IS YOUR AUTH MANAGER
-    'defaultRoles' => ['guest'],
-],
-```
-
-Next, create the manager itself (app/components/PhpManager.php)
-```php
-<?php
-namespace app\components;
-
-use Yii;
-
-class PhpManager extends \yii\rbac\PhpManager
-{
-    public function init()
-    {
-        if ($this->authFile === NULL)
-            $this->authFile = Yii::getAlias('@app/data/rbac') . '.php'; // HERE GOES YOUR RBAC TREE FILE
-
-        parent::init();
-
-        if (!Yii::$app->user->isGuest) {
-            $this->assign(Yii::$app->user->identity->id, Yii::$app->user->identity->role); // we suppose that user's role is stored in identity
-        }
-    }
-}
-```
-
-Now, the rules tree (@app/data/rbac.php):
-```php
-<?php
-use yii\rbac\Item;
-
-return [
-    // HERE ARE YOUR MANAGEMENT TASKS
-    'manageThing0' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
-    'manageThing1' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
-    'manageThing2' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
-    'manageThing2' => ['type' => Item::TYPE_OPERATION, 'description' => '...', 'bizRule' => NULL, 'data' => NULL],
-
-    // AND THE ROLES
-    'guest' => [
-        'type' => Item::TYPE_ROLE,
-        'description' => 'Guest',
-        'bizRule' => NULL,
-        'data' => NULL
-    ],
-
-    'user' => [
-        'type' => Item::TYPE_ROLE,
-        'description' => 'User',
-        'children' => [
-            'guest',
-            'manageThing0', // User can edit thing0
-        ],
-        'bizRule' => 'return !Yii::$app->user->isGuest;',
-        'data' => NULL
-    ],
-
-    'moderator' => [
-        'type' => Item::TYPE_ROLE,
-        'description' => 'Moderator',
-        'children' => [
-            'user',         // Can manage all that user can
-            'manageThing1', // and also thing1
-        ],
-        'bizRule' => NULL,
-        'data' => NULL
-    ],
-
-    'admin' => [
-        'type' => Item::TYPE_ROLE,
-        'description' => 'Admin',
-        'children' => [
-            'moderator',    // can do all the stuff that moderator can
-            'manageThing2', // and also manage thing2
-        ],
-        'bizRule' => NULL,
-        'data' => NULL
-    ],
-
-    'godmode' => [
-        'type' => Item::TYPE_ROLE,
-        'description' => 'Super admin',
-        'children' => [
-            'admin',        // can do all that admin can
-            'manageThing3', // and also thing3
-        ],
-        'bizRule' => NULL,
-        'data' => NULL
-    ],
-
-];
-```
-
-As a result, you can now add access control filters to controllers
-```php
-public function behaviors()
-{
-    return [
-        'access' => [
-            'class' => 'yii\web\AccessControl',
-            'except' => ['something'],            
-            'rules' => [
-                [
-                    'allow' => true,
-                    'roles' => ['manageThing1'],
-                ],
-            ],
-        ],
-    ];
-}
-```