
RBAC: Separate storage into assignments and permissions/roles

Open machour opened this issue 4 years ago • 3 comments

Motivation (see https://github.com/yiisoft/rbac/issues/49)

In yii/yii2 it always bothered me that the 3 entities assignment, role and permission are all stored in the same backend: it's either all PHP or all DB.

But in my experience it would be much more convenient to split these up and even make it a bit more flexible:

  • Roles and permissions to me are semi-static. They only change if you write a new controller or action or modify other parts of your app. So they are strongly coupled to your app code. That's why I prefer to also hardcode them in PHP, e.g. in an array structure in a file or in a class (instead of calling $manager->addPermission(), which feels unnecessarily tedious)

  • Assignments are dynamic data. They are different for each instance of the app, depend on the user base and can frequently change. There's usually an admin UI to manage them. They are perfect to be stored in DB just like the user table.

Implementation can be backported from here: https://github.com/yiisoft/rbac/pull/70

Adding this feature request as under discussion since I'm not sure if we still can add new features to Yii2.

This has been bothering me for a while too, and I'd love to see it land in the next Yii2 release.

machour avatar Oct 03 '21 15:10 machour
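
The split proposed in this issue, as an added example (not code from Yii2 or yiisoft/rbac): roles and permissions are a PHP array kept with the app code, assignments are database rows, and the check fails closed when a stored assignment names an item the code no longer defines. The item names, the `auth_assignment` table layout and the function names are assumptions made for illustration.

```php
<?php
// Semi-static: roles and permissions defined in code (constructed sample names).
const RBAC_ITEMS = [
    'admin'      => ['editor', 'deleteUser'],
    'editor'     => ['viewPost', 'updatePost'],
    'viewPost'   => [], 'updatePost' => [], 'deleteUser' => [],
];

// Dynamic: assignments stored in a database (in-memory SQLite for the demo).
function createAssignmentStore(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE auth_assignment (user_id TEXT, item_name TEXT, PRIMARY KEY (user_id, item_name))');
    return $pdo;
}

function assign(PDO $pdo, string $userId, string $item): void
{
    if (!array_key_exists($item, RBAC_ITEMS)) {
        throw new InvalidArgumentException("Unknown RBAC item: $item");
    }
    $pdo->prepare('INSERT OR IGNORE INTO auth_assignment VALUES (?, ?)')->execute([$userId, $item]);
}

function userCan(PDO $pdo, string $userId, string $permission): bool
{
    $stmt = $pdo->prepare('SELECT item_name FROM auth_assignment WHERE user_id = ?');
    $stmt->execute([$userId]);
    $queue = $stmt->fetchAll(PDO::FETCH_COLUMN);
    $seen = [];
    while ($queue) {
        $item = array_shift($queue);
        // Fail closed: a stored row naming an item removed from code grants nothing.
        if (isset($seen[$item]) || !array_key_exists($item, RBAC_ITEMS)) {
            continue;
        }
        $seen[$item] = true;
        if ($item === $permission) {
            return true;
        }
        $queue = array_merge($queue, RBAC_ITEMS[$item]);
    }
    return false;
}

$pdo = createAssignmentStore();
assign($pdo, 'alice', 'editor');
$pdo->exec("INSERT INTO auth_assignment VALUES ('bob', 'legacyAdmin')"); // constructed stale row
var_dump(userCan($pdo, 'alice', 'updatePost'), userCan($pdo, 'alice', 'deleteUser'), userCan($pdo, 'bob', 'deleteUser'));
```

Here alice reaches `updatePost` through `editor` but not `deleteUser`, and bob's leftover `legacyAdmin` row grants nothing because that role is not defined in code.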

I would love to see that implemented. If it won't require some big refactoring we could put it under enhancement label. Otherwise I think @samdark says no :)

bizley avatar Oct 03 '21 17:10 bizley

It may go as enhancement. See how it's implemented in https://github.com/yiisoft/rbac/pull/70. Should not require too many changes.

samdark avatar Oct 03 '21 17:10 samdark

A powerful way to define roles is using a class. That allows adding additional functionality:

  • role name translation
  • additional control over the rights to assign a role
  • grouping

Real example:

<?php

namespace d3modules\lietvediba\accessRights;

use CompanyRights\components\UserRoleInterface;
use Yii;
use yii2d3\d3persons\accessRights\D3personsUserFullUserRole;

class LietvedibaContractFullUserRole implements UserRoleInterface
{

    public const NAME = 'LietvedibaContractFull';
    public const GROUP_NAME = 'Contracts';

    /**
     * @inheritdoc
     */
    public function getType(): string
    {
        return self::TYPE_COMPANY;
    }

    public function getGroupLabel(): string
    {
        return Yii::t('d3lietvediba', 'Contracts');
    }

    /**
     * @inheritdoc
     */
    public function getLabel(): string
    {
        return Yii::t('d3lietvediba', 'Full');

    }

    /**
     * @inheritdoc
     */
    public function getName(): string
    {
        return self::NAME;
    }

    /**
     * @inheritdoc
     */
    public function getAssigments(): array
    {
        return [];
    }

    private function can(): bool
    {
        return Yii::$app->user->can(D3personsUserFullUserRole::NAME);
    }

    /**
     * @inheritdoc
     */
    public function canAssign(): bool
    {
        return $this->can();
    }

    /**
     * @inheritdoc
     */
    public function canView(): bool
    {
        return $this->can();
    }

    /**
     * @inheritdoc
     */
    public function canRevoke(): bool
    {
        return $this->can();
    }
}

uldisn avatar Oct 03 '21 17:10 uldisn