Yii2 yii2mod/yii2-rbac - yii2

I try to understand how it works - no way.
I can only see the routes beginning with /rbac/ ... and some with /gridview/ ... and /dynagrid/ ...
But no route related to my controller actions.
I thought that yii2mod/yii2-rbac worked like RBAC in Yii1, where I had permissions defined and checked in the controller.
When - as before - I insert something like this:
INSERT INTO `auth_item` (`name`, `type`, `description`, `rule_name`, `data`) VALUES ('createCompany', 0, 'createCompany', NULL, 'N;');
and assign it to a user Admin, it appears as a permission and not as a route in the permission view of Admin (rbac/permission/view/Admin).
The readme file did not help me, so how can I use yii2mod/yii2-rbac?

What the yii2mod/yii2-rbac package provides is a web interface; it is not an alternative to the native implementation of RBAC in Yii2:
Yii2-RBAC provides a web interface for advanced access control and includes the following features:
Allows CRUD operations for roles, permissions, rules
Allows to assign multiple roles or permissions to the user
Allows to create console migrations
Integrated with yii2mod/base
The base of this package is Yii2's own RBAC; you can review part of its implementation here (only as an example).
Making a raw INSERT into the auth_item table does not make much sense as a way to understand how the RBAC works. The auth_item table keeps the records of the permissions and/or roles, which are separated by type: 1=Role, 2=Permission.
Once yii2mod/yii2-rbac is installed and configured in your project, you can enter the different options to create roles, permissions and routes and assign them to your users, as indicated:
http://localhost/path/to/index.php?r=rbac/
http://localhost/path/to/index.php?r=rbac/route
http://localhost/path/to/index.php?r=rbac/permission
http://localhost/path/to/index.php?r=rbac/role
http://localhost/path/to/index.php?r=rbac/assignment
or if you have enabled pretty URLs, you may use the following URL:
http://localhost/path/to/index.php/rbac
http://localhost/path/to/index.php/rbac/route
http://localhost/path/to/index.php/rbac/permission
http://localhost/path/to/index.php/rbac/role
http://localhost/path/to/index.php/rbac/assignment
If you want to understand better how the Yii2 RBAC works, you can review it from here.
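As an added example (not part of the answer above or of yii2mod/yii2-rbac), here is the same 'createCompany' permission and 'Admin' role the question inserted by hand, created through Yii2's native RBAC API so that the auth_item types and the auth_assignment row come out right. It assumes a DbManager-backed authManager component and a user with id 1.

```php
<?php
// Console command that sets up the RBAC data the question tried to INSERT by hand.
// Assumes 'authManager' => ['class' => 'yii\rbac\DbManager'] in the app config
// (both console and web) and that the RBAC migrations have been applied.
namespace app\commands;

use Yii;
use yii\console\Controller;

class RbacController extends Controller
{
    public function actionInit()
    {
        $auth = Yii::$app->authManager;
        $auth->removeAll(); // start from empty auth_item / auth_assignment (dev only)

        // Stored as a type=2 row in auth_item: a permission
        $createCompany = $auth->createPermission('createCompany');
        $createCompany->description = 'Create a new company';
        $auth->add($createCompany);

        // Stored as a type=1 row in auth_item: a role, with the permission as its child
        $admin = $auth->createRole('Admin');
        $auth->add($admin);
        $auth->addChild($admin, $createCompany);

        // auth_assignment row: give the role to user id 1 (assumed id)
        $auth->assign($admin, 1);

        $this->stdout("RBAC initialised\n");
    }
}

// In a web controller action the check is made against the permission name;
// the raw auth_item rows are never consulted directly:
//
//   if (!Yii::$app->user->can('createCompany')) {
//       throw new \yii\web\ForbiddenHttpException('Not allowed to create companies.');
//   }
```

Run it with `./yii rbac/init`; afterwards the yii2mod/yii2-rbac screens show the permission under Admin because it was created through the same authManager they read from.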

Related

How i set permission for accesscontrol of mdmsoft/yii2-admin

I created a permission for my system and with this extension others are working fine. As an example, I set a permission for the Page module, then I used the code below
use yii\web\ForbiddenHttpException;

// Deny the action unless the current user holds the 'page_module' permission
if (!\Yii::$app->user->can('page_module')) {
    throw new ForbiddenHttpException("You are not authorized to perform this action.", 403);
}
and it provides me the restriction. I used these lines of code in the extension controller; it restricted access, but it is vulnerable because if I update the extension the code will be removed. And I didn't understand how to extend all controllers and set permissions. If there is another way, it's unknown to me.
Once you have set up the mdmsoft/yii2-admin extension, access is denied to all the routes until you grant it. Rather than hard coding Yii::$app->user->can('permission'), utilize the RBAC, which should be the only reason you installed mdmsoft/yii2-admin.
As Access Setup
Hopefully you're using Yii2's advanced template.
Initially, set up the as access behavior in your frontend/config/main.php:
'as access' => [
    // This access behavior must be in frontend and backend.
    // The 'as access' behavior will interfere with migrations if put in common.
    'class' => 'mdm\admin\components\AccessControl',
    'allowActions' => [
        'site/*', // Allow by default to all.
        'debug/*',
        //'admin/*', // Leave commented out, unless setting up admin roles initially.
        // Allow guests to do:
        'ticket/ticket/index',
    ]
],
Setup RBAC
Go to the admin URL, something like ... app:port/admin
The RBAC hierarchy is like this:
User->Roles->Permissions->Routes
Example
-Joey
--Admin_Role
---- Admin_Permission
-------- app/controller1/*
-------- app/controller2/view
Setup RBAC
First add your routes.
Add your permissions.
Assign routes to your permissions.
Create your roles.
Assign permissions to your roles.
Assign roles to your users.

How remember me is working on Laravel and Yii2?

I have installed two different PHP frameworks, Laravel 5.3 and Yii2 advanced. Both frameworks provide authentication out of the box, which is great.
And both have the checkbox Remember me on the login page.
In Laravel, I have found that there is a remember_token field on the users table which, as per my understanding, is used for the remember me feature.
But there is no such extra field on Yii2's user table.
So, I guess both provide the same feature but work differently. So I want to know how that feature works in both frameworks?
Any help would be appreciated.
Note: I'm asking this because I have one system built with Yii2 and now I'm going to build a new system with Laravel. The new Laravel system will use the same user table as the Yii2 one, meaning the user can log in to both systems with the same credentials.
Thanks,
Parth vora
Yii2 has auth_key (its default name), but you can define your own column name and then declare it in the identity class, which implements yii\web\IdentityInterface, in the function getAuthKey().
The remember me function in Yii 2 (and most php frameworks) makes use of cookie-based login.
From the docs:
getAuthKey() returns a key used to verify cookie-based login. The key is stored in the login cookie and will be later compared with the server-side version to make sure the login cookie is valid.
Yii uses the auth_key field by default. That's probably the same field as Laravel's remember_token.
How it works is as follows:
Login with the remember me field checked.
Yii sets a cookie containing the user's (serialized) id, auth_key and duration (amount of seconds representing the duration of validity for this cookie). In Yii2, the cookie name is specified by the identityCookie array in the config (user component).
All guests' requests are checked for the existence of the cookie; if it exists and is valid, the user is logged in.
That's basically how cookie-based logins work, so I'm assuming that Laravel uses a similar, if not the exact same, implementation.
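As an added example (not from the answer above), a minimal identity class showing the auth_key mechanics that the cookie-based remember-me login depends on: the key is generated once per user row, put into the identity cookie by getAuthKey(), and checked server-side by validateAuthKey(). It assumes a `user` table with id and auth_key columns and an app\models namespace.

```php
<?php
// Identity class for Yii2's cookie-based login. Table and column names are assumptions.
namespace app\models;

use Yii;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;

class User extends ActiveRecord implements IdentityInterface
{
    public static function tableName() { return '{{%user}}'; }

    // Called with the id that Yii reads back out of the identity cookie
    public static function findIdentity($id)
    {
        return static::findOne($id);
    }

    public static function findIdentityByAccessToken($token, $type = null)
    {
        return null; // token-based API login is not used here
    }

    public function getId() { return $this->id; }

    // Value stored in the identity cookie next to the id and duration
    public function getAuthKey() { return $this->auth_key; }

    // Server-side check of the cookie's key; constant-time compare avoids timing leaks
    public function validateAuthKey($authKey)
    {
        return Yii::$app->security->compareString($this->auth_key, (string) $authKey);
    }

    // Generate the key once, when the row is first inserted
    public function beforeSave($insert)
    {
        if ($insert && empty($this->auth_key)) {
            $this->auth_key = Yii::$app->security->generateRandomString(32);
        }
        return parent::beforeSave($insert);
    }
}

// Login call: duration 0 = session only; 30 days = identity cookie is written.
// Requires 'enableAutoLogin' => true on the user component; identityCookie names the cookie.
//   Yii::$app->user->login($user, $rememberMe ? 30 * 24 * 3600 : 0);
```

Because validateAuthKey() compares against the stored column, regenerating auth_key (for example on password change) invalidates every outstanding remember-me cookie for that user at once.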

Use built-in rbac or build own?

Following scenario:
I have a multi-tenant web application in Yii2's advanced template.
This application has three portals:
- backend
- dashboard
- frontend
Each portal has its own user table for authentication.
(- frontend_user,
- dashboard_user,
- backend_user)
Frontend and dashboard can be reached with the tenant's name at the end, e.g.:
When a user tries to log in to the dashboard or frontend, I have to check if they have the right to log in.
This happens via a contingency table (e.g. dashboard_user_tenant).
Now I want to build an RBAC for the dashboard application.
But roles should not hang on the dashboard user but on dashboard_user_tenant (the contingency table),
because rights can change in each tenant's dashboard.
Yii2 has its own RBAC system, but as I understand it so far, it doesn't fit my needs.
Any chance to customize Yii2's RBAC, or is it better to build my own custom solution? Maybe my own component?
I hope my description is clear enough :)
I had a similar desire in one of my projects, but I didn't create my own full RBAC system; instead I overrode the way of checking for the roles.
In my User component class, I extend \yii\web\User and also override the can() function of that class. That lets me use my own way of checking for the appropriate permissions. For example:
<?php
namespace app\modules\users\models;

use Yii;
use yii\web\User as WebUser;
use app\modules\users\models\UserPermissionManager;

class User extends WebUser
{
    // Replaces Yii's RBAC lookup with a custom permission check
    public function can($operation, $params = [], $allowCaching = true)
    {
        // This class is the user component itself, so ask it directly
        if ($this->getIsGuest()) {
            return false;
        }
        return (new UserPermissionManager())->has($operation);
    }
}
In the UserPermissionManager class, it queries a database table that is full of permissions such as "users:access", "users:edit", etc.
They all have a certain user level assigned to them, which relates to the user level I have set in my Users database table.
All the can() function needs to do is return true or false, depending on whether this user has the permission to do what is being asked. You can handle this however you like, really.
It's quite a big system to explain fully in one post, but I hope it's helped slightly; feel free to let me know if I can explain anything any better!
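Applying the can() override from the answer above to the question's own setup, as an added example (not the answerer's code): permissions are resolved through the dashboard_user_tenant contingency table for the tenant of the current request, so the same user can hold different rights in different tenants. The role/permission tables, column names and the way tenantId is populated are all assumptions.

```php
<?php
// Tenant-aware user component. Assumed tables:
//   dashboard_user_tenant(id, dashboard_user_id, tenant_id)       -- from the question
//   dashboard_user_tenant_role(dashboard_user_tenant_id, role)    -- assumed
//   role_permission(role, permission)                             -- assumed
namespace app\components;

use yii\db\Query;
use yii\web\User as WebUser;

class TenantUser extends WebUser
{
    /** @var int|null tenant resolved from the URL; assumed to be set by a bootstrap class or filter */
    public $tenantId;

    public function can($permissionName, $params = [], $allowCaching = true)
    {
        // Guests, and requests with no resolved tenant, never get a permission
        if ($this->getIsGuest() || $this->tenantId === null) {
            return false;
        }

        // Rights hang on the user-tenant link row, not on the user itself
        $link = (new Query())
            ->select('id')
            ->from('dashboard_user_tenant')
            ->where(['dashboard_user_id' => $this->getId(), 'tenant_id' => $this->tenantId])
            ->one();
        if ($link === false) {
            return false; // user is not a member of this tenant at all
        }

        // Does any role attached to that link carry the requested permission?
        return (new Query())
            ->from('dashboard_user_tenant_role t')
            ->innerJoin('role_permission rp', 'rp.role = t.role')
            ->where(['t.dashboard_user_tenant_id' => $link['id'], 'rp.permission' => $permissionName])
            ->exists();
    }
}

// Wire it in the dashboard app config (identityClass is an assumption):
//   'user' => ['class' => 'app\components\TenantUser', 'identityClass' => 'app\models\DashboardUser'],
```

Existing controller code keeps calling Yii::$app->user->can('...') unchanged; only the lookup behind it becomes tenant-scoped.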

Activiti engine integration with custom user & group data tables

My company has its own database and it contains user and group tables. I am creating a workflow manager using the Activiti API; I am also using Activiti-REST. I need to fetch user data and group data from my company's database instead of using ACT_ID_USER and ACT_ID_GROUP. I searched through the internet and posted in their forum but I didn't get any sensible answers.
In the forum they suggest using LDAP, but I don't have LDAP.
I went through the Activiti source. Can I just modify its iBATIS mapping files related to ACT_ID_USER? Will it work? Or is there any better approach? Also the activiti-rest API must work according to our own tables.
Please can someone show some good references regarding this.
You have to implement the interface org.activiti.engine.impl.interceptor.SessionFactory and return the appropriate type of org.activiti.engine.impl.interceptor.Session (org.activiti.engine.impl.persistence.entity.UserIdentityManager.class or org.activiti.engine.impl.persistence.entity.GroupIdentityManager.class); then you have to create your own User/Group Manager (usually extending org.activiti.engine.impl.persistence.entity.UserEntityManager or org.activiti.engine.impl.persistence.entity.GroupEntityManager).
Finally you have to register your custom Session Factories on your processEngineConfiguration. More info (a little outdated, because in 5.13 the session types changed) is available on this blog post.

Cake ACLs with Groups and Users added to Projects

I'm currently working on a platform which is planned to coordinate the communication with customers in the future. Users can be added to projects and have certain rights. Therefore users are assigned to different user roles (admin/manager/member/viewer). Admins can view all projects and are allowed to add other users to a project. If a user (e.g. role: member) is added to a project, he will have certain rights (depending on the role); if not, he is not allowed to access the project at all.
I'm using Cake's ACL Component and everything is working great when I disregard whether a user is added to a project or not. The only solution I can think of is not to grant rights on the group level, but on the user level when an admin adds a user to the project.
Is there an easier way to solve this issue? Otherwise I'm afraid that the code would become totally confusing.
There is another way (I don't really know if it's easier; it depends on your point of view). The ACL component only helps you to create roles, but you need role and project-access management, right?
What I do in these cases:
Create a Project_Permission table in your database (give it a better name, I'm lacking imagination). Depending on your project, create the associations: a user can be related to many projects and a project can have many users accessing it. If you are following the Cake conventions (and your tables are named users and projects) and it doesn't interfere with what you already have, the table should be
PROJECTS_USERS
id
project_id
user_id
created and modified //if you want to
Create appropriate actions where the admin (or other type of user, that's up to you) can add users to projects and save that many-to-many association in the previously created table.
Since the authorization for the project does not come from the ACL component, you have to create an "authorization" function yourself. I recommend putting this in the beforeFilter() function of the AppController (if you don't have an AppController, you'll have to do it in every controller you want this to work in). In this function, check if the logged-in user is in the existing table and has an association with the project. Something like:
function beforeFilter() {
    parent::beforeFilter();
    // let's assume you have the project id somewhere, in a global variable like $this->_projectID
    $user = $this->Session->read('Auth.User.id');
    // look for a project row that is linked to the logged-in user
    $project = $this->Project->find('first', array(
        'conditions' => array('Project.id' => $this->_projectID, 'User.id' => $user)
    ));
    if (!empty($project)) {
        // the user has permission to see the project
    } else {
        // he doesn't
    }
}
It's difficult to give actual code because I'm not sure of your model associations, nor where you want the code, or whether you have the variables needed for this available everywhere, but I hope you get the idea. After that it's just a matter of how you want to handle the restriction of access (normally a flash message and a redirection are involved).
I hope this is clear enough :S