
Saturday 1 August 2015

Role-Based Access Control (RBAC)



Role-Based Access Control (RBAC) provides a simple yet powerful centralized access control.

Using RBAC involves two parts of work. The first part is to build up the RBAC authorization data, and the second part is to use that authorization data to perform access checks in the places where they are needed.

Basic Concepts

A role represents a collection of permissions (e.g. creating posts, updating posts). A role may be assigned to one or multiple users. To check if a user has a specified permission, we may check whether the user is assigned a role that contains that permission.

Associated with each role or permission, there may be a rule. A rule represents a piece of code that will be executed during access check to determine if the corresponding role or permission applies to the current user. For example, the “update post” permission may have a rule that checks if the current user is the post creator. During access checking, if the user is NOT the post creator, he/she will be considered not to have the “update post” permission.


Yii2 Lesson RBAC Part I
Yii2 Lesson RBAC Part II


Implementing role-based access control is a very easy process, and you can even load your roles from the database if you want.

Creating necessary tables in the database



drop table if exists `auth_assignment`;
drop table if exists `auth_item_child`;
drop table if exists `auth_item`;
drop table if exists `auth_rule`;

create table `auth_rule`
(
`name` varchar(64) not null,
`data` text,
`created_at` integer,
`updated_at` integer,
primary key (`name`)
) engine InnoDB;

create table `auth_item`
(
`name` varchar(64) not null,
`type` integer not null,
`description` text,
`rule_name` varchar(64),
`data` text,
`created_at` integer,
`updated_at` integer,
primary key (`name`),
foreign key (`rule_name`) references `auth_rule` (`name`) on delete set null on update cascade,
key `type` (`type`)
) engine InnoDB;

create table `auth_item_child`
(
`parent` varchar(64) not null,
`child` varchar(64) not null,
primary key (`parent`, `child`),
foreign key (`parent`) references `auth_item` (`name`) on delete cascade on update cascade,
foreign key (`child`) references `auth_item` (`name`) on delete cascade on update cascade
) engine InnoDB;

create table `auth_assignment`
(
`item_name` varchar(64) not null,
`user_id` varchar(64) not null,
`created_at` integer,
primary key (`item_name`, `user_id`),
foreign key (`item_name`) references `auth_item` (`name`) on delete cascade on update cascade
) engine InnoDB;



Setting up the config file


This is done by adding the following lines to the components section of your config file.


'authManager' => [
    'class' => 'yii\rbac\DbManager',
    'defaultRoles' => ['guest'],
],



Building authorization data is all about the following tasks:

 • defining roles and permissions;
 • establishing relations among roles and permissions;
 • defining rules;
 • associating rules with roles and permissions;
 • assigning roles to users.
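As an added example (not code from the original post), the following two files carry out the five tasks above against the DbManager configured earlier: a rule class, two permissions plus a rule-guarded one, two roles with their child relations, and two assignments. The app\ namespace, the file paths, a Post model with a created_by column, and the user IDs 1 and 2 are assumptions; the rule must live in its own autoloadable file because DbManager serializes it and has to load the class again at check time.

```php
<?php
// File 1: rbac/AuthorRule.php (added example, not the post's code)
namespace app\rbac;
use yii\rbac\Rule;
// Passes only when the current user created the post (assumes $params['post'] has a created_by column).
class AuthorRule extends Rule
{
    public $name = 'isAuthor';
    public function execute($user, $item, $params)
    {
        return isset($params['post']) && $params['post']->created_by == $user;
    }
}
// File 2: commands/RbacController.php (run with: php yii rbac/init)
namespace app\commands;
use Yii;
use app\rbac\AuthorRule;
use yii\console\Controller;
class RbacController extends Controller
{
    public function actionInit()
    {
        $auth = Yii::$app->authManager;
        $auth->removeAll(); // start with empty auth_* tables so the command can be re-run
        // 1. define permissions
        $createPost = $auth->createPermission('createPost');
        $auth->add($createPost);
        $updatePost = $auth->createPermission('updatePost');
        $auth->add($updatePost);
        // 2. define a rule and associate it with a permission
        $rule = new AuthorRule();
        $auth->add($rule);
        $updateOwnPost = $auth->createPermission('updateOwnPost');
        $updateOwnPost->ruleName = $rule->name;
        $auth->add($updateOwnPost);
        $auth->addChild($updateOwnPost, $updatePost); // grants updatePost only when the rule passes
        // 3. define roles and the relations among roles and permissions
        $author = $auth->createRole('author');
        $auth->add($author);
        $auth->addChild($author, $createPost);
        $auth->addChild($author, $updateOwnPost);
        $admin = $auth->createRole('admin');
        $auth->add($admin);
        $auth->addChild($admin, $updatePost);
        $auth->addChild($admin, $author); // admin inherits everything author can do
        // 4. assign roles to users (user IDs 1 and 2 are assumed sample values)
        $auth->assign($admin, 1);
        $auth->assign($author, 2);
    }
}
```

Once run, Yii::$app->user->can('updatePost', ['post' => $post]) is true for user 1 unconditionally, and for user 2 only when $post->created_by is 2, because the check walks from updatePost up through updateOwnPost (where the rule runs) to the author role assigned to user 2.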






Security


1. Authentication

Authentication is the act of verifying who a user is, and is the basis of the login process. Typically, authentication uses the combination of an identifier (a username or email address) and a password. The user submits these values through a form, and the application then compares the submitted information against that previously stored (e.g., upon registration).


2. Authorization


Authorization is the process of verifying that a user has enough permission to do something.

Yii provides two authorization methods: Access Control Filter (ACF) and Role-Based Access Control (RBAC).

Yii2 global filter/behavior to force user to authenticate first



You can add a global behavior to your config:

Add the following code below 'components' => [...] (for example, in backend\config\main.php).

This globally redirects guest users to the login page in every controller:


'as beforeRequest' => [
    'class' => 'yii\filters\AccessControl',
    'rules' => [
        [
            // matched by action ID in any controller, so 'login' and 'error' stay reachable for guests
            'actions' => ['login', 'error'],
            'allow' => true,
        ],
        [
            // every other action requires an authenticated user ('@');
            // guests match no rule and are sent to the login URL by AccessControl
            'allow' => true,
            'roles' => ['@'],
        ],
    ],
],



Redirect to login for guest users in every controller


// Yii 2 form (Yii::$app, not Yii 1's Yii::app())
if (Yii::$app->user->isGuest) {
    // not logged-in user
} else {
    // logged-in user
}


Examples

// Yii 2 form: beforeAction() receives the action and must return a boolean
public function beforeAction($action)
{
    if (!parent::beforeAction($action)) {
        return false;
    }
    if (Yii::$app->user->isGuest) {
        Yii::$app->response->redirect(['user/login'])->send();
        return false; // stop the requested action from running
    }
    // code right here runs only for a validated (logged-in) user
    return true;
}



// Inside a controller action (the action name is not given on the page; actionIndex is assumed)
public function actionIndex()
{
    if (Yii::$app->user->isGuest) {
        return $this->redirect(['site/login']);
    }
    return $this->render('index');
}



