I have installed yii2mod/yii2-rbac from this url - https://github.com/yii2mod/yii2-rbac in yii2-basic.
everything is working fine except using/allowing owner data.
from this link:https://www.yiiframework.com/doc/guide/2.0/en/security-authorization
I have created a folder in root rbac and file AuthorRule.php and code:
namespace app\rbac;
use yii\rbac\Rule;
//use app\models\Post;
/**
* Checks if authorID matches user passed via params
*/
class AuthorRule extends Rule
{
/**
* #var string
*/
public $name = 'isAuthor';
/**
* #param string|int $user the user ID.
* #param Item $item the role or permission that this rule is associated with
* #param array $params parameters passed to ManagerInterface::checkAccess().
* #return bool a value indicating whether the rule permits the role or permission it is associated with.
*/
public function execute($user, $item, $params)
{
return isset($params['post']) ? $params['post']->createdBy == $user : false;
}
}
but when I try to add the rule in permission(either AuthorRule or isAuthor under permission I created updateOwnRecord, I am getting the error, the rule doesn't exist.
What I am missing here?
but when I try to add the rule in permission(either AuthorRule or
isAuthor under permission I created updateOwnRecord, I am getting the
error, the rule doesn't exist
Not sure where you are getting the error you mentioned as there is no relevant code, but looking at your details i recon you havent understood the process correctly.
Create a permission updatePost in the auth_item .
Add AuthorRule class's serialized instance to auth_rule table.
Create a new permission updateOwnPostand specify the rule name i.e isAuthor.
Add the permission updatePost as a child to UpdateOwnPost in the auth_item_child table.
the isAuthor will be the name of the rule that you will supply to the updateOwnPost permission's rule_name column.
Add the updatePost as a child of the role you want to use the rule for, like user or anyother you have created for the standard user role.
See the below code you can run it once via any temporary action for now, we will discuss it's place later in the answer below.
$auth = Yii::$app->authManager;
$updatePost = $auth->getPermission('updatePost');
//change it to whichever role you want to assign it like `user` `admin` or any other role
$role = $auth->getRole('user');
// add the rule
$rule = new \app\rbac\AuthorRule;
$auth->add($rule);
// add the "updateOwnPost" permission and associate the rule with it.
$updateOwnPost = $auth->createPermission('updateOwnPost');
$updateOwnPost->description = 'Update own post';
$updateOwnPost->ruleName = $rule->name;
$auth->add($updateOwnPost);
// "updateOwnPost" will be used from "updatePost"
$auth->addChild($updateOwnPost, $updatePost);
// allow "author" to update their own posts
$auth->addChild($role, $updateOwnPost);
Now if all goes well and you can add a rule by running the code above
Remember You need to check the updatePost rule in the check Yii::$app->user->can() and not updateOwnPost and pass the Post model instance along as the second parameter
Like this
if (\Yii::$app->user->can('updatePost', ['post' => $post])) {
// update post
}
About The code Placement in the current application
If you want to have a separate interface where you can add create all with a form then you can follow dektrium-rbac code available already where it provides complete crud that you can use according to your own requirements.
For the reference see below
Add Rule Form
RuleController::actionCreate
RuleModel::create()
Note: if you have a lot of controllers and you want to associate this rule with every update action inside the controllers (Given that all the associated models have the created_by field) then you might go for the console\Controller and run such processes via console, so that every new controller/update can be associated with the rule repeating the above process inside a loop. For the console controller usage in basic-app see here
Related
I'm now working with rbac yii2.
I defined all roles and permissions in database.
Now the question for me is where should I check access rule?
For example author just can update his own posts.
I saved rule in database too as rule_name = 'isAuthor'.
But I am confused about the check condition to access own posts.
Here is my actionRule:
<?php
public function actionRule(){
$auth = Yii::$app->authManager;
$rule = new \app\rbac\AuthorRule;
$auth->add($rule);
$updateMobile = $auth->createPermission('mobile/update');
// add the "updateOwnMobile" permission and associate the rule with it.
$updateOwnMobile = $auth->createPermission('updateOwnMobile');
$author = $auth->createPermission('author');
$updateOwnMobile->description = 'Update own mobile';
$updateOwnMobile->ruleName = $rule->name;
$auth->add($updateOwnMobile);
// "updateOwnMobile" will be used from "updatePost"
$auth->addChild($updateOwnMobile, $updateMobile);
// allow "author" to update their own posts
$auth->addChild($author, $updateOwnMobile);
}
?>
Where and how can I implement that?
in Controller? behavior?
or other places?
In the case of the upated for author own post the check (can('author') method ) should be placed in controller for two reason at least:
You should check not only if the use has role/permission author but also if the owner of the post is the user
Once check if the user can or not perform the related code you must drive the correct response (render the update form if the user can or a access denied message if not)
These are tipically controller/action operations ..
These are just some first suggestions
Ideally you should have a class (extending from Yii\rbac\Rule) associated with the rule. Then implement the execute function that checks whether the user is the author of the post and he has access to update the post.
Something like this:
class SiteRule extends Rule
{
//you can modify this to suit your needs.
public function execute($user, $item, $params)
{
//get user ie: \dektrium\user\models\User::findIdentity($user)
//check if the $user is the author - using defined author or created-by attribute in $params.
//return true/false
}
}
then in your controller/action you can use the CheckAccess() method (yii\rbac\ManagerInterface) to check if user has access:
if(\yii::$app->user->can('author', ['post'=>\Yii::$app->request->post()(or your model]))
{//logic here}
Hi developers I am new to YII , I have installed the YII2 framework and want a RBAC I have installed mdmsoft/yii2-admin module , but I do not know how to create RULE class, where to create it and then how to use. When I create a role in admin section it say , enter a Class Name. I don't know how to create and use the RULE feature of YII. I have attached the screen shot.
If you are using an Advanced template here are the steps;
Create a directory under frontend and rename it rbac
Create a file under this new directory, say, AuthorRule.php. Here is a sample file given in the official docs;
namespace app\rbac;
use yii\rbac\Rule;
use app\models\Post;
/**
* Checks if authorID matches user passed via params
*/
class AuthorRule extends Rule
{
public $name = 'isAuthor';
/**
* #param string|int $user the user ID.
* #param Item $item the role or permission that this rule is associated with
* #param array $params parameters passed to ManagerInterface::checkAccess().
* #return bool a value indicating whether the rule permits the role or permission it is associated with.
*/
public function execute($user, $item, $params)
{
return isset($params['post']) ? $params['post']->createdBy == $user : false;
}
}
Next step is to navigate to http://localhost/path/to/index.php?r=admin/rule and create a new rule with class name \app\rbac\AuthorRule
Finally you can add the new rule to roles and permissions depending on your needs.
You can read the official docs for more information on rules; the official docs.
I'am using CakePhp3 for my website and I have to inject some custom validation logic based on the current user Id when I'am creating or modifying an entity.
The basic case is "Is the user allow to change this field to this new value" ? If' not, I want to raise a validation error (or an unauthorized exception).
In cakephp, for what I'am understanding, most of the application and businness rules must be placed on Models or 'ModelsTable'of the ORM. But, in this classes, the AuthComponent or the current session is not available.
I don't want to call manually a method on the entity from the controller each time I need to check. I would like to use a validator, something like :
$validator->add('protected_data', 'valid', [
'rule' => 'canChangeProtectedData',
'message' => __('You're not able to change this data !'),
'provider' => 'table',
]);
Method on ModelTable :
public function canChangeProtectedData($value, array $context)
{
\Cake\Log\Log::debug("canChangeProtectedData");
// Find logged user, look at the new value, check if he is authorized to do that, return true/false
return false;
}
I cakephp < 3, the AuthComponent have a static method 'AuthComponent::user()' that is not available anymore. So, how Can I do that in CakePhp 3 ?
Thank you for any response.
EDIT - Adding more details
So here are more details. In case of an REST API. I have an edit function of an entity. The "Article" Entity.
This Article has an owner with a foreign key on the column named "user_id" (nothing special here). My users are organized in groups with a leader on the group. Leaders of groups can change article's owner but "basics" users can't do it (but they can edit their own articles). Admin users can edit everything.
So the edit method must be available for any authenticated user, but changing the "user_id" of the entity must be allowed and checked depending the case (if I'am admin yes, if I'am leader yes only if the new Id is one of my group and if I'am basic user no).
I can do this check on the controller but if I want this rule to be checked everywhere in my code where an Article is modified (in another method than the "Edit" of ArticlesController). So for me the Model seems the good place to put it no?
Authentication vs Authorisation
Authentication means identifying an user by credentials, which most of the time boils down to "Is a user logged in".
Authorisation means to check if an user is allowed to do a specific action
So don't mix these two.
You don't want validation you want application rules
Taken from the book:
Validation vs. Application Rules
The CakePHP ORM is unique in that it uses a two-layered approach to
validation.
The first layer is validation. Validation rules are intended to
operate in a stateless way. They are best leveraged to ensure that the
shape, data types and format of data is correct.
The second layer is application rules. Application rules are best
leveraged to check stateful properties of your entities. For example,
validation rules could ensure that an email address is valid, while an
application rule could ensure that the email address is unique.
What you want to implement is complex application logic and more than just a simple validation, so the best way to implement this is as an application rule.
I'm taking a code snippet from one of my articles that explains a similar case. I had to check for a limitation of languages (translations) that can be associated to a model. You can read the whole article here http://florian-kraemer.net/2016/08/complex-application-rules-in-cakephp3/
<?php
namespace App\Model\Rule;
use Cake\Datasource\EntityInterface;
use Cake\ORM\TableRegistry;
use RuntimeException;
class ProfileLanguageLimitRule {
/**
* Performs the check
*
* #link http://php.net/manual/en/language.oop5.magic.php
* #param \Cake\Datasource\EntityInterface $entity Entity.
* #param array $options Options.
* #return bool
*/
public function __invoke(EntityInterface $entity, array $options) {
if (!isset($entity->profile_constraint->amount_of_languages)) {
if (!isset($entity->profile_constraint_id)) {
throw new RuntimeException('Profile Constraint ID is missing!');
}
$languageLimit = $this->_getConstraintFromDB($entity);
} else {
$languageLimit = $entity->profile_constraint->amount_of_languages;
}
// Unlimited languages are represented by -1
if ($languageLimit === -1) {
return true;
}
// -1 Here because the language_id of the profiles table already counts as one language
// So it's always -1 of the constraint value
$count = count($entity->languages);
return $count <= ($languageLimit - 1);
}
/**
* Gets the limitation from the ProfileConstraints Table object.
*
* #param \Cake\Datasource\EntityInterface $entity Entity.
* #return int
*/
protected function _getConstraintFromDB(EntityInterface $entity) {
$constraintsTable = TableRegistry::get('ProfileConstraints');
$constraint = $constraintsTable->find()
->where([
'id' => $entity['profile_constraint_id']
])
->select([
'amount_of_languages'
])
->firstOrFail();
return $constraint->amount_of_languages;
}
}
I think it is pretty self-explaining. Make sure your entities user_id field is not accessible for the "public". Before saving the data, just after the patching add it:
$entity->set('user_id', $this->Auth->user('id'));
If you alter the above snippet and change the profile_constraint_id to user_id or whatever else you have there this should do the job for you.
What you really want is row / field level based authorisation
Guess you can use ACL for that, but I've never ever had the need for field based ACL yet. So I can't give you much input on that, but it was (Cake2) and still is (Cake3) possible. For Cake3 the ACL stuff was moved to a plugin. Technically it is possible to check against anything, DB fields, rows, anything.
You could write a behavior that uses the Model.beforeMarshal event and checks if user_id (or role, or whatever) is present and not empty and then run a check on all fields you want for the given user id or user role using ACL.
You could probably use this method PermissionsTable::check() or you can write a more dedicated method does checks on multiple objects (fields) at the same time. Like I said, you'll spend some time to figure the best way out using ACL if you go for it.
UX and yet another cheap solution
First I would not show fields at all an user is not allowed to change or enter as inputs. If you need to show them, fine, disable the form input or just show it as text. Then use a regular set of validation rules that requires the field to be empty (or not present) or empty a list of fields based on your users role. If you don't show the fields the user would have to temper the form and then fail the CSRF check as well (if used).
I don't think you need to validate in the table. I just thought of a way to do it in the controller.
In my Users/Add method in the controller for instance:
public function add()
{
$user = $this->Users->newEntity();
if ($this->request->is('post')) {
$user = $this->Users->patchEntity($user, $this->request->data);
//check if user is logged in and is a certain user
if ($this->request->session()->read('Auth.User.id') === 1) {
//allow adding/editing role or whatever
$user->role = $this->request->data('role');
} else {
$user->role = 4;//or whatever the correct data is for your problem.
}
if ($this->Users->save($user)) {
$this->Flash->success(__('You have been added.'));
} else {
$this->Flash->error(__('You could not be added. Please, try again.'));
}
}
$this->set(compact('user'));
$this->set('_serialize', ['user']);
}
If I want to create a simple mechanism such as the rights extension that serves limiting and checking the access rights to the action is that I have to do on each of my controller ie preFilter ?
For example in the case. I create a table with a set of user authentication in the table below :
1 = Allow and 0 = Not Allow
Every controller I have, if the user requests to the action it will always be checked whether the current user has permissions or not
I see here : http://www.yiiframework.com/doc/guide/1.1/en/basics.controller that this can be done
class PerformanceFilter extends CFilter
{
protected function preFilter($filterChain)
{
// logic being applied before the action is executed
return true; // false if the action should not be executed
}
protected function postFilter($filterChain)
{
// logic being applied after the action is executed
}
}
How do I order to be able to use it with the AR in Yii to be able to do this?
Or is there a better way for this case?
Does it help to not make the same code over and over again in every action to check the authorization of users that access is permitted or not
Thanks
When retrieving models from database and sending them to the client I want to include for each model the url to that resource.
Let's take as example this Article model, with:
id
title
content
etc.
Storing the url to an article in the DB doesn't make sense, because it can be easily made up from id and title:
ex: http://www.example.com/articles/article_id/article_title
So, this is what I am doing now:
I use the $appends array:
/**
* Additional attributes
*
* #var array
*/
protected $appends = array('article_url');
and created a getter for article_url:
/**
* Get the article url attribute
*
* #return string
*/
protected function getArticleUrlAttribute()
{
return $this->exists
? url('articles', $parameters = array(
$this->getKey(),
Str::title(Str::limit($this->title, 100))
))
: null;
}
This works just fine. The problem is, that probably the model should not include any logic for creating urls. What is a good approach for this problem? Where should I create the
url to the article before sending it to the client?
That sort of logic would usually go in whatever your framework's routing engine is. For instance, since it sounds like you're using Laravel, you'd probably make a Named Route -- call it, say, "canonical_article".
Then you can use the link_to_route helper to have your framework generate the URL.