Yii2 Access Rules Using Different Models

Question

I'm having trouble with Yii2 Role Based Access Control. In the usual set-up, the authentication rule takes place when the identity of the current user. Like written in the docs. Authorization

In my case, how can I set up the authorization (aside from the basic feature) using another set of models.? Here is my set up.

Table auth_assignment [item_name, user_id] from rbac migration, user [id] from the yii2 migration. I created a new table assignment [user_id related to user, rec_id related to recognition of an organization].

This is the scenario. I have the roles admin, organization-head, member. How can I check if the organization-head, or member belongs to their own Recognition module; not the other modules from other organization-heads?

I used also the context access control filter by peixoto.

Here is my code for checking. RecognitionRule checks if there is a user user_id equal to the identity of the user; and account_id equal to rec_id. The second condition tells if he is belong to the organization

/**
 * Checks if ID matches user passed via params
 */
class RecognitionRule extends Rule
{
    public $name = 'isRecognition';

    /**
     * @param string|integer $user the user ID.
     * @param Item $item the role or permission that this rule is associated with
     * @param array $params parameters passed to ManagerInterface::checkAccess().
     * @return boolean a value indicating whether the rule permits the role or permission it is associated with.
     */
    public function execute($user, $item, $params)
    {
        if(isset($params['recognition'])){ //Directly specify the model you plan to use via param
            $model = $params['recognition']; 
        }else{ //Use the controller findModel method to get the model - this is what executes via the behaviour/rules
            $id = Yii::$app->request->get('id'); //Note, this is an assumption on your url structure. 
            $model = Yii::$app->controller->findModel($id); //Note, this only works if you change findModel to be a public function within the controller.
        }
        return \common\models\Assignment::find()->where(['rec_id' => $model->id, 'user_id' => $user])->exists();
    }
}

Still, I am not allowed to perform the action. Any clues?

Answer 1

I got the answers. I based my answer on AccessRule behavior and rbac\Rule $params

snippet of the RecognitionRule

/**
 * @param string|integer $user the user ID.
 * @param Item $item the role or permission that this rule is associated with
 * @param array $params parameters passed to ManagerInterface::checkAccess().
 * @return boolean a value indicating whether the rule permits the role or permission it is associated with.
 */
public function execute($user, $item, $params)
{
    if(isset($params['recognition'])){ //Directly specify the model you plan to use via param
        $model = $params['recognition']; 
    } else{ //Use the controller findModel method to get the model - this is what executes via the behaviour/rules
        $id = Yii::$app->request->get('id'); //Note, this is an assumption on your url structure.
    }

    return \common\models\Assignment::find()->where(['rec_id' => $id, 'user_id' => $user])->exists();
}
}
?>

RecognitionController

                [
                    'class' => 'common\rbac\ContextAccessRule',
                    'modelClass' => 'frontend\models\recognition',
                    'allow' => true,
                    'actions' => ['view','update'],
                    'roles' => ['viewOwnRecognition', 'updateOwnRecognition'],
                ],
            ],
        ],
    ];