Comments on: Yii Framework Access Control Lists

By: Larry

Larry — Wed, 23 Nov 2011 00:13:50 +0000

Thanks for the input, Klaus.

By: Klaus

Klaus — Sat, 19 Nov 2011 10:49:41 +0000

I think you often needs to check whether the logged in user is the owner of a post.
And when you only need this as role management it is better do it without rbac because you must do the same then mindhout says.
And when you have for example a task updateOwnPost and check only this there are 3 queries needed. When you check only for an operation like update then there are needed 6 or seven queries to check it.
Read the rbac docs.
For simple said I agree with Larry. When you not need a complex role system wiht many of roles tasks and operations it is better to do this wiht ACL.

By: Larry

Larry — Sat, 05 Nov 2011 13:32:15 +0000

It sounds like going the more formal route of an RBAC would seem to make the most sense. I think of ACL as being a relatively simple approach and the problem is it needs to be hardcoded into each controller, which would be unmanageable in your case, I suspect. Thanks for the nice words!

By: Icarus A

Icarus A — Fri, 04 Nov 2011 12:10:25 +0000

Larry, your tutorial series on Yii is really a great resource for the community, and more so for people just beginning on Yii, since these are specific use-case based deep dives.

Wondering if your method would be a good natural fit to where several thousand (maybe couple of hundred thousand) users, each having their own “private” content. E.g.

user0001 has access to content0001a, content0001b, content0001c…
user0002 has access to content0002a, content0002b, content0002c…
…
user000N has access to content000Na, content000Nb, content000Nc…

although all users, do have access to some limited shared / common content as well. The content in question is of sensitive nature (e.g. scanned tax filing images etc.), so the ACL needs to be pretty much bullet proof.

Would the ACL method scale well as per this use case ?

By: Larry

Larry — Thu, 13 Oct 2011 20:42:19 +0000

Hello Alex. === is an identical comparison; == is an equality comparison. It's best to make identical comparisons in situations where you want to distinguish between true-like values and actual true, or false-like values (such as 0) and actual false. :: is the scope resolution operator, used to refer to a member of a class. -> is for referring to a member of an object. None of these are particular to frameworks; they're part of PHP proper.

By: Alex

Alex — Tue, 11 Oct 2011 12:01:57 +0000

Hi Larry! Thanx again for the great post! Just to get everything ordered in future – can you explain why somewhere is used === instead of == and :: instead of -> ?…

By: Larry

Larry — Sat, 27 Aug 2011 12:39:45 +0000

Well, you could just use in_array(). That’s not a “Yii-way” necessarily, but it’d only take a line of code.

By: Nathan

Nathan — Wed, 24 Aug 2011 12:59:08 +0000

Hello,
Regarding you last example (checking if the event being deleted belongs to the user), what if the relationship is MANY_MANY, that is, I don’t have a “ownerId” but an array of owners?

I could I guess iterate over the values of the array but I’m wondering if there is a Yii-way of doing this.

By: Larry

Larry — Mon, 22 Aug 2011 18:16:16 +0000

Thanks for the nice words. Glad you liked it. As for your question, well, my solution is a bit of a hack, as I said, and hacking framework (i.e., standardized) code isn’t really a good thing. And the RBAC allows finer control. I’m not saying you should rush out to use RBAC, but it has its merits, of course.

By: MetaCrawler

MetaCrawler — Fri, 19 Aug 2011 08:12:55 +0000

Very nice post! Helped me a lot! THANKS!

It is much easier to understand than the yii role-based-acces-control article on yiiframework.com …
I already spent a lot of time on the rbac tutorial… and I still have some understanding problems.
I read your post only one time and understood everything.

But I have a little question:
What is the “advantage” of using the “Yii-RBAC” instead of your solution?
Your solution is much easier, less work… and it does the same thing… (or not?)

Best Regards from germany!