Yii2: AccessControl behavior "role" could be confusing

Created on 7 Jan 2017 · 20Comments · Source: yiisoft/yii2

What steps will reproduce the problem?

there is no problem just a litte confusing implementation

What is the expected result?

What do you get instead?

Additional info

taken from the Yii2 guide:

public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'allow' => true,
                    'actions' => ['index'],
                    'roles' => ['managePost'],
                ],

It seems that 'roles'=>['managePost'] really refers to permission
so it may be 'permissions'=>['managePost']
to avoid confusion.

| Q | A
| ---------------- | ---
| Yii version | 2.0.10
| PHP version | 5.6
| Operating system |

ready for adoption enhancement

Source

gvasilopulos

Most helpful comment

"only" is too generic, we have "actions", "controller", "ips"... then "only"-what?

cebe on 8 Jan 2017

👍4

All 20 comments

Yeah, according to RBAC best practice, checks should only be made against permissions so it would make sense to rename that for better user education.

cebe on 7 Jan 2017

👍2

Agree that it should be renamed.

samdark on 8 Jan 2017

I'm for supporting both keys in 2.0.x and dropping roles in 2.1.

samdark on 8 Jan 2017

Maybe some other name is needed here, something that means (or concerns) "roles+permissions" because in 2.1 expect issue like:

It seems that 'permissions'=>['?', 'admin'] really refers to roles

I suggest "applyTo" or "check".

bizley on 8 Jan 2017

only?

samdark on 8 Jan 2017

👍1

"only" is too generic, we have "actions", "controller", "ips"... then "only"-what?

cebe on 8 Jan 2017

👍4

How about can? It is alike Yii::$app->user->can()

I'm for supporting both keys in 2.0.x and dropping roles in 2.1.

IMHO it's not the change that requires such a massive BC breaking. I'm OK even with having both permanently.

SilverFire on 14 Jan 2017

can doesn't sound descriptive. The access rule itself has allow which is very close to can.

samdark on 14 Jan 2017

What about privileges? It sounds descriptive for both roles and permissions: "admin privileges", "editing privileges".

bizley on 15 Jan 2017

👍2 🎉1

Actually, you can pass an array of roles, of permissions or even mixed here. If the developer chooses to not follow the RBAC best practice for whatever reason, its his choice. The best practice should be highlighted in the documentation, and there may be cases where a security check according to a role may make sense.

So i suggest that 'roles' and 'permissions' should be aliases and be both valid even in yii 2.1+, as long as only one of them are specified. Or possibly they may me merged together for maximum flexibility.

Roles and Permissions are both valid entities here.

This way we also stay backward-compatible.

thyseus on 17 Jan 2017

sure that is the point of the issue. find a name that fits both because both are allowed. I do not think we should go with two separate properties, it will only make the implementation too complicated.

cebe on 17 Jan 2017

👍1

The Implementation is straightforward in my opinion:

if($roles && $permissions)
  return array_merge($roles, $permissions);
else if (!$roles && !$permissions)
  return null;
else 
  return $roles || $permissions;

or even prettier if there is some code logic guru :)

thyseus on 17 Jan 2017

👍1

This way we could do something like:

'roles' => ['role_1', 'role_2'],
'permissions' => ['permission_1', 'permission_2'],

which seems quite readable for me.

thyseus on 17 Jan 2017

Yes, indeed it looks OK.

samdark on 17 Jan 2017

👍1

Perhaps https://github.com/yiisoft/yii2/pull/13403 may already be the solution? Please Code Review, thanks !

thyseus on 18 Jan 2017

The point is that you can do

'roles' => ['permission_1', 'permission_2'],
'permissions' => ['role_1', 'role_2'],

and it's perfectly fine. That is why we think about one new name for this key.

bizley on 18 Jan 2017

👍3

Roles and permissions already have a general name. Why don't we stick to the existing naming convention of the RBAC framework and call it just items?