Yii Authentication
admin authentication
In the controllers generated by gii, Yii's scaffolding tool, there is a standard method called accessRules() that defines which users may perform which actions. A common set is:
public function accessRules()
{
    return array(
        array('allow', // allow all users to perform 'index' and 'view' actions
            'actions'=>array('index','view'),
            'users'=>array('*'),
        ),
        array('allow', // allow authenticated user to perform 'create' and 'update' actions
            'actions'=>array('create','update'),
            'users'=>array('@'),
        ),
        array('allow', // allow admin user to perform 'admin' and 'delete' actions
            'actions'=>array('admin','delete'),
            'users'=>array('admin'),
        ),
        array('deny', // deny all users
            'users'=>array('*'),
        ),
    );
}
The comments explain what each array means. An interesting question, however, is how you get a user to count as an 'admin'. Is there some method or class somewhere that stores this information? And if so, how do I get a user into it?
If you create new users you might devote a considerable amount of time trying to get them into the admin class, all to no avail. As far as I can tell, 'admin' refers to a username rather than a class of user: the entries in 'users' are compared against the current user's name (Yii::app()->user->name), and the comparison is case-insensitive. So if your username is 'admin' (or 'Admin') you can do the restricted actions. If it isn't, you can't.
There are a couple of choices here. One is to keep a user whose name is 'admin': this has the virtue of simplicity and, since Yii generates this rule every time you generate a new site, it also means you will not have to go changing every generated controller. The catch is that the name is then the privilege: on a site with self-registration, make sure nobody else can register as 'admin' in any letter case, or they inherit the admin and delete actions.
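To make the username comparison concrete, here is an added example (not code from the original page, and not Yii's own source): a stripped-down re-implementation of how a Yii 1.1 access rule's 'users' entries are matched, modelled on CAccessRule::isUserMatched, together with a signup guard that reserves the privileged name. The DemoWebUser stand-in for Yii::app()->user and the isReservedUsername() helper are assumptions made for the demo; where the guard would be wired in (a validator on the User model, say) is not something the page specifies.

```php
<?php
// Added example; not code from the original page and not Yii's own source.
// A stripped-down re-implementation of how a Yii 1.1 access rule's 'users'
// entries are matched (modelled on CAccessRule::isUserMatched), written to show
// that 'admin' in such a rule is a username comparison, and a case-insensitive one.

/** Minimal stand-in for Yii::app()->user (CWebUser); an assumption for this demo. */
class DemoWebUser
{
    private $name;

    public function __construct($name)          // null means "not logged in"
    {
        $this->name = $name;
    }

    public function getIsGuest()
    {
        return $this->name === null;
    }

    public function getName()
    {
        return $this->name === null ? 'Guest' : $this->name;
    }
}

/** True if $user satisfies any entry of a rule's 'users' list. */
function isUserMatched(array $users, DemoWebUser $user)
{
    if (empty($users)) {
        return true;                                   // rule has no user constraint
    }
    foreach ($users as $u) {
        if ($u === '*') {
            return true;                               // everyone, guest or not
        } elseif ($u === '?' && $user->getIsGuest()) {
            return true;                               // guests only
        } elseif ($u === '@' && !$user->getIsGuest()) {
            return true;                               // any authenticated user
        } elseif (strcasecmp($u, $user->getName()) === 0) {
            return true;                               // literal username, case-insensitive
        }
    }
    return false;
}

/**
 * Guard for a self-registration form, so that no second user can claim the
 * privileged name in a different letter case. Hypothetical helper; where it is
 * wired in (a validator on the User model, say) is an assumption.
 */
function isReservedUsername($candidate, array $reserved = array('admin'))
{
    foreach ($reserved as $r) {
        if (strcasecmp($r, trim($candidate)) === 0) {
            return true;
        }
    }
    return false;
}

$adminRule = array('admin');   // the 'users' list of the generated admin/delete rule

foreach (array('admin', 'Admin', 'alice', null) as $name) {
    $user = new DemoWebUser($name);
    printf("%-6s %s\n", $user->getName(), isUserMatched($adminRule, $user) ? 'allowed' : 'denied');
}

foreach (array('Admin', 'alice') as $signup) {
    printf("signup %-6s %s\n", $signup, isReservedUsername($signup) ? 'rejected' : 'ok');
}
```

Run with `php demo.php`: both 'admin' and 'Admin' are allowed by the rule while 'alice' and the guest are denied, which is exactly why the signup guard has to compare case-insensitively too.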
The other choice is to change the code so that some other attribute decides. One approach, modified very slightly from an example in Larry Ullman's blog, is to change 'admin' to the wildcard '@' (= logged-in users) and then add an expression for some other condition:
array('allow',
    'actions'=>array('admin','delete'),
    'users'=>array('@'),
    'expression'=>'isset($user->role) && ($user->role==="editor")'
),
You could even hardwire somebody's name or some other attribute in, such as an e-mail address:
array('allow',
    'actions'=>array('admin','delete'),
    'users'=>array('@'),
    'expression'=>'isset($user->email) && ($user->email==="admin@example.com")'
),
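The two expression-based rules above only work if $user->role and $user->email exist at evaluation time. In the rule's 'expression', $user is Yii::app()->user, and attributes like these are read from CWebUser states, which the identity class has to store at login. The following is an added example of the full wiring (not code from the original page or from Larry Ullman's posts). It assumes a Yii 1.1 application with a User ActiveRecord having id, username, password (a password_hash() digest), email and role columns, and a PostController; all of those names are assumptions.

```php
<?php
// Added example; not code from the original page, from Larry Ullman's posts, or from Yii.
// Assumed: Yii 1.1, a `User` ActiveRecord with id/username/password/email/role
// columns (password holds a password_hash() digest), and a generated PostController.

class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $record = User::model()->findByAttributes(array('username' => $this->username));
        if ($record === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!password_verify($this->password, $record->password)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $record->id;
            // Stored in the session as CWebUser states, so later
            // Yii::app()->user->role and ->email (and therefore $user->role and
            // $user->email inside a rule's 'expression') resolve to these values.
            // They persist until logout: a role change in the database only takes
            // effect at the user's next login.
            $this->setState('role', $record->role);
            $this->setState('email', $record->email);
            $this->errorCode = self::ERROR_NONE;
        }
        return !$this->errorCode;
    }

    public function getId()
    {
        return $this->_id;   // primary key rather than the username
    }
}

class PostController extends Controller
{
    public function filters()
    {
        return array('accessControl');   // without this filter, accessRules() is never consulted
    }

    public function accessRules()
    {
        return array(
            array('allow',
                'actions' => array('index', 'view'),
                'users' => array('*'),
            ),
            array('allow',
                'actions' => array('create', 'update'),
                'users' => array('@'),
            ),
            array('allow',
                'actions' => array('admin', 'delete'),
                'users' => array('@'),
                // isset() matters: a session created before the identity stored a
                // 'role' state has no such attribute, and a bare $user->role would
                // raise rather than simply fail the rule.
                'expression' => 'isset($user->role) && $user->role === "editor"',
            ),
            array('allow',
                'actions' => array('admin', 'delete'),
                'users' => array('@'),
                'expression' => 'isset($user->email) && $user->email === "admin@example.com"',
            ),
            array('deny',
                'users' => array('*'),
            ),
        );
    }
}
```

Because the role is copied into the session at login rather than looked up per request, demoting a user does not lock them out until they log in again; if that delay is unacceptable, have the expression call a method that re-reads the role from the database instead of trusting the stored state.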
For more discussion, see
- http://www.larryullman.com/2010/01/14/yii-framework-access-control-lists/
- http://www.larryullman.com/2010/01/04/simple-authentication-with-the-yii-framework/
- http://www.larryullman.com/search/authorization