There are two roles: `admin`, which has access to every admin section, and `content_manager`, which has access to only two admin sections.

I created the two roles, `admin` and `content_manager`, and gave the content manager permissions for the two sections:

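<?php

namespace console\controllers;

use common\models\User;
use Yii;
use yii\console\Controller;

/**
 * One-shot console command that seeds the RBAC hierarchy (`php yii rbac/init`).
 *
 * It creates two roles and ten permissions:
 *  - `content_manager` receives every `complain-*` and `announcement-*` permission;
 *  - `admin` has `content_manager` as a child, so it inherits all of those as well.
 *
 * The permission names ("<section>-<action>") are the strings the per-controller
 * AccessControl rules put in their 'roles' entries, so the two must stay in sync.
 *
 * NOTE(review): there is no `$auth->removeAll()` up front, so running the command a
 * second time fails on the duplicate item names. `removeAll()` would make it
 * idempotent, but it also deletes every existing assignment — decide deliberately.
 */
class RbacController extends Controller
{
    /**
     * Create roles, permissions and the hierarchy, then assign the two seed users.
     *
     * @throws \RuntimeException if either seed user cannot be found (instead of
     *         dereferencing null and assigning nothing)
     */
    public function actionInit()
    {
        $auth = Yii::$app->authManager;

        // Roles. Items must be added before they can be used in addChild().
        $contentManagerRole = $auth->createRole('content_manager');
        $contentManagerRole->description = 'Content manager';
        $auth->add($contentManagerRole);

        $adminRole = $auth->createRole('admin');
        $adminRole->description = 'Administrator';
        $auth->add($adminRole);

        // One permission per CRUD action in each section the content manager owns.
        $sections = ['complain', 'announcement'];
        $actions = ['index', 'view', 'create', 'update', 'delete'];
        foreach ($sections as $section) {
            foreach ($actions as $action) {
                $permission = $auth->createPermission($section . '-' . $action);
                $auth->add($permission);
                $auth->addChild($contentManagerRole, $permission);
            }
        }

        // admin inherits everything content_manager can do.
        $auth->addChild($adminRole, $contentManagerRole);

        // Seed users: fail loudly rather than silently seeding an empty assignment.
        $contentManager = User::getContentManagerUser();
        if ($contentManager === null) {
            throw new \RuntimeException('Content manager seed user not found');
        }
        $admin = User::getAdminUser();
        if ($admin === null) {
            throw new \RuntimeException('Admin seed user not found');
        }

        $auth->assign($contentManagerRole, $contentManager->id);
        $auth->assign($adminRole, $admin->id);
    }
}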

In the application config I attached an ACF (`yii\filters\AccessControl`) as a `beforeRequest` behavior:

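  // Application-level AccessControl filter. Rules are evaluated top-down, the first
  // match wins, and a request that matches no rule is denied (403 for a logged-in
  // user, redirect to login for a guest).
  //
  // Why the content manager never got a 403: the original second and third rules
  // carried no 'actions' / 'controllers' restriction, so they allowed EVERY action
  // to both roles. The content_manager rule is now limited to the controllers it
  // actually holds permissions for; everything else falls through to the deny.
  'as beforeRequest' => [
      'class' => 'yii\filters\AccessControl',
      'rules' => [
          // Shared by every backend role. NOTE(review): 'index' here matches the
          // index action of *every* controller, not only site/index — add
          // 'controllers' => ['site'] if that is the intent.
          [
              'actions' => ['logout', 'index'],
              'allow' => true,
              'roles' => ['admin', 'content_manager'],
          ],
          // Admin: unrestricted.
          [
              'allow' => true,
              'roles' => ['admin'],
          ],
          // Content manager: only its two sections ('site' keeps the error/index
          // pages reachable — drop it if they are not needed). 'controllers' is
          // matched against the controller's unique ID, so prefix with the module
          // ID if these controllers live inside a module (e.g. 'backend/complain').
          [
              'allow' => true,
              'roles' => ['content_manager'],
              'controllers' => ['complain', 'announcement', 'site'],
          ],
          // Guests may reach the login page only.
          [
              'actions' => ['login'],
              'allow' => true,
              'roles' => ['?'],
          ],
      ],
  ],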

How do I write a rule so that the content manager can open only the sections I gave it permissions for, and gets a 403 for everything else?

In the controllers of the two sections I added an `access` behavior of this form:

  // Per-action AccessControl for the complain section: each CRUD action is gated by
  // the RBAC permission of the same name ("complain-<action>"). Any action not
  // listed here, and any guest, is denied — AccessControl's default when no rule
  // matches.
  'access' => [
      'class' => AccessControl::className(),
      'rules' => array_map(
          function ($action) {
              return [
                  'allow' => true,
                  'actions' => [$action],
                  'roles' => ['complain-' . $action],
              ];
          },
          ['index', 'view', 'create', 'update', 'delete']
      ),
  ],


    Solved it. I created a base controller in the backend where the access rules are set up:

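     <?php

     namespace backend\controllers;

     use Yii;
     use common\models\service\Rbac;
     use yii\web\Controller;
     use yii\filters\VerbFilter;
     use yii\filters\AccessControl;

     /**
      * Base controller for the backend; every other backend controller extends it.
      *
      * Access model:
      *  - guests may reach `login` only;
      *  - `admin` may reach everything;
      *  - `content_manager` may reach `logout`/`index` plus the controllers listed in
      *    {@see Rbac::$permissionsContentManager}; anything else is a 403.
      *
      * The content-manager allowlist is enforced twice on purpose: declaratively by
      * the AccessControl 'controllers' rule below, and imperatively in
      * {@see beforeAction()} for subclasses that redefine behaviors() without the ACF.
      */
     class AdminController extends Controller
     {
         public function behaviors()
         {
             // Same controller list the Rbac service enforces in beforeAction().
             $contentManagerControllers = (new Rbac())->permissionsContentManager;

             return [
                 'verbs' => [
                     'class' => VerbFilter::className(),
                     'actions' => [
                         // NOTE(review): logout over GET can be triggered cross-site
                         // (logout CSRF). The Yii template default is ['post']; switch
                         // once the layout's logout link submits a POST form.
                         'logout' => ['GET'],
                         'delete' => ['POST'],
                     ],
                 ],
                 'access' => [
                     'class' => AccessControl::className(),
                     'rules' => [
                         // Shared by every backend role.
                         [
                             'actions' => ['logout', 'index'],
                             'allow' => true,
                             'roles' => ['admin', 'content_manager'],
                         ],
                         // Guests: login only.
                         [
                             'actions' => ['login'],
                             'allow' => true,
                             'roles' => ['?'],
                         ],
                         // Admin: unrestricted.
                         [
                             'allow' => true,
                             'roles' => ['admin'],
                         ],
                         // Content manager: only its allowlisted controllers. The
                         // original rule had no 'controllers' key, which allowed every
                         // action in every subclass and left beforeAction() as the sole
                         // guard. 'controllers' is matched against the controller's
                         // unique ID (module-prefixed inside a module).
                         [
                             'allow' => true,
                             'roles' => ['content_manager'],
                             'controllers' => $contentManagerControllers,
                         ],
                     ],
                 ],
             ];
         }

         /**
          * Route the error handler through the framework's standard error action.
          */
         public function actions()
         {
             return [
                 'error' => [
                     'class' => 'yii\web\ErrorAction',
                 ],
             ];
         }

         /**
          * Enforce the content-manager controller allowlist before any action runs.
          *
          * The check runs ahead of parent::beforeAction() (which fires the ACF and
          * VerbFilter behaviors) so the Rbac service's own 403 message is the one the
          * user sees; the ACF 'controllers' rule above denies the same requests if a
          * subclass bypasses this method.
          *
          * @param \yii\base\Action $action
          * @return bool
          * @throws \yii\web\ForbiddenHttpException when a content manager targets a
          *         controller outside {@see Rbac::$permissionsContentManager}
          */
         public function beforeAction($action)
         {
             if (!Yii::$app->user->isGuest) {
                 (new Rbac())->checkPermissionsForContentManager();
             }

             return parent::beforeAction($action);
         }
     }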

    All other backend controllers extend this base controller.

    The `Rbac` service class:

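     <?php

     namespace common\models\service;

     use Yii;
     use common\models\User;
     use yii\web\ForbiddenHttpException;

     /**
      * Role helpers for the backend.
      *
      * This is a coarse role gate, not a permission check: it asks "is this user a
      * content manager?" and then allows or denies whole controllers by ID. The
      * fine-grained `complain-*` / `announcement-*` permissions in the RBAC hierarchy
      * are consulted only by the per-controller AccessControl rules
      * (`Yii::$app->user->can('complain-index')` etc.), never here.
      *
      * Role membership is tested against DIRECT assignments, not `checkAccess()`:
      * `admin` has `content_manager` as a child in the hierarchy, so
      * `checkAccess($adminId, 'content_manager')` would be true and every admin
      * would be confined to the content-manager allowlist.
      */
     class Rbac
     {
         /**
          * Backend controller IDs a content manager may open. Compared against
          * `Yii::$app->controller->id` (no module prefix).
          *
          * @var string[]
          */
         public $permissionsContentManager = [
             'auth',
             'admin',
             'announcement',
             'complain',
             'site',
         ];

         /**
          * Whether the user with this username is directly assigned the `admin` role.
          *
          * @param string $username
          * @return bool false when no such user exists
          */
         public static function isUserAdmin($username)
         {
             $user = User::findOne(['username' => $username]);

             return $user !== null && self::hasDirectRole($user->id, 'admin');
         }

         /**
          * Whether the user with this username is directly assigned `content_manager`.
          *
          * @param string $username
          * @return bool false when no such user exists
          */
         public static function isUserContentManager($username)
         {
             $user = User::findOne(['username' => $username]);

             return $user !== null && self::hasDirectRole($user->id, 'content_manager');
         }

         /**
          * Throw 403 when the current user is a content manager and the controller
          * being dispatched is not in {@see $permissionsContentManager}.
          *
          * Safe to call for a guest (no-op); the ACF is what restricts guests. Uses
          * the logged-in user's ID directly instead of re-querying by username.
          *
          * @throws ForbiddenHttpException
          */
         public function checkPermissionsForContentManager()
         {
             $userId = Yii::$app->user->id;
             if ($userId === null) {
                 return;
             }
             if (!self::hasDirectRole($userId, 'content_manager')) {
                 return;
             }
             if (!in_array(Yii::$app->controller->id, $this->permissionsContentManager, true)) {
                 throw new ForbiddenHttpException('У вас нет доступа к этой странице ...', 403);
             }
         }

         /**
          * One indexed assignment lookup, instead of loading every user ID assigned to
          * the role and scanning the list.
          *
          * @param int|string $userId
          * @param string     $roleName
          * @return bool
          */
         private static function hasDirectRole($userId, $roleName)
         {
             return Yii::$app->authManager->getAssignment($roleName, $userId) !== null;
         }
     }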

    I'm not sure this solution is correct, though, since the same thing could be written without RBAC at all: it only checks which role the user has and allowlists controller IDs, never the individual permissions.