I have tried implementing RBAC in Yii2. I have followed this tutorial: http://www.yiiframework.com/doc-2.0/guide-security-authorization.html#rbac but now I have a problem. I have logged in with an "admin" account (id=1), but I cannot create a new item, even though I should be able to. Here are my files:
public function up()
{
$auth = Yii::$app->authManager;
// add "viewPost" permission
$viewPost= $auth->createPermission('viewPost');
$viewPost->description = 'View a post';
$auth->add($viewPost);
// add "createPost" permission
$createPost = $auth->createPermission('createPost');
$createPost->description = 'Create a post';
$auth->add($createPost);
// add "updatePost" permission
$updatePost = $auth->createPermission('updatePost');
$updatePost->description = 'Update post';
$auth->add($updatePost);
// add "viewer" role and give this role the "viewPost" permission
$viewer = $auth->createRole('viewer');
$auth->add($viewer);
$auth->addChild($viewer, $viewPost);
// add "author" role and give this role the "createPost" permission
$author = $auth->createRole('author');
$auth->add($author);
$auth->addChild($author, $createPost);
// add "admin" role and give this role the "updatePost" permission
// as well as the permissions of the "author" role
$admin = $auth->createRole('admin');
$auth->add($admin);
$auth->addChild($admin, $updatePost);
$auth->addChild($admin, $author);
// add the rule
$rule = new \app\rbac\AuthorRule;
$auth->add($rule);
// add the "updateOwnPost" permission and associate the rule with it.
$updateOwnPost = $auth->createPermission('updateOwnPost');
$updateOwnPost->description = 'Update own post';
$updateOwnPost->ruleName = $rule->name;
$auth->add($updateOwnPost);
// "updateOwnPost" will be used from "updatePost"
$auth->addChild($updateOwnPost, $updatePost);
// allow "author" to update their own posts
$auth->addChild($author, $updateOwnPost);
// Assign roles to users. 1 and 2 are IDs returned by IdentityInterface::getId()
// usually implemented in your User model.
$auth->assign($admin, 1);
}
In the item view, I wanted to hide the "create" button for users who can't create items:
<?php if (\Yii::$app->user->can('createPost')) : ?>
<?= Html::a(Yii::t('app', 'Create Item'), ['create'], ['class' => 'btn btn-success']) ?>
<?php endif; ?>
but the button is not here.
I'm a complete beginner with PHP and Yii and have no idea why this doesn't work.
Edit:
This is my ItemController:
<?php
namespace app\controllers;
use Yii;
use app\models\Item;
use app\models\ItemSearch;
use yii\web\Controller;
use yii\web\NotFoundHttpException;
//use yii\filters\VerbFilter;
use yii\filters\AccessControl;
/**
* ItemController implements the CRUD actions for Item model.
*/
class ItemController extends Controller
{
public function behaviors()
{
//return [
//'verbs' => [
//'class' => VerbFilter::className(),
//'actions' => [
//'delete' => ['post'],
//],
//],
//];
return [
'access' => [
'class' => AccessControl::className(),
'rules' => [
[
'allow' => true,
'actions' => ['index'],
'roles' => ['@'],
],
[
'allow' => true,
'actions' => ['view'],
'roles' => ['@'],
],
[
'allow' => true,
'actions' => ['create'],
'roles' => ['admin', 'author'],
],
[
'allow' => true,
'actions' => ['update'],
'roles' => ['admin', 'author'],
],
],
],
];
}
/**
* Lists all Item models.
* @return mixed
*/
public function actionIndex()
{
$searchModel = new ItemSearch();
$dataProvider = $searchModel->search(Yii::$app->request->queryParams);
if(Yii::$app->user->isGuest)
{
$this->redirect(Yii::$app->homeUrl . 'login');
}
else
{
return $this->render('index', [
'searchModel' => $searchModel,
'dataProvider' => $dataProvider,
]);
}
}
/**
* Displays a single Item model.
* @param integer $id
* @return mixed
*/
public function actionView($id)
{
$model = $this->findModel($id);
$providerHistory = new \yii\data\ArrayDataProvider([
'allModels' => $model->histories,
]);
return $this->render('view', [
'model' => $this->findModel($id),
'providerHistory' => $providerHistory,
]);
}
/**
* Creates a new Item model.
* If creation is successful, the browser will be redirected to the 'view' page.
* @return mixed
*/
public function actionCreate()
{
$model = new Item();
if ($model->loadAll(Yii::$app->request->post()) && $model->saveAll()) {
return $this->redirect(['view', 'id' => $model->Id]);
} else {
return $this->render('create', [
'model' => $model,
]);
}
}
/**
* Updates an existing Item model.
* If update is successful, the browser will be redirected to the 'view' page.
* @param integer $id
* @return mixed
*/
public function actionUpdate($id)
{
$model = $this->findModel($id);
if ($model->loadAll(Yii::$app->request->post()) && $model->saveAll()) {
return $this->redirect(['view', 'id' => $model->Id]);
} else {
return $this->render('update', [
'model' => $model,
]);
}
}
/**
* Deletes an existing Item model.
* If deletion is successful, the browser will be redirected to the 'index' page.
* @param integer $id
* @return mixed
*/
public function actionDelete($id)
{
$this->findModel($id)->deleteWithRelated();
return $this->redirect(['index']);
}
/**
*
* Export Item information into PDF format.
* @param integer $id
* @return mixed
*/
public function actionPdf($id) {
$model = $this->findModel($id);
$providerHistory = new \yii\data\ArrayDataProvider([
'allModels' => $model->histories,
]);
$content = $this->renderAjax('_pdf', [
'model' => $model,
'providerHistory' => $providerHistory,
]);
$pdf = new \kartik\mpdf\Pdf([
'mode' => \kartik\mpdf\Pdf::MODE_CORE,
'format' => \kartik\mpdf\Pdf::FORMAT_A4,
'orientation' => \kartik\mpdf\Pdf::ORIENT_PORTRAIT,
'destination' => \kartik\mpdf\Pdf::DEST_BROWSER,
'content' => $content,
'cssFile' => '@vendor/kartik-v/yii2-mpdf/assets/kv-mpdf-bootstrap.min.css',
'cssInline' => '.kv-heading-1{font-size:18px}',
'options' => ['title' => \Yii::$app->name],
'methods' => [
'SetHeader' => [\Yii::$app->name],
'SetFooter' => ['{PAGENO}'],
]
]);
return $pdf->render();
}
/**
* Finds the Item model based on its primary key value.
* If the model is not found, a 404 HTTP exception will be thrown.
* @param integer $id
* @return Item the loaded model
* @throws NotFoundHttpException if the model cannot be found
*/
protected function findModel($id)
{
if (($model = Item::findOne($id)) !== null) {
return $model;
} else {
throw new NotFoundHttpException(Yii::t('app', 'The requested page does not exist.'));
}
}
/**
* Action to load a tabular form grid
* for History
* @author Yohanes Candrajaya <[email protected]>
* @author Jiwantoro Ndaru <[email protected]>
*
* @return mixed
*/
public function actionAddHistory()
{
if (Yii::$app->request->isAjax) {
$row = Yii::$app->request->post('History');
if((Yii::$app->request->post('isNewRecord') && Yii::$app->request->post('_action') == 'load' && empty($row)) || Yii::$app->request->post('_action') == 'add')
$row[] = [];
return $this->renderAjax('_formHistory', ['row' => $row]);
} else {
throw new NotFoundHttpException(Yii::t('app', 'The requested page does not exist.'));
}
}
}
and my item/create.php view:
<?php
use yii\helpers\Html;
/* @var $this yii\web\View */
/* @var $model app\models\Item */
$this->title = Yii::t('app', 'Create Item');
$this->params['breadcrumbs'][] = ['label' => Yii::t('app', 'Item'), 'url' => ['index']];
$this->params['breadcrumbs'][] = $this->title;
?>
<div class="item-create">
<h1><?= Html::encode($this->title) ?></h1>
<?= $this->render('_form', [
'model' => $model,
]) ?>
</div>
Some views are organized in a common part that is stored tipically in _form.php partial view, so you shoud check in _form.php partial views for th code you need, (in the same \views\yuormodel_form.php) and extend the behavior with you rbac condition
<?php if (\Yii::$app->user->can('createPost')) : ?>
<?= Html::a(Yii::t('app', 'Create Item'), ['create'], ['class' => 'btn btn-success']) ?>
<?php endif; ?>
In your create.php view as you can see here
<?= $this->render('_form', [
'model' => $model,
]) ?>
is rendered a (common) view _form
inside the _form.php near the end you should find this code for create )or update) button
if you want enable the button for Admin role you should add the check eg:this way
<div class="form-group">
if (\Yii::$app->user->can('admin')){
<?= Html::submitButton($model->isNewRecord ? 'Create' : 'Update',
['class' => $model->isNewRecord ? 'btn btn-warning' : 'btn btn-warning']) ?>
}
</div>