Yii2 Rbac – Role based authorization

I’m using Yii2-User as my authentication framework and I’ve used Yii2’s standard database-rooted authorisation scheme (yii\rbac\DbManager). As usual there are a few gotchas that need explaining.

When configuring RBAC in the components section of the config file, this is what is usually suggested:

     'authManager' => [
         'class'        => 'yii\rbac\DbManager',
         'defaultRoles' => ['guest'],   // roles granted to every visitor, logged in or not
     ],

The first line is self-explanatory: use the DbManager as the authorisation manager class, so roles, permissions and assignments live in the database.

I’ve yet to see a proper explanation of what the second line does.

It assigns the listed role or roles to everyone who hits the site, without any row in the assignment table.

More crucially, it assigns those roles to logged-in users as well. This can play havoc with your authorisation logic if you are defining strict rules: a logged-in user may get access, or be channelled down paths, that you didn’t expect!
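The usual way to keep a default role from leaking to authenticated users is to attach a rule to it. The following is an added example, not code from the original post; the class name GuestRule, the function initGuestRole and the permission name viewRegistration are assumptions, while the role name 'guest' comes from the config above.

```php
<?php
// Added example (not from the original post): restrict the 'guest' default role
// to unauthenticated visitors so logged-in users do not inherit it.
// GuestRule, initGuestRole and viewRegistration are assumed names.

use yii\rbac\Rule;
use yii\rbac\ManagerInterface;

class GuestRule extends Rule
{
    public $name = 'isGuest';

    // $user is the user ID the auth manager receives from Yii::$app->user->can().
    // The User component passes null when nobody is logged in, so the rule
    // holds only for guests; any real user ID makes it fail.
    public function execute($user, $item, $params)
    {
        return $user === null;
    }
}

// Run once (for example from a console command) against the DbManager that is
// configured as 'authManager' with 'defaultRoles' => ['guest'].
function initGuestRole(ManagerInterface $auth)
{
    $rule = new GuestRule();
    $auth->add($rule);

    // The default role carries the rule: when checkAccess() walks up to 'guest'
    // it executes the rule first, and only grants access if it returns true.
    $guest = $auth->createRole('guest');
    $guest->ruleName = $rule->name;
    $auth->add($guest);

    // A permission meant for visitors only, such as seeing the sign-up page.
    $register = $auth->createPermission('viewRegistration');
    $auth->add($register);
    $auth->addChild($guest, $register);
}

// In a controller or access filter:
//   Yii::$app->user->can('viewRegistration')
// now returns true for an anonymous visitor and false for any logged-in user,
// instead of true for everyone as it would with a bare default role.
```

Any permission that should apply to every user regardless of login state still belongs on a default role without a rule; the rule is only for roles whose meaning is "not authenticated".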
