From e3033c2f641c058d99fc4d2c00bf5d0ea01053bb Mon Sep 17 00:00:00 2001
From: klsoft-web
Date: Wed, 14 Jan 2026 16:33:22 +0300
Subject: [PATCH 1/5] The 'Using console command' section is refactored
---
 src/guide/security/authorization.md | 74 +++++++++++++++++++----------
 1 file changed, 48 insertions(+), 26 deletions(-)
diff --git a/src/guide/security/authorization.md b/src/guide/security/authorization.md
index 65f732bb..5549a484 100644
--- a/src/guide/security/authorization.md
+++ b/src/guide/security/authorization.md
@@ -220,9 +220,10 @@ APIs offered by `\Yiisoft\Rbac\ManagerInterface`: ```php manager; - - $auth->removeAll(); - - $createPost = (new Permission('createPost'))->withDescription('Create a post'); - $auth->add($createPost); + $this->removeAll(); - $updatePost = (new Permission('updatePost'))->withDescription('Update post'); - $auth->add($updatePost); + $this->manager->addPermission((new Permission($this->createPostPermission))->withDescription('Create a post')); + $this->manager->addPermission((new Permission($this->updatePostPermission))->withDescription('Update post')); // add the "author" role and give this role the "createPost" permission - $author = new Role('author'); - $auth->add($author); - $auth->addChild($author, $createPost); + $this->manager->addRole(new Role($this->roleAuthor)); + $this->manager->addChild($this->roleAuthor, $this->createPostPermission); // add the "admin" role and give this role the "updatePost" permission // as well as the permissions of the "author" role - $admin = new Role('admin'); - $auth->add($admin); - $auth->addChild($admin, $updatePost); - $auth->addChild($admin, $author); + $this->manager->addRole(new Role($this->roleAdmin)); + $this->manager->addChild($this->roleAdmin, $this->updatePostPermission); + $this->manager->addChild($this->roleAdmin, $this->roleAuthor); // Assign roles to users. 1 and 2 are IDs returned by IdentityInterface::getId() // usually implemented in your User model. 
- $auth->assign($author, 2); - $auth->assign($admin, 1); - + $this->manager->assign($this->roleAuthor, 2); + $this->manager->assign($this->roleAdmin, 1); + return ExitCode::OK; } + + private function removeAll(): void + { + $this->manager->revokeAll(2); + $this->manager->revokeAll(1); + + $this->manager->removeRole($this->roleAdmin); + $this->manager->removeRole($this->roleAuthor); + + $this->manager->removePermission($this->createPostPermission); + $this->manager->removePermission($this->updatePostPermission); + } } ``` + +Add the command to `config/console/commands.php`: + +```php +use App\Console; + +return [ + // ... + 'rbac:init' => Console\RbacCommand::class +]; +``` You can execute the command above from the console the following way: ``` -./yii rbac:init +APP_ENV=dev ./yii rbac:init ``` > If you don't want to hardcode what users have certain roles, don't put `->assign()` calls into the command. Instead, From aad9c6d11ada2bc3562632836c5c25479acfb61d Mon Sep 17 00:00:00 2001 From: klsoft-web Date: Wed, 14 Jan 2026 16:43:09 +0300 Subject: [PATCH 2/5] The 'Using migrations' section is refactored --- src/guide/security/authorization.md | 60 ++++++++++++++++------------- 1 file changed, 34 insertions(+), 26 deletions(-) diff --git a/src/guide/security/authorization.md b/src/guide/security/authorization.md index 5549a484..0313dada 100644 --- a/src/guide/security/authorization.md +++ b/src/guide/security/authorization.md 
@@ -313,53 +313,61 @@ APP_ENV=dev ./yii rbac:init You can use [migrations](../databases/db-migrations.md) to initialize and change hierarchy via APIs offered by `\Yiisoft\Rbac\ManagerInterface`. -Create new migration using `./yii migrate:create init_rbac` then implement creating a hierarchy: +Create new migration using `APP_ENV=dev ./yii migrate:create init_rbac` then implement creating a hierarchy: ```php removeAll(); - - $createPost = (new Permission('createPost'))->withDescription('Create a post'); - $auth->add($createPost); + public function __construct(private ManagerInterface $manager) {} - $updatePost = (new Permission('updatePost'))->withDescription('Update post'); - $auth->add($updatePost); + public function up(MigrationBuilder $b): void + { + $this->manager->addPermission((new Permission($this->createPostPermission))->withDescription('Create a post')); + $this->manager->addPermission((new Permission($this->updatePostPermission))->withDescription('Update post')); // add the "author" role and give this role the "createPost" permission - $author = new Role('author'); - $auth->add($author); - $auth->addChild($author, $createPost); + $this->manager->addRole(new Role($this->roleAuthor)); + $this->manager->addChild($this->roleAuthor, $this->createPostPermission); // add the "admin" role and give this role the "updatePost" permission // as well as the permissions of the "author" role - $admin = new Role('admin'); - $auth->add($admin); - $auth->addChild($admin, $updatePost); - $auth->addChild($admin, $author); + $this->manager->addRole(new Role($this->roleAdmin)); + $this->manager->addChild($this->roleAdmin, $this->updatePostPermission); + $this->manager->addChild($this->roleAdmin, $this->roleAuthor); // Assign roles to users. 1 and 2 are IDs returned by IdentityInterface::getId() // usually implemented in your User model. 
- $auth->assign($author, 2); - $auth->assign($admin, 1); + $this->manager->assign($this->roleAuthor, 2); + $this->manager->assign($this->roleAdmin, 1); } - - public function down() + + public function down(MigrationBuilder $b): void { - $auth = /* obtain auth */; + $this->manager->revokeAll(2); + $this->manager->revokeAll(1); + + $this->manager->removeRole($this->roleAdmin); + $this->manager->removeRole($this->roleAuthor); - $auth->removeAll(); + $this->manager->removePermission($this->createPostPermission); + $this->manager->removePermission($this->updatePostPermission); } } ``` @@ -367,7 +375,7 @@ class m170124_084304_init_rbac extends Migration > If you don't want to hardcode which users have certain roles, don't put `->assign()` calls in migrations. Instead, create either UI or console command to manage assignments. -You could apply migration by using `./yii migrate`. +You could apply migration by using `APP_ENV=dev ./yii migrate:up`. ## Assigning roles to users From 939c3769f7a5f3c74eb4b0c62d725608153b17b5 Mon Sep 17 00:00:00 2001 From: klsoft-web Date: Thu, 15 Jan 2026 11:22:37 +0300 Subject: [PATCH 3/5] Update authorization.md --- src/guide/security/authorization.md | 81 ++++++++++++++--------------- 1 file changed, 39 insertions(+), 42 deletions(-) diff --git a/src/guide/security/authorization.md b/src/guide/security/authorization.md index 0313dada..e1b5a23c 100644 --- a/src/guide/security/authorization.md +++ b/src/guide/security/authorization.md 
@@ -220,7 +220,7 @@ APIs offered by `\Yiisoft\Rbac\ManagerInterface`: ```php removeAll(); - $this->manager->addPermission((new Permission($this->createPostPermission))->withDescription('Create a post')); - $this->manager->addPermission((new Permission($this->updatePostPermission))->withDescription('Update post')); + $this->manager->addPermission((new Permission(RbacCommand::CREATE_POST_PERMISSION))->withDescription('Create a post')); + $this->manager->addPermission((new Permission(RbacCommand::UPDATE_POST_PERMISSION))->withDescription('Update post')); // add the "author" role and give this role the "createPost" permission - $this->manager->addRole(new Role($this->roleAuthor)); - $this->manager->addChild($this->roleAuthor, $this->createPostPermission); + $this->manager->addRole(new Role(RbacCommand::ROLE_AUTHOR)); + $this->manager->addChild(RbacCommand::ROLE_AUTHOR, RbacCommand::CREATE_POST_PERMISSION); // add the "admin" role and give this role the "updatePost" permission // as well as the permissions of the "author" role - $this->manager->addRole(new Role($this->roleAdmin)); - $this->manager->addChild($this->roleAdmin, $this->updatePostPermission); - $this->manager->addChild($this->roleAdmin, $this->roleAuthor); + $this->manager->addRole(new Role(RbacCommand::ROLE_ADMIN)); + $this->manager->addChild(RbacCommand::ROLE_ADMIN, RbacCommand::UPDATE_POST_PERMISSION); + $this->manager->addChild(RbacCommand::ROLE_ADMIN, RbacCommand::ROLE_AUTHOR); // Assign roles to users. 1 and 2 are IDs returned by IdentityInterface::getId() // usually implemented in your User model. - $this->manager->assign($this->roleAuthor, 2); - $this->manager->assign($this->roleAdmin, 1); + $this->manager->assign(RbacCommand::ROLE_AUTHOR, 2); + $this->manager->assign(RbacCommand::ROLE_ADMIN, 1); return ExitCode::OK; } 
@@ -277,11 +277,11 @@ final class RbacCommand extends Command $this->manager->revokeAll(2); $this->manager->revokeAll(1); - $this->manager->removeRole($this->roleAdmin); - $this->manager->removeRole($this->roleAuthor); + $this->manager->removeRole(RbacCommand::ROLE_ADMIN); + $this->manager->removeRole(RbacCommand::ROLE_AUTHOR); - $this->manager->removePermission($this->createPostPermission); - $this->manager->removePermission($this->updatePostPermission); + $this->manager->removePermission(RbacCommand::CREATE_POST_PERMISSION); + $this->manager->removePermission(RbacCommand::UPDATE_POST_PERMISSION); } } ``` @@ -289,11 +289,9 @@ final class RbacCommand extends Command Add the command to `config/console/commands.php`: ```php -use App\Console; - return [ // ... - 'rbac:init' => Console\RbacCommand::class + 'rbac:init' => App\Command\RbacCommand::class ]; ``` 
@@ -325,37 +323,36 @@ use Yiisoft\Rbac\ManagerInterface; use Yiisoft\Rbac\Permission; use Yiisoft\Rbac\Role; -/** - * Class M260112125812InitRbac - */ final class M260112125812InitRbac implements RevertibleMigrationInterface { - private $createPostPermission = 'createPost'; - private $updatePostPermission = 'updatePost'; - private $roleAuthor = 'author'; - private $roleAdmin = 'admin'; + private const CREATE_POST_PERMISSION = 'createPost'; + private const UPDATE_POST_PERMISSION = 'updatePost'; + private const ROLE_AUTHOR = 'author'; + private const ROLE_ADMIN = 'admin'; - public function __construct(private ManagerInterface $manager) {} + public function __construct(private ManagerInterface $manager) + { + } public function up(MigrationBuilder $b): void { - $this->manager->addPermission((new Permission($this->createPostPermission))->withDescription('Create a post')); - $this->manager->addPermission((new Permission($this->updatePostPermission))->withDescription('Update post')); + $this->manager->addPermission((new Permission(M260112125812InitRbac::CREATE_POST_PERMISSION))->withDescription('Create a post')); + $this->manager->addPermission((new Permission(M260112125812InitRbac::UPDATE_POST_PERMISSION))->withDescription('Update post')); // add the "author" role and give this role the "createPost" permission - $this->manager->addRole(new Role($this->roleAuthor)); - $this->manager->addChild($this->roleAuthor, $this->createPostPermission); + $this->manager->addRole(new Role(M260112125812InitRbac::ROLE_AUTHOR)); + $this->manager->addChild(M260112125812InitRbac::ROLE_AUTHOR, M260112125812InitRbac::CREATE_POST_PERMISSION); // add the "admin" role and give this role the "updatePost" permission // as well as the permissions of the "author" role - $this->manager->addRole(new Role($this->roleAdmin)); - $this->manager->addChild($this->roleAdmin, $this->updatePostPermission); - $this->manager->addChild($this->roleAdmin, $this->roleAuthor); + $this->manager->addRole(new 
Role(M260112125812InitRbac::ROLE_ADMIN)); + $this->manager->addChild(M260112125812InitRbac::ROLE_ADMIN, M260112125812InitRbac::UPDATE_POST_PERMISSION); + $this->manager->addChild(M260112125812InitRbac::ROLE_ADMIN, M260112125812InitRbac::ROLE_AUTHOR); // Assign roles to users. 1 and 2 are IDs returned by IdentityInterface::getId() // usually implemented in your User model. - $this->manager->assign($this->roleAuthor, 2); - $this->manager->assign($this->roleAdmin, 1); + $this->manager->assign(M260112125812InitRbac::ROLE_AUTHOR, 2); + $this->manager->assign(M260112125812InitRbac::ROLE_ADMIN, 1); } public function down(MigrationBuilder $b): void @@ -363,11 +360,11 @@ final class M260112125812InitRbac implements RevertibleMigrationInterface $this->manager->revokeAll(2); $this->manager->revokeAll(1); - $this->manager->removeRole($this->roleAdmin); - $this->manager->removeRole($this->roleAuthor); + $this->manager->removeRole(M260112125812InitRbac::ROLE_ADMIN); + $this->manager->removeRole(M260112125812InitRbac::ROLE_AUTHOR); - $this->manager->removePermission($this->createPostPermission); - $this->manager->removePermission($this->updatePostPermission); + $this->manager->removePermission(M260112125812InitRbac::CREATE_POST_PERMISSION); + $this->manager->removePermission(M260112125812InitRbac::UPDATE_POST_PERMISSION); } } ``` From 017a31dea6f5a89400f98aefe06f95b735cbca57 Mon Sep 17 00:00:00 2001 From: klsoft-web Date: Fri, 16 Jan 2026 11:00:20 +0300 Subject: [PATCH 4/5] The 'Assigning roles to users' section is refactored --- src/guide/security/authorization.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/guide/security/authorization.md b/src/guide/security/authorization.md index e1b5a23c..c6645503 100644 --- a/src/guide/security/authorization.md +++ b/src/guide/security/authorization.md 
@@ -396,9 +396,10 @@ public function signup()
 $user->save(false);
 // the following three lines were added:
- $auth = \Yii::$app->authManager;
- $authorRole = $auth->getRole('author');
- $auth->assign($authorRole, $user->getId());
+ $authorRole = $this->manager->getRole('author');
+ if ($authorRole !== null) {
+ $this->manager->assign($authorRole->getName(), $user->getId());
+ }
 return $user;
 }
From f12a33b60d74cc4647956a48588472e774ad6762 Mon Sep 17 00:00:00 2001
From: klsoft-web
Date: Fri, 16 Jan 2026 12:52:37 +0300
Subject: [PATCH 5/5] Update authorization.md
---
 src/guide/security/authorization.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/guide/security/authorization.md b/src/guide/security/authorization.md
index c6645503..853216ff 100644
--- a/src/guide/security/authorization.md
+++ b/src/guide/security/authorization.md
@@ -409,7 +409,7 @@ public function signup()
 ```
 For applications that require complex access control with dynamically updated authorization data
-(such as an admin panel), you many need to develop special user interfaces using APIs offered by `authManager`.
+(such as an admin panel), you many need to develop special user interfaces using APIs offered by `Yiisoft\Rbac\Manager`.
 ### Using rules