Perfection is achieved, not when there is nothing to add,
but when there is nothing to remove.

Antoine de Saint-Exupéry

  1. Defining Identity Class
  2. Login and Logout
  3. Cookie-based Login
  4. Access Control Filter
  5. Handling Authorization Result
  6. Role-Based Access Control
  7. Configuring Authorization Manager
  8. Defining Authorization Hierarchy
  9. Using Business Rules

Authentication and authorization are required for a Web page that should be limited to certain users. Authentication is about verifying whether someone is who they claim to be. It usually involves a username and a password, but may include any other method of demonstrating identity, such as a smart card, fingerprints, etc. Authorization is finding out whether the person, once identified (i.e. authenticated), is permitted to manipulate specific resources. This is usually determined by finding out whether that person has a particular role that grants access to those resources.

Yii has a built-in authentication/authorization (auth) framework which is easy to use and can be customized for special needs.

The central piece in the Yii auth framework is a pre-declared user application component which is an object implementing the IWebUser interface. The user component represents the persistent identity information for the current user. We can access it at any place using Yii::app()->user.

Using the user component, we can check if a user is logged in or not via CWebUser::isGuest; we can login and logout a user; we can check if the user can perform specific operations by calling CWebUser::checkAccess; and we can also obtain the unique identifier and other persistent identity information about the user.
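The following controller, added here as an illustration and not taken from the Yii guide or the framework's own code, shows how those calls on the user component fit together in a single action: the authentication check (`isGuest`), the authorization check (`checkAccess`), and the persistent identity information (`id`, `name`). `PostController`, the `updatePost` operation name, the `Post` model and the `loadPost()` helper are assumptions made for the example; `Yii::app()->user`, `isGuest`, `checkAccess()`, `loginRequired()`, `logout()`, `id` and `name` are the real `CWebUser` API.

```php
<?php
// Added example (not from the Yii guide). PostController, the 'updatePost'
// operation, the Post model and loadPost() are assumptions for illustration.
class PostController extends CController
{
    public function actionUpdate($id)
    {
        $user = Yii::app()->user;

        // Authentication check: is anyone logged in at all?
        if ($user->isGuest) {
            // Redirects to CWebUser::loginUrl and remembers the current URL
            // so the user is sent back here after logging in.
            $user->loginRequired();
            return;
        }

        // Authorization check: may this authenticated user perform the
        // operation? The second argument is handed to business rules (see
        // "Using Business Rules" below), so a rule can compare the post's
        // author with the current user. Access is denied unless a matching
        // authorization item grants it.
        $post = $this->loadPost($id);
        if (!$user->checkAccess('updatePost', array('post' => $post))) {
            throw new CHttpException(403, 'You are not allowed to update this post.');
        }

        // Persistent identity information lives on the same component.
        Yii::log("User {$user->name} (id {$user->id}) is updating post {$id}",
                 CLogger::LEVEL_INFO, 'application.post');

        // ... handle the submitted form and save $post ...
    }

    public function actionLogout()
    {
        // Destroys the identity (and, by default, the session) for this user.
        Yii::app()->user->logout();
        $this->redirect(Yii::app()->homeUrl);
    }

    // Assumed helper, not part of the framework: 404 when the record is missing.
    protected function loadPost($id)
    {
        $post = Post::model()->findByPk($id);
        if ($post === null) {
            throw new CHttpException(404, 'The requested post does not exist.');
        }
        return $post;
    }
}
```

Two points in this layout matter for access control: a guest is redirected to the login page, while an authenticated user who lacks permission gets a 403 rather than a redirect, so the two failure modes are distinguishable in logs; and `checkAccess()` is evaluated on every request, so the decision always reflects the current authorization data rather than something cached in the session at login time.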