I had a similar desire in one of my projects, but I did not create my own complete RBAC system; instead, I rewrote the role-checking method.
In my User component class, I extend \yii\web\User and also override the can() function of this class. This allows me to use my own way of checking the appropriate permissions. For instance:
    <?php

    namespace app\modules\users\models;

    use Yii;
    use yii\web\User as WebUser;
    use app\modules\users\models\UserPermissionManager;

    class User extends WebUser
    {
        public function can($operation, $params = [], $allowCaching = true)
        {
            // Guests never have any permissions.
            if (Yii::$app->user->isGuest) {
                return false;
            }

            // Delegate the decision to the custom permission lookup.
            return (new UserPermissionManager())->has($operation);
        }
    }
In the UserPermissionManager class, it queries a database table full of permissions such as "users: access", "users: edit", etc.
They all have a specific user level assigned to them, which refers to the user level that I set in my users database table.
All the can() function should do is return true or false, depending on whether this user has permission to do what you set. You can handle it as you like.
This is a pretty big system to fully explain in one post, but I hope this helps a bit, feel free to let me know if I can explain anything better!
Lynch
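The permission lookup described in the answer above, as an added example that is not the poster's code: a stand-in UserPermissionManager whose has() denies guests and unknown permission names by default and reads the required level through a bound parameter. The table and column names, the constructor arguments, and the rule that a user's level must be at least the permission's level are assumptions; it needs PHP 8 with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the answer's UserPermissionManager. Table name,
// column names and the "user level >= required level" rule are assumptions.
final class UserPermissionManager
{
    public function __construct(private PDO $db, private ?int $userLevel) {}

    public function has(string $operation): bool
    {
        if ($this->userLevel === null) {
            return false; // guest: no level, no permissions
        }
        // Bound parameter: the operation name is never concatenated into SQL.
        $stmt = $this->db->prepare(
            'SELECT required_level FROM permissions WHERE name = :name'
        );
        $stmt->execute([':name' => $operation]);
        $required = $stmt->fetchColumn();
        if ($required === false) {
            return false; // unknown permission name: deny by default
        }
        return $this->userLevel >= (int) $required;
    }
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE permissions (name TEXT PRIMARY KEY, required_level INTEGER NOT NULL)');
$db->exec("INSERT INTO permissions VALUES ('users: access', 1), ('users: edit', 5)");

$member = new UserPermissionManager($db, 1);
$admin  = new UserPermissionManager($db, 5);
$guest  = new UserPermissionManager($db, null);

var_dump($member->has('users: access')); // level 1 against required level 1
var_dump($member->has('users: edit'));   // level 1 against required level 5
var_dump($admin->has('users: edit'));    // level 5 against required level 5
var_dump($guest->has('users: access'));  // guest
var_dump($admin->has('users: delete'));  // name not present in the table
```

Because the overridden can() shown in the answer ignores $params and never consults Yii's authManager, a lookup like this becomes the only authorization gate, so a missing row or a query failure has to resolve to a denial rather than an allow.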