Ilko Kacharov, profile picture
Uploaded byIlko Kacharov
PDF, PPTX5,518 views

Yii Framework Security

The document discusses authentication and authorization in the Yii framework, including its core application components like authentication manager and access control, as well as authorization approaches like role-based access control and access control lists. Yii provides tools for user authentication, defining user roles and permissions, and controlling access to application functions and data.

Technology
In this document
Powered by AI

Introduction to Yii Framework focusing on application security with emphasis on authentication and authorization.

Highlights advantages of Yii including good documentation, rapid community growth, performance, and ease of configuration.

Discussion of performance measurements like RPS and APC to enhance application response rates.

Overview of core application components such as request, authentication, caching, and security in Yii.

Details the application lifecycle in Yii, outlining the workflow from initialization to request handling.

Explanation of authentication as a process to securely identify users in applications.

Explanation of authorization verifying user permissions for accessing resources.

Definition and role of ACLs in granting user access to specific system objects.

Defines RBAC principles including role assignment, authorization, and permission management.

Steps necessary for securing Yii applications including defining identity and managing roles.

Example code for the authenticate method showcasing user validation against the database.

Links to documentation, forums, resources, references, installation requirements, and licensing for Yii.

Download as PDF, PPTX
Application Security with Yii Framework Authentication and Authorization Ilko Kacharov | kachar136@gmail.com
Advantages of the framework 1. Very good documentation and many examples 2. Yii community is growing rapidly, has many free extensions 3. Easy approach to develop modules and components 4. Model, Controller, Module code generation tool may be used with custom code templates. 5. Abstract(static) component/module access Yii::app()->getComponent('db'); Yii::app()->getModule('ocstats'); 6. It gives great power with strong code controlling, 100% true OOP framework, push-pull MVC 7. It is super fast because of the usage of autoloading functions 8. Easy configuration in php array, application may be started with different configs. 9. Easy to extend / customize, simple code structure 10. Yii Authentication API for multi-channel login, easy to extend, SOAP support 11. User Access Control using different schemes like RBAC, ACL 12. Web services and console applications can be build as easy as web apps. 13. Easy form creation and form validation (client and server side), built-in ajax support 14. Easy to setup database connections and database migrations. Query builder or plain queries 15. Easy to use CRUD functions (create,read,update,delete) Article::model()->findByPk() 16. Many ready to use web widgets and tools like menus, action tables, calendars, etc. 17. Integration with twitter bootstrap css layouts and js widgets (http://yii-booster.clevertech.biz/) 18. Multiple plain PHP layouts, templates and partial templates. 19. Automatic javascript/css registering and including in the main layout from anywhere 20. Friendly with third-party code 21. Internationalisation and translations module by module in php arrays, string extraction tool 22. Error handling and logging
Performance RPS (requests per second) means how many requests an application written in a framework can process per second and APC stands for Alternative PHP Cache, a caching component used for increase of application performance (in comparison to the same metering with this extension turned off). http://www.yiiframework.com/performance/
Core Application Components Yii predefines a set of core application components to provide features common among Web applications. For example, the request component is used to resolve user requests and provide information such as URL, cookies. By configuring the properties of these core components, we can change the default behaviors of Yii in nearly every aspect. Below we list the core components that are pre-declared by CWebApplication. assetManager: CAssetManager - manages the publishing of private asset files. authManager: CAuthManager - manages role-based access control (RBAC). cache: CCache - provides data caching functionality. clientScript: CClientScript - manages client scripts (javascripts and CSS). coreMessages: CPhpMessageSource - provides translated core messages used by Yii framework. db: CDbConnection - provides the database connection. errorHandler: CErrorHandler - handles uncaught PHP errors and exceptions. messages: CPhpMessageSource - provides translated messaged used by Yii application. request: CHttpRequest - provides information related with user requests. securityManager: CSecurityManager - provides security-related services, such as hashing, encryption. session: CHttpSession - provides session-related functionalities. statePersister: CStatePersister - provides global state persistence method. urlManager: CUrlManager - provides URL parsing and creation functionality. user: CWebUser - represents the identity information of the current user. themeManager: CThemeManager - manages themes. and others...
Application life cycle The following diagram shows a typical workflow of The following diagram shows the static structure of an Yii an Yii application when it is handling a user app: request: 1. Pre-initializes the application with CApplication::preinit(); 2. Set up class autoloader and error handling; 3. Register core application components; 4. Load application configuration; 5. Initialize the application with CApplication::init() - Register application behaviors; - Load static application components; 6. Raise onBeginRequest event; 7. Process the user request: - Resolve the user request; - Create controller; - Run controller; http://www.hooto.com/media/image/view/?id=919&style=full
Authentication Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions: Who is the user? Is the user really who he/she represents himself to be?
Authorization Authorization verifies what you have the permissions you need to access an object. It is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. ● Is user X authorized to access resource R? ● Is user X authorized to perform operation P? ● Is user X authorized to perform operation P on resource R?
Access Control Lists An access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects
Role-Based Access Control Role-based access control (RBAC) is an approach to restricting system access to authorized users. Three primary rules are defined for RBAC: 1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role. 2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized. 3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role.
Role-Based Access Control When defining an RBAC model, the following conventions are useful: ● Subject = A person or automated agent ● Role = Job function or title which defines an authority level ● Permissions = An approval of a mode of access to a resource ● Session = A mapping involving S, R and/or P ● Subject Assignment ● Permission Assignment ● Partially ordered Role Hierarchy
Steps to secure an Yii Application 1. Defining Identity Class 2. Login and Logout 3. Cookie-based Login 4. Access Control Filter 5. Handling Authorization Result 6. Role-Based Access Control 7. Configuring Authorization Manager 8. Defining Authorization Hierarchy 9. Using Business Rules
Authenticate method in Yii Application public function authenticate() { $record=User::model()->findByAttributes(array('username'=>$this->username)); if($record===null) $this->errorCode=self::ERROR_USERNAME_INVALID; else if($record->password!==crypt($this->password,$record->password)) $this->errorCode=self::ERROR_PASSWORD_INVALID; else { $this->_id=$record->id; $this->setState('title', $record->title); $this->errorCode=self::ERROR_NONE; } return !$this->errorCode; }
API, documentation and community The Definitive http://www.yiiframework.com/doc/guide/ Guide to Yii GitHub https://github.com/yiisoft/yii/commits/master Forum http://www.yiiframework.com/forum/ Total Posts: 173,083 Total Members: 61,015 Active users at time of visit: 320 International treads: 20 Languages (incl. BG) IRC Channel http://www.yiiframework.com/chat/ Active users at time of visit: 90 Yii Books http://www.seesawlabs.com/yii-book http://yii.larryullman.com/toc.php http://yiicookbook.org/ http://packtlib.packtpub.com/library/9781847199584 IDE integrations Integrations with code completion, templates testing and debugging: NetBeans Eclipse PhpStorm Nusphere phpEd
Links Official website http://www.yiiframework.com/ Definitive Guide to Yii En/Ru http://yiiframework.ru/ Yii API and Class Reference http://www.yiiframework.com/doc/api/ Extensions Library (over 1k) http://www.yiiframework.com/extensions/ Yii General Forum (60k users) http://www.yiiframework.com/forum/ Yii Cheat sheet (quick reference) http://static.yiiframework.com/files/yii-1.0-cheatsheet.pdf Yii Related Sites http://www.yiiframework.com/wiki/98/yii-related-sites/
References D.R. Kuhn (1998). "Role Based Access Control on MLS Systems Without Kernel Changes" (PDF). Third ACM Workshop on Role Based Access Control. pp. 25–32. A.C. O'Connor and R.J. Loomis (December 2010) (PDF). Economic Analysis of Role-Based Access Control. Research Triangle Institute. John Mitchell. "Access Control and Operating System Security" Michael Clarkson. "Access Control"
License and requirements Yii is an open source project released under the terms of the BSD License. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: ● Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. ● Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. ● Neither the name of Yii Software LLC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. Requirement: PHP 5.1.0 or above Clevertech are currently actively developing their next major version 2.0. Yii 2.0 will be rebuilt on top of PHP 5.3.0+ and is aimed to become a state-of-the-art of the new generation of PHP framework. They advise: "If you have a new project to develop on Yii, do not wait for 2.0 as it will still take considerable time to reach the production quality." Installation: Installation of Yii mainly involves the following three steps: 1. Download Yii Framework from yiiframework.com or github repo (newest) 2. Unpack the Yii release file to any directory. (ex. /opt/yii/) 3. Link your application with the framework source

More Related Content

PPT
Introduction to YII framework
byNaincy Gupta
 
PPTX
Threat hunting using notebook technologies
byAshwin Patil, GCIH, GCIA, GCFE
 
PPTX
artificial intelligence that covers frames
bypicnew83
 
PDF
Autopsy 3.0 - Open Source Digital Forensics Conference
byBasis Technology
 
PPTX
Internet of things security "Hardware Security"
byAhmed Mohamed Mahmoud
 
PDF
Symbolic Mathematics, Neural Networks in AI.pdf
byCS With Logic
 
PPTX
Cuckoo Search & Firefly Algorithms
byMustafa Salam
 
PPTX
Working principle of dda and bresenham line drawing explaination with example
byAashish Adhikari
 
Introduction to YII framework
byNaincy Gupta
 
Threat hunting using notebook technologies
byAshwin Patil, GCIH, GCIA, GCFE
 
artificial intelligence that covers frames
bypicnew83
 
Autopsy 3.0 - Open Source Digital Forensics Conference
byBasis Technology
 
Internet of things security "Hardware Security"
byAhmed Mohamed Mahmoud
 
Symbolic Mathematics, Neural Networks in AI.pdf
byCS With Logic
 
Cuckoo Search & Firefly Algorithms
byMustafa Salam
 
Working principle of dda and bresenham line drawing explaination with example
byAashish Adhikari
 

Viewers also liked

PPTX
Yii framework
byLeena Roja
 
PPTX
Computer forensic ppt
byPriya Manik
 
PPT
Netbeans IDE & Platform
byAatul Palandurkar
 
PPTX
heliodisplay
bykriticka sharma
 
PPTX
Informatics Practices Chapter 2 Open Source Software Concepts Class 12th
byHarsh Mathur
 
PDF
Intrusion in computing
byEduardo Cambinda
 
PPTX
Heliodisplay
byAbhay Nigam
 
PPTX
Cybersquatting
bylizzielith
 
PPTX
AirBar Sensor
bySukhbeer Singh
 
PPTX
Z force touch screen technology
bylokesh naidu
 
PPTX
Neonode's zForce Air Technology
byAshish Kumar
 
PDF
Collapse of angolan banking system copy
byEduardo Cambinda
 
PPTX
Spoof Text
byMagistra Dwinovia Indriani
 
PPTX
Open Source Software Concepts
byJITENDRA LENKA
 
PPTX
heliodisplay
byRashid VM
 
PPTX
Heliodisplay
byShruti Bhardwaj
 
PDF
What's behind facebook
byAjen 陳
 
PPTX
Network Security July 1
byJd Mercado
 
PPTX
Cyberpunk
byhidralisko
 
PPTX
CyberPunk
byFabio Silva
 
Yii framework
byLeena Roja
 
Computer forensic ppt
byPriya Manik
 
Netbeans IDE & Platform
byAatul Palandurkar
 
heliodisplay
bykriticka sharma
 
Informatics Practices Chapter 2 Open Source Software Concepts Class 12th
byHarsh Mathur
 
Intrusion in computing
byEduardo Cambinda
 
Heliodisplay
byAbhay Nigam
 
Cybersquatting
bylizzielith
 
AirBar Sensor
bySukhbeer Singh
 
Z force touch screen technology
bylokesh naidu
 
Neonode's zForce Air Technology
byAshish Kumar
 
Collapse of angolan banking system copy
byEduardo Cambinda
 
Spoof Text
byMagistra Dwinovia Indriani
 
Open Source Software Concepts
byJITENDRA LENKA
 
heliodisplay
byRashid VM
 
Heliodisplay
byShruti Bhardwaj
 
What's behind facebook
byAjen 陳
 
Network Security July 1
byJd Mercado
 
Cyberpunk
byhidralisko
 
CyberPunk
byFabio Silva
 

Similar to Yii Framework Security

PPTX
Yii2
byRajat Gupta
 
PPT
Yii php framework_honey
byHoneyson Joseph
 
PPTX
Yii2
byAndrii Lagovskiy
 
PDF
Web Application Development with Yii and PHP 2nd Revised ed. Edition Jeffrey ...
byyttrdhlsud173
 
PDF
Web Application Development with Yii and PHP 2nd Revised ed. Edition Jeffrey ...
bysadijagagean
 
PDF
Get things done with Yii - quickly build webapplications
byGiuliano Iacobelli
 
PDF
Introduce Yii
byzakieh alizadeh
 
PPTX
yii framework
byAkhil Kumar
 
PDF
Introduction Yii Framework
byTuan Nguyen
 
PPT
10 reasons to choose the yii framework
byjananya213
 
KEY
Yii Framework
byJason Ragsdale
 
ZIP
Fwdtechseminars
byPrânith Kumâr
 
PPTX
P H P Framework
byAnimesh Kumar
 
PPTX
Introduction to Yii & performance comparison with Drupal
bycadet018
 
PPSX
Yii framework
byMohammed Saqib
 
PPTX
yii1
byRajat Gupta
 
PPTX
Yii Development
byjananya213
 
PDF
Yii Framework in the RAD context + Mashup demo built on YII
byGeorge-Leonard Chetreanu
 
KEY
Yii Introduction
byJason Ragsdale
 
ODP
Yii Framework - Do we really need another php framework?
byJoachim Eckert
 
Yii2
byRajat Gupta
 
Yii php framework_honey
byHoneyson Joseph
 
Yii2
byAndrii Lagovskiy
 
Web Application Development with Yii and PHP 2nd Revised ed. Edition Jeffrey ...
byyttrdhlsud173
 
Web Application Development with Yii and PHP 2nd Revised ed. Edition Jeffrey ...
bysadijagagean
 
Get things done with Yii - quickly build webapplications
byGiuliano Iacobelli
 
Introduce Yii
byzakieh alizadeh
 
yii framework
byAkhil Kumar
 
Introduction Yii Framework
byTuan Nguyen
 
10 reasons to choose the yii framework
byjananya213
 
Yii Framework
byJason Ragsdale
 
Fwdtechseminars
byPrânith Kumâr
 
P H P Framework
byAnimesh Kumar
 
Introduction to Yii & performance comparison with Drupal
bycadet018
 
Yii framework
byMohammed Saqib
 
yii1
byRajat Gupta
 
Yii Development
byjananya213
 
Yii Framework in the RAD context + Mashup demo built on YII
byGeorge-Leonard Chetreanu
 
Yii Introduction
byJason Ragsdale
 
Yii Framework - Do we really need another php framework?
byJoachim Eckert
 

Recently uploaded

PDF
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
PDF
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
PDF
API Days Australia - API Management in the AI Era
byNilesh Gule
 
PDF
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
PDF
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 
PDF
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
PPTX
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
PPTX
Practical tips for keeping your C# code base clean
byDennis Doomen
 
PPTX
Building Smarter Integrations with MuleSoft_ MCP Server and Cursor in Action ...
byKunal Gupta
 
PPTX
Assignment Review and Accessibility Audit Findings.pptx
byJulia Undeutsch
 
PDF
Transform Your Online Store with AltiusNxt AI Enriched data
byAltiusNxt Technologies
 
PDF
How UK Employers Are Simplifying Entry-Level Hiring with Day One Jobs
byDay One Talent Solutions Ltd
 
PDF
Data Center Exit to Cloud _ Managed Datacenter Migration.pdf
byAstuteBusiness
 
PDF
2025 AI Adoption Report: Gen AI Fast-Tracks Into the Enterprise
byRazin Mustafiz
 
PDF
OpenObserve as a replacement for Elasticsearch
byAlireza Kamrani
 
PDF
The new commer in Oracle memory architecture _Database Box).pdf
byAlireza Kamrani
 
PDF
NPTEL Assignment Completed PDF FILE with ans
byadultme43
 
PDF
Upskill to Agentic Automation - Working Smarter with AI: Real-World Tools for...
byDianaGray10
 
PDF
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
PDF
PDF Security Intelligence Platform | Cybersecurity Project by Ashish Patil
byAshishPatil495087
 
Devfest Harare 2025 Slides [GDG Harare] - Combined Slide Deck
byGoogle Developer Group - Harare
 
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
API Days Australia - API Management in the AI Era
byNilesh Gule
 
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
Spec Driven Development with Kiro: Ensuring Quality and Traceability in the A...
byHaim Michael
 
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
Practical tips for keeping your C# code base clean
byDennis Doomen
 
Building Smarter Integrations with MuleSoft_ MCP Server and Cursor in Action ...
byKunal Gupta
 
Assignment Review and Accessibility Audit Findings.pptx
byJulia Undeutsch
 
Transform Your Online Store with AltiusNxt AI Enriched data
byAltiusNxt Technologies
 
How UK Employers Are Simplifying Entry-Level Hiring with Day One Jobs
byDay One Talent Solutions Ltd
 
Data Center Exit to Cloud _ Managed Datacenter Migration.pdf
byAstuteBusiness
 
2025 AI Adoption Report: Gen AI Fast-Tracks Into the Enterprise
byRazin Mustafiz
 
OpenObserve as a replacement for Elasticsearch
byAlireza Kamrani
 
The new commer in Oracle memory architecture _Database Box).pdf
byAlireza Kamrani
 
NPTEL Assignment Completed PDF FILE with ans
byadultme43
 
Upskill to Agentic Automation - Working Smarter with AI: Real-World Tools for...
byDianaGray10
 
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
PDF Security Intelligence Platform | Cybersecurity Project by Ashish Patil
byAshishPatil495087
 

Yii Framework Security

  • 1.
    Application Security withYii Framework Authentication and Authorization Ilko Kacharov | [email protected]
  • 2.
    Advantages of theframework 1. Very good documentation and many examples 2. Yii community is growing rapidly, has many free extensions 3. Easy approach to develop modules and components 4. Model, Controller, Module code generation tool may be used with custom code templates. 5. Abstract(static) component/module access Yii::app()->getComponent('db'); Yii::app()->getModule('ocstats'); 6. It gives great power with strong code controlling, 100% true OOP framework, push-pull MVC 7. It is super fast because of the usage of autoloading functions 8. Easy configuration in php array, application may be started with different configs. 9. Easy to extend / customize, simple code structure 10. Yii Authentication API for multi-channel login, easy to extend, SOAP support 11. User Access Control using different schemes like RBAC, ACL 12. Web services and console applications can be build as easy as web apps. 13. Easy form creation and form validation (client and server side), built-in ajax support 14. Easy to setup database connections and database migrations. Query builder or plain queries 15. Easy to use CRUD functions (create,read,update,delete) Article::model()->findByPk() 16. Many ready to use web widgets and tools like menus, action tables, calendars, etc. 17. Integration with twitter bootstrap css layouts and js widgets (http://yii-booster.clevertech.biz/) 18. Multiple plain PHP layouts, templates and partial templates. 19. Automatic javascript/css registering and including in the main layout from anywhere 20. Friendly with third-party code 21. Internationalisation and translations module by module in php arrays, string extraction tool 22. Error handling and logging
  • 3.
    Performance RPS (requests persecond) means how many requests an application written in a framework can process per second and APC stands for Alternative PHP Cache, a caching component used for increase of application performance (in comparison to the same metering with this extension turned off). http://www.yiiframework.com/performance/
  • 4.
    Core Application Components Yiipredefines a set of core application components to provide features common among Web applications. For example, the request component is used to resolve user requests and provide information such as URL, cookies. By configuring the properties of these core components, we can change the default behaviors of Yii in nearly every aspect. Below we list the core components that are pre-declared by CWebApplication. assetManager: CAssetManager - manages the publishing of private asset files. authManager: CAuthManager - manages role-based access control (RBAC). cache: CCache - provides data caching functionality. clientScript: CClientScript - manages client scripts (javascripts and CSS). coreMessages: CPhpMessageSource - provides translated core messages used by Yii framework. db: CDbConnection - provides the database connection. errorHandler: CErrorHandler - handles uncaught PHP errors and exceptions. messages: CPhpMessageSource - provides translated messaged used by Yii application. request: CHttpRequest - provides information related with user requests. securityManager: CSecurityManager - provides security-related services, such as hashing, encryption. session: CHttpSession - provides session-related functionalities. statePersister: CStatePersister - provides global state persistence method. urlManager: CUrlManager - provides URL parsing and creation functionality. user: CWebUser - represents the identity information of the current user. themeManager: CThemeManager - manages themes. and others...
  • 5.
    Application life cycle The following diagram shows a typical workflow of The following diagram shows the static structure of an Yii an Yii application when it is handling a user app: request: 1. Pre-initializes the application with CApplication::preinit(); 2. Set up class autoloader and error handling; 3. Register core application components; 4. Load application configuration; 5. Initialize the application with CApplication::init() - Register application behaviors; - Load static application components; 6. Raise onBeginRequest event; 7. Process the user request: - Resolve the user request; - Create controller; - Run controller; http://www.hooto.com/media/image/view/?id=919&style=full
  • 6.
    Authentication Authentication isthe mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions: Who is the user? Is the user really who he/she represents himself to be?
  • 7.
    Authorization Authorization verifies whatyou have the permissions you need to access an object. It is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. ● Is user X authorized to access resource R? ● Is user X authorized to perform operation P? ● Is user X authorized to perform operation P on resource R?
  • 8.
    Access Control Lists Anaccess control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects
  • 9.
    Role-Based Access Control Role-based access control (RBAC) is an approach to restricting system access to authorized users. Three primary rules are defined for RBAC: 1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role. 2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized. 3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role.
  • 10.
    Role-Based Access Control Whendefining an RBAC model, the following conventions are useful: ● Subject = A person or automated agent ● Role = Job function or title which defines an authority level ● Permissions = An approval of a mode of access to a resource ● Session = A mapping involving S, R and/or P ● Subject Assignment ● Permission Assignment ● Partially ordered Role Hierarchy
  • 11.
    Steps to securean Yii Application 1. Defining Identity Class 2. Login and Logout 3. Cookie-based Login 4. Access Control Filter 5. Handling Authorization Result 6. Role-Based Access Control 7. Configuring Authorization Manager 8. Defining Authorization Hierarchy 9. Using Business Rules
  • 12.
    Authenticate method inYii Application public function authenticate() { $record=User::model()->findByAttributes(array('username'=>$this->username)); if($record===null) $this->errorCode=self::ERROR_USERNAME_INVALID; else if($record->password!==crypt($this->password,$record->password)) $this->errorCode=self::ERROR_PASSWORD_INVALID; else { $this->_id=$record->id; $this->setState('title', $record->title); $this->errorCode=self::ERROR_NONE; } return !$this->errorCode; }
  • 13.
    API, documentation andcommunity The Definitive http://www.yiiframework.com/doc/guide/ Guide to Yii GitHub https://github.com/yiisoft/yii/commits/master Forum http://www.yiiframework.com/forum/ Total Posts: 173,083 Total Members: 61,015 Active users at time of visit: 320 International treads: 20 Languages (incl. BG) IRC Channel http://www.yiiframework.com/chat/ Active users at time of visit: 90 Yii Books http://www.seesawlabs.com/yii-book http://yii.larryullman.com/toc.php http://yiicookbook.org/ http://packtlib.packtpub.com/library/9781847199584 IDE integrations Integrations with code completion, templates testing and debugging: NetBeans Eclipse PhpStorm Nusphere phpEd
  • 14.
    Links Official website http://www.yiiframework.com/ Definitive Guide to Yii En/Ru http://yiiframework.ru/ Yii API and Class Reference http://www.yiiframework.com/doc/api/ Extensions Library (over 1k) http://www.yiiframework.com/extensions/ Yii General Forum (60k users) http://www.yiiframework.com/forum/ Yii Cheat sheet (quick reference) http://static.yiiframework.com/files/yii-1.0-cheatsheet.pdf Yii Related Sites http://www.yiiframework.com/wiki/98/yii-related-sites/
  • 15.
    References D.R. Kuhn (1998)."Role Based Access Control on MLS Systems Without Kernel Changes" (PDF). Third ACM Workshop on Role Based Access Control. pp. 25–32. A.C. O'Connor and R.J. Loomis (December 2010) (PDF). Economic Analysis of Role-Based Access Control. Research Triangle Institute. John Mitchell. "Access Control and Operating System Security" Michael Clarkson. "Access Control"
  • 16.
    License and requirements Yiiis an open source project released under the terms of the BSD License. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: ● Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. ● Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. ● Neither the name of Yii Software LLC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. Requirement: PHP 5.1.0 or above Clevertech are currently actively developing their next major version 2.0. Yii 2.0 will be rebuilt on top of PHP 5.3.0+ and is aimed to become a state-of-the-art of the new generation of PHP framework. They advise: "If you have a new project to develop on Yii, do not wait for 2.0 as it will still take considerable time to reach the production quality." Installation: Installation of Yii mainly involves the following three steps: 1. Download Yii Framework from yiiframework.com or github repo (newest) 2. Unpack the Yii release file to any directory. (ex. /opt/yii/) 3. Link your application with the framework source