 

Can Yii2 RBAC permissions have multiple rules?

It's my first time working with Yii2's RBAC system. I used http://www.yiiframework.com/doc-2.0/guide-security-authorization.html to get myself familiar with the topic. As I needed some kind of administration for roles / permissions, I installed this extension: https://github.com/mdmsoft/yii2-admin

I'm working on an application that lets users submit articles. There are two kinds of users: Administrators and normal Users.

I created 2 roles for that purpose: an Admin role and a User role.

Users (both admins and users) must have the ability to edit articles. Admins should be able to edit any article, while users can edit only their own articles.

For that I created 2 permissions: an "Edit" permission and an "EditOwn" permission. Then I created an "IsOwner" rule and attached it to the "EditOwn" permission.

I assigned the "Edit" permission to the Admin role and "EditOwn" to the User role, and everything works great.

Now I'd like to create a "lock" status for each article. If an article is locked, a user cannot edit it even if it's his own article. Admins should be able to edit it even if it's locked.

For that I created a new rule "IsLocked", but I don't know how to add it to the "EditOwn" permission. I don't know if it's even possible to have 2 rules attached to one permission.

EDIT: Right now I have this "dealt with" in a way that I have an additional permission "EditOwnIsLocked", to which I attached the "IsLocked" rule, which is then a child of "EditOwn", which is a child of "Edit". This works, but it feels dirty and plain and simple wrong.

Ljudotina asked Oct 18 '25 15:10



1 Answer

As it turns out, there is (for now) no way to attach multiple rules to a permission.

You can deal with the need for multiple rules in the way I do right now, by creating an additional permission, attaching the rule to it and then making a child<->parent connection, or you can edit your rule to check for all situations (in my case to check for IsParent and IsLocked).

Those solutions aren't perfect, but it is what it is for now. The first solution spawns unnecessary permissions and clutters your permission list (in case you are using yii2-admin or similar extensions) but keeps your rules clean, and the second solution keeps your permission list clean but makes you retype the same code in multiple rules, which is kind of the opposite of what OOP stands for.

Ljudotina answered Oct 22 '25 04:10

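The answer's second workaround (one rule that checks every condition) wired into the parent/child hierarchy from the Yii2 authorization guide, as an added example that is not code from the question, the answer or the yii2-admin extension. Assumptions: an `app\models\Article` ActiveRecord with an integer `created_by` column and a boolean `is_locked` column; the rule, permission and role names (`ownerAndUnlocked`, `editArticle`, `editOwnArticle`, `user`, `admin`) and the helper functions `buildArticleRbac()` and `assertCanEdit()` are invented for the example. `yii\rbac\Rule::execute()`, `createPermission()`, `createRole()`, `add()`, `addChild()` and `Yii::$app->user->can()` are the real Yii2 API.

```php
<?php
namespace app\rbac;

use Yii;
use yii\rbac\Rule;
use yii\web\ForbiddenHttpException;
use app\models\Article; // assumed model: columns created_by (int), is_locked (bool)

/**
 * Single rule that checks both conditions the question needs.
 * Yii2 stores one ruleName per auth item, so "IsOwner AND !IsLocked"
 * has to live in one execute() when you want a flat permission list.
 */
class OwnerAndUnlockedRule extends Rule
{
    public $name = 'ownerAndUnlocked'; // assumed name

    /**
     * @param int|string     $user   ID of the user being checked
     * @param \yii\rbac\Item $item   the permission carrying this rule
     * @param array          $params the array passed to Yii::$app->user->can()
     * @return bool
     */
    public function execute($user, $item, $params)
    {
        // Fail closed: a missing or wrong-typed object must never grant access.
        if (!isset($params['article']) || !($params['article'] instanceof Article)) {
            return false;
        }
        $article = $params['article'];

        // Compare as strings so an int from the DB matches a string user ID.
        return (string) $article->created_by === (string) $user
            && !$article->is_locked;
    }
}

/**
 * Builds the hierarchy once (run from a console command or migration):
 *
 *   admin -> editArticle                      (no rule: any article, locked or not)
 *   user  -> editOwnArticle [ownerAndUnlocked] -> editArticle
 *
 * checkAccess() starts at the item named in can() and walks UP to its
 * parents; a parent is granted only if its rule passes AND it is reachable
 * from one of the user's assignments. For a plain user the only path from
 * editArticle goes through editOwnArticle, so the rule runs; for an admin
 * the path through the admin role has no rule, so locked or foreign
 * articles are allowed. The first workaround (chained permissions, one rule
 * each) relies on the same walk: every rule on the path has to pass.
 */
function buildArticleRbac()
{
    $auth = Yii::$app->authManager;
    $auth->removeAll(); // start clean, as the guide's RbacController does

    $rule = new OwnerAndUnlockedRule();
    $auth->add($rule);

    $editArticle = $auth->createPermission('editArticle');
    $editArticle->description = 'Edit any article, locked or not';
    $auth->add($editArticle);

    $editOwnArticle = $auth->createPermission('editOwnArticle');
    $editOwnArticle->description = 'Edit own, unlocked article';
    $editOwnArticle->ruleName = $rule->name;
    $auth->add($editOwnArticle);
    $auth->addChild($editOwnArticle, $editArticle); // editOwnArticle is the PARENT

    $user = $auth->createRole('user');
    $auth->add($user);
    $auth->addChild($user, $editOwnArticle);

    $admin = $auth->createRole('admin');
    $auth->add($admin);
    $auth->addChild($admin, $editArticle);
    $auth->addChild($admin, $user);
}

/**
 * Controller-side check. Always ask for the leaf permission (editArticle),
 * never for editOwnArticle directly: a direct check on editOwnArticle runs
 * the rule first and would deny admins on articles they do not own.
 */
function assertCanEdit(Article $article)
{
    if (!Yii::$app->user->can('editArticle', ['article' => $article])) {
        throw new ForbiddenHttpException('You are not allowed to edit this article.');
    }
}
```

Call `buildArticleRbac()` once (for example from a console command) and `assertCanEdit($article)` at the top of the update action. Note that `$auth->add($rule)` serializes the rule object into the auth store, so after changing the rule class re-run the setup or `$auth->update()` the rule.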