Fixes #5435: Added extra checks to `yii\rbac\DbManager` to prevent database…

framework/CHANGELOG.md

@@ -15,6 +15,7 @@ Yii Framework 2 Change Log
 - Bug #5379: `Module::afterAction()` was called even when `beforeAction()` returned false (cebe)
 - Bug #5423: `yii\behaviors\Cors` causes "undefined index" error when its `cors` is configured (qiangxue) 
 - Bug #5424: `Html::addCssStyle()` wasn't correctly setting style passed in array (kartik-v, samdark)
+- Bug #5435: Added extra checks to `yii\rbac\DbManager` to prevent database exceptions when `$userId` is empty (samdark) 
 - Bug: Date and time formatting now assumes UTC as the timezone for input dates unless a timezone is explicitly given (cebe)
 - Enh #4040: Added `$viewFile` and `$params` to the `EVENT_BEFORE_RENDER` and `EVENT_AFTER_RENDER` events for `View` (qiangxue) 
 - Enh #4275: Added `removeChildren()` to `yii\rbac\ManagerInterface` and implementations (samdark)

framework/rbac/DbManager.php

@@ -342,6 +342,10 @@ class DbManager extends BaseManager
      */
     public function getRolesByUser($userId)
     {
+        if (empty($userId)) {
+            return [];
+        }
+
         $query = (new Query)->select('b.*')
             ->from(['a' => $this->assignmentTable, 'b' => $this->itemTable])
             ->where('a.item_name=b.name')
@@ -381,6 +385,10 @@ class DbManager extends BaseManager
      */
     public function getPermissionsByUser($userId)
     {
+        if (empty($userId)) {
+            return [];
+        }
+
         $query = (new Query)->select('item_name')
             ->from($this->assignmentTable)
             ->where(['user_id' => (string)$userId]);
@@ -469,6 +477,10 @@ class DbManager extends BaseManager
      */
     public function getAssignment($roleName, $userId)
     {
+        if (empty($userId)) {
+            return null;
+        }
+
         $row = (new Query)->from($this->assignmentTable)
             ->where(['user_id' => (string)$userId, 'item_name' => $roleName])
             ->one($this->db);
@@ -489,6 +501,10 @@ class DbManager extends BaseManager
      */
     public function getAssignments($userId)
     {
+        if (empty($userId)) {
+            return [];
+        }
+
         $query = (new Query)
             ->from($this->assignmentTable)
             ->where(['user_id' => (string)$userId]);
@@ -623,6 +639,10 @@ class DbManager extends BaseManager
      */
     public function revoke($role, $userId)
     {
+        if (empty($userId)) {
+            return false;
+        }
+
         return $this->db->createCommand()
             ->delete($this->assignmentTable, ['user_id' => (string)$userId, 'item_name' => $role->name])
             ->execute() > 0;
@@ -633,6 +653,10 @@ class DbManager extends BaseManager
      */
     public function revokeAll($userId)
     {
+        if (empty($userId)) {
+            return false;
+        }
+
         return $this->db->createCommand()
             ->delete($this->assignmentTable, ['user_id' => (string)$userId])
             ->execute() > 0;