Are BizRules (Business Rules) in RBAC really safe?

The idea of BizRules in RBAC (Role Based Access Control) makes me feel sick. It is basically a way to define a script to run against data during authorization.

For example, Yii framework supports it: http://www.yiiframework.com/doc/api/1.1/CAuthManager#createRole-detail

public CAuthItem createRole(string $name, string $description='', string $bizRule=NULL, mixed $data=NULL)

Here's the source code for executing a business rule:

    /**
     * Execute开发者_StackOverflow中文版s the specified business rule.
     * @param string $bizRule the business rule to be executed.
     * @param array $params parameters passed to {@link IAuthManager::checkAccess}.
     * @param mixed $data additional data associated with the authorization item or assignment.
     * @return boolean whether the business rule returns true.
     * If the business rule is empty, it will still return true.
     */
    public function executeBizRule($bizRule,$params,$data)
    {
            return $bizRule==='' || $bizRule===null || ($this->showErrors ? eval($bizRule)!=0 : @eval($bizRule)!=0);
    }

So, you can do things like:

    // Assume this bizRule: $bizRule='return Yii::app()->user->id==$params["post"]->authID;';
    Yii::app()->user->checkAccess('createUser', array('post' => $post));

It basically evals the bizRule having the $params set to the given array in its context.

I don't like those business rules in terms of security. Is there a better way of doing it?

---

Maybe it will help somebody, if you have php 5.3 I think you can use LambdaFunctions

$bizRule = function ($param) { return $param[1] = $param[2]};