Accessing To The View Through Url Problem!

So I have a table file,

file(id,name,…, department_id).

I need to filter the results by the department of the current user, so he can see only the files that belong to his department.

In File.php:

    $criteria->compare('department_id', $user_department_id, true);

This works fine in view/file/index.php,

but I can still access all files from the URL; all I need to do is write the file ID in the URL.




What is the best way to fix this?

Thank you

Are the files actually in the web directory or are you serving them in an action?

Well, the files are in the web directory, but the problem is not about this.

I have a view page for every file, where you can see the file details: name, uploaded by, extension, size, note, and a download button, etc.

To access this ‘view file’ page, you normally need to click on a file in the GRIDVIEW (which is filtered by department_id), but my problem is direct access to the ‘view file’ page.

I don’t think I fully understand, but if you’re using an action, you can restrict access based on the logged in user’s information. Something like the following would probably work fine:

    $userDepartmentId = /* get user department ID here */;
    $file = File::model()->findByPk($id);
    if ($file === null)
        throw new CHttpException(404, 'File not found');
    if ($file->department_id !== $userDepartmentId)
        throw new CHttpException(403, 'Forbidden');
    /* send file here */

You can call compare multiple times; it will be added to the criteria.

    $criteria = new CDbCriteria();
    // Exact match: passing true as the third argument makes compare() use LIKE,
    // so department 1 would also match 10, 11, 21, ...
    $criteria->compare('department_id', $user_department_id);
    $criteria->compare('id', $id);
    $file = File::model()->find($criteria);
    if( ! isset( $file ) ) {
      // file not found for this department
    } else {
      // file found
    }

You have to serve the files through PHP in order to restrict access. Just compare the ID and throw an exception just like @Keith mentioned, but if you're rewriting URLs it's likely Apache/nginx is serving the files without hitting that action.

Hi there,

Yes, I am using an action to load the model, and restricting the access there, as @Keith has mentioned, is a good way to do it.

Thank you
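
The approach the replies describe, as an added example that is not code from any poster in the thread: a Yii 1.1 controller whose loadModel() scopes every lookup to the logged-in user's department, and whose download action streams the file through PHP from outside the web root. The User model, the stored_name column and the application.data.uploads alias are assumptions.

```php
<?php
// Added example for Yii 1.1. Assumed names (not from the thread): a User model with
// department_id, a File column stored_name, uploads kept under protected/data/uploads.
class FileController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }
    public function accessRules()
    {
        return array(
            array('allow', 'users' => array('@')),   // logged-in users only
            array('deny', 'users' => array('*')),
        );
    }
    // Single lookup used by every action that takes a file ID from the URL.
    protected function loadModel($id)
    {
        $user = User::model()->findByPk(Yii::app()->user->id);
        if ($user === null || $user->department_id === null)
            throw new CHttpException(403, 'Forbidden');
        // findByAttributes() builds exact, parameter-bound conditions. compare() is a
        // search helper: it skips empty values and parses operator prefixes such as ">".
        $file = File::model()->findByAttributes(array(
            'id' => (int) $id,
            'department_id' => $user->department_id,
        ));
        // Same 404 for "no such file" and "file of another department".
        if ($file === null)
            throw new CHttpException(404, 'File not found');
        return $file;
    }
    public function actionView($id)
    {
        $this->render('view', array('model' => $this->loadModel($id)));
    }
    public function actionDownload($id)
    {
        $file = $this->loadModel($id);
        // Stored outside the web root, so the web server cannot serve it directly.
        $path = Yii::getPathOfAlias('application.data.uploads') . '/' . basename($file->stored_name);
        if (!is_file($path))
            throw new CHttpException(404, 'File not found');
        Yii::app()->request->sendFile($file->name, file_get_contents($path));
    }
}
```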