Accessing To The View Through Url Problem!

m.dhouibi · August 6, 2014, 1:51pm

So I have table file,

file(id,name,…, department_id).

I need to filter the result by department of the current user, so he can see only the files belong to his department.

in File.php


 $criteria->compare('department_id', $user_department_id, true);

This works fine, in view/file/index.php

but I still can access to all files from the URL, all what I need is to write the file ID, in the URL

ndex.php/file/77

ndex.php/file/77878

ndex.php/file/7774

…

What is the best way to fix this?

Thank you

Keith · August 6, 2014, 3:05pm

Are the files actually in the web directory or are you serving them in an action?

m.dhouibi · August 6, 2014, 4:03pm

Well the files, are in the web directory, but the problem is not about this.

I have a view page of every file, where you can see the file details:name, uploaded by, extension, size, note, and a download button etc…

and to access to this ‘view file’ page, you need normally to click on a file in the GRIDVIEW(witch is filtred by department_id) but my problem is to access directly to the ‘view file’ page.

Keith · August 6, 2014, 5:39pm

I don’t think I fully understand, but if you’re using an action, you can restrict access based on the logged in user’s information. Something like the following would probably work fine:




    $userDepartmentId = /* get user department ID here */;

    $file = File::model()->findByPk($id);


    if ($file === null)

        throw new CHttpException(404, 'File not found');


    if ($file->department_id !== $userDepartmentId)

        throw new CHttpException(403, 'Forbidden');


    /* send file here */

martijnjonkers · August 6, 2014, 8:23pm

You can call compare multiple times, it will be added to the criteria.


$criteria = new CDbCriteria();

$criteria->compare('department_id', $user_department_id, true);

$criteria->compare('id', $id, true);

$file = File::model()->find($criteria);

if( ! isset( $file ) ) {

  // file not found for this department

} else {

  // file found

}

alirz23 · August 7, 2014, 6:08am

you have to serve the files thru php in order restrict access. just compare the id and throw an exception just like @Keith mentioned but if you rewriting urls its likely apaches/nginx serving the files without hitting that action

m.dhouibi · August 7, 2014, 9:50am

hi there,

Yes ,I am using an action to load the model, and to restrict the access there as @Keith has mentioned, is good way to do it.

Thank you

Solved.