accessRoles for a user's personal data?

I have been perusing the forums for a while, reading the wiki, as well as the guide/examples/ you know it.

I can seem to wrap my head around this concept, without going completely out of my way and revamping my site to incorporate the yii-user’s extension.

I currently want to have users be able to register an account. Create lists, then manage their own lists. I do not want them to be able to perform workaround and be able to access information that they should not have permission to edit.

I do apologize as this is probably one of the simpler things in Yii, but I appreciate your patience.

I have tried setting the ‘expression’ in Access Roles, still with no success, including something along with the Lines of ‘expression’=>(‘Yii::app()->user-id == $_GET[‘id’]’) and every facsimile.

Any help would be greatly appreciated since I love Yii, and I hate breaking things when I find myself stumbling with it’s methods.




if you are not trying to stop the user from executing some action, but only from editing data he is not allowed to edit then you don’t have to use access control filter. In your action just check if that user can edit that piece of information. That is all.

If you want to allow user with id=1 in $_GET edit his own list and nothing more then do some checking:



    //can edit his own list

    //or even:





Remember also that in ‘expression’ param boolean value should be returned:

'expression'=>"return Yii::app()->user->id == $_GET['id'];"

Well, what I’d like to do, is when actionIndex() is called for a controller, I would only like the user’s relevant data to be displayed to him. Not sure in that cause if there is a $_GET action being passed down.

public function actionIndex($id)


		$dataProvider=new CActiveDataProvider('Lists');





is there more needed here?

Look into scopes - its basically a filter for FIND() methods.

You can set a scope called ownRecords and within the scope you set a condition that records returned have the userID of the current logged in user (via Yii::App()->user->id) - this assumes that the table or related tables can be limited by userId.

Bear in mind that this does not prevent a user from submitting a link like this:


If they are not the owner of 1 they will still be able to work around your restriction. You need accesscontrol or a manual check in each controller action to make sure they can’t ‘use’ that action.

Since I am trying to prevent the later (/post/edit/1) - Would it be too much to ask about how to go ahead and test to see if the user has the correct permission? Scopes don’t seem to be the answer since the later seems to work around it very directly.

My table is something basic like

id user_id list_id

Yii::app()->user->id should only be able to access a list_id where there is a match in user_id.

I am not very comfortable with the MVC concepts yet, and would normally handle this with function upon function with my poorly developed habits, which I am trying to break. Again, I apologize for not getting this probably very basic concept, so thanks for your patience.

In that case you only have to select records from db which are owned by the user.

With CActiveDataProvider you can pass model instance with all your scopes already applied or use criteria:

//applying proper scopes


$dataProvider=new CActiveDataProvider($lists);

//or using criteria

$dataProvider=new CActiveDataProvider('Lists', array(





Read this topic about scopes


Thanks again for the help, and the scopes concept is definitely going to help me as I further developer this app. Still struggling a bit however, I was able to solve my problem using what seems overly easy to me and as a result, may be insecure and not how to correctly deal with this.

In my ListsController, inside the [u]loadModel/u function…

I added an exception to the function, originally:

public function loadModel($id)




		throw new CHttpException(404,'The requested page does not exist.');

	return $model;



public function loadModel($id)



	if($model->user_id != Yii::app()->user->id)

		throw new CHttpException(404,'You do not have permission to view this page.');


		throw new CHttpException(404,'The requested page does not exist.');

	return $model;


Was just wondering, that if before I move on, this will cause more problems down the line that anyone might perceive?