Authorization - How To Allow User To Manage His Items Only

Hey folks,

I’m looking for a way how to set up a way that allows users to only manage their own data.

For example, every user has projects. Every autheticated user is allowed to update projects, but only the ones that belong to him, not other user’s projects (by calling a URL with a foreign project ID).

Of course I could implement a manual check in the actionUpdate method, but I want to know if there’s a solution already implemented in Yii.

hi dear, you can set the role for users, like…in authenticate function of UserIdentity Class

public function authenticate()


		$user = User::model()->findByAttributes(array('email'=>$this->username));

		if ($user===null) { // No user found!


		} else if ($user->password !== $this->password ) {


		} else { // Okay!


			// Store the role in a session:

			$this->setState('roles', $user->role);


		  	$this->_id = $user->id;



		return !$this->errorCode;


Then for perticular function in controller u can set permission like…in accessRule function

array('allow', // allow admin user to perform 'admin' and 'delete' actions




I hope this will help…thanks

Hi Mannu

Could you please explain more about your example.

I looks like you can control which users may access a controller action. But if the user is allowed to access the action, how do you filter the records - allowing him to only access his own records (projects)?

Assume you have a ‘owner’ attribute/column in your model, which is set to Yii::app()->user->id on beforeSave().

Add a defaultScope to your model:

public function defaultScope()


        return array(




Hi Joblo

That is what I do as well. I just wondered if there are any other ways.

Why looking for another way?

Maybe you have to check for the user ‘admin’ in the defaultScope() and return an empty array if the adminuser should see all records.

I just though Mannu was using another way, because he did not describe how he filters the records.


hi for filtering record just modify your query in that particular model…like as user_login_id==something

Thanks, this is what I am using:

public function defaultScope()


    $t = $this->getTableAlias(false,false);

    if(! Yii::app()->user->isAdmin)


        return array(

            'condition'=>"$t.user_id = :user_id",

            'params'=>array(':user_id' => Yii::app()->user->id),



    else return array();


I might also be using a modified version of the default search() method with implemented user_id criteria in the future if defaultScopes turns out to be troublesome.

Thanks for the help guys :)

in model you can use conditions and u can write separate queries for each user type…like u can check

 if(Yii::app()->user->getState('roles') ==="something")  { 



        	//query 2