I’m looking for a way to set up things so that users can only manage their own data.
For example, every user has projects. Every authenticated user is allowed to update projects, but only the ones that belong to him, not other users’ projects (by calling a URL with a foreign project ID).
Of course I could implement a manual check in the actionUpdate method, but I want to know if there’s a solution already implemented in Yii.
Hi dear, you can set the role for users, like this, in the authenticate() function of the UserIdentity class:
public function authenticate()
{
    $user = User::model()->findByAttributes(array('email'=>$this->username));
    if ($user===null) { // No user found!
        $this->errorCode=self::ERROR_USERNAME_INVALID;
    } else if ($user->password !== $this->password ) {
        // Plaintext comparison as posted; in a real application compare against a stored
        // hash instead (e.g. CPasswordHelper::verifyPassword($this->password, $user->password)).
        $this->errorCode=self::ERROR_PASSWORD_INVALID;
    } else { // Okay!
        $this->errorCode=self::ERROR_NONE;
        // Store the role in a session (readable later via Yii::app()->user->getState('roles')):
        $this->setState('roles', $user->role);
        $this->_id = $user->id;
    }
    return !$this->errorCode;
}
Then for a particular function in the controller you can set permission like this, in the accessRules() function:
public function accessRules()
{
    // 'roles' is matched through Yii::app()->user->checkAccess($role), so the
    // 'roles' state stored at login must be consulted by a custom checkAccess()
    // override (or an auth manager) for this rule to take effect.
    return array(array('allow', // allow role 'role_name1' to perform 'manage_post' and 'admin'
        'actions'=>array('manage_post','admin'),
        'roles'=>array('role_name1'),
    ));
}
It looks like you can control which users may access a controller action. But if the user is allowed to access the action, how do you filter the records, allowing him to only access his own records (projects)?
I might also be using a modified version of the default search() method with a user_id criterion implemented in the future, if defaultScope turns out to be troublesome.
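The defaultScope approach mentioned above, written out as an added example for Yii 1.1 (this is not code from the thread or from the Yii project itself). It assumes a `project` table with columns `id`, `user_id` and `title`, an authenticated web user whose `id` matches `project.user_id`, and a `ProjectController` with an `update` action; the model name, table name and column names are assumptions. The scope makes every find*() on Project return only the current user's rows, so a foreign ID yields null and a 404 instead of another user's record; loadModel() re-checks ownership explicitly as defence in depth, and ownership is assigned server-side rather than taken from the request.

```php
<?php
// Added example (not from the thread): ownership filtering in Yii 1.1 via defaultScope(),
// plus an explicit ownership check in the controller. Table/column names are assumptions.

class Project extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'project'; // assumed table name
    }

    public function rules()
    {
        // user_id is deliberately absent here, so it is never 'safe' for massive assignment
        // and a client cannot reassign a project to another owner through $_POST.
        return array(
            array('title', 'required'),
            array('title', 'length', 'max' => 255),
        );
    }

    // Applied to every find*() on this model: a request for a foreign project id
    // returns null rather than another user's row. getTableAlias(false, false)
    // avoids recursing back into defaultScope() while building the criteria.
    public function defaultScope()
    {
        return array(
            'condition' => $this->getTableAlias(false, false) . '.user_id = :uid',
            'params'    => array(':uid' => (int) Yii::app()->user->id),
        );
    }

    // Ownership is set on the server when the record is created, never from the request.
    protected function beforeSave()
    {
        if ($this->isNewRecord) {
            $this->user_id = Yii::app()->user->id;
        }
        return parent::beforeSave();
    }
}

class ProjectController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('update'), 'users' => array('@')), // authenticated users only
            array('deny', 'users' => array('*')),
        );
    }

    public function actionUpdate($id)
    {
        $model = $this->loadModel($id);
        if (isset($_POST['Project'])) {
            $model->attributes = $_POST['Project']; // only attributes listed in rules() are assigned
            if ($model->save()) {
                $this->redirect(array('update', 'id' => $model->id));
            }
        }
        $this->render('update', array('model' => $model));
    }

    // defaultScope() already hides foreign rows; the explicit comparison guards against
    // code paths that call resetScope() or query the table without the model.
    public function loadModel($id)
    {
        $model = Project::model()->findByPk((int) $id);
        if ($model === null || (int) $model->user_id !== (int) Yii::app()->user->id) {
            throw new CHttpException(404, 'The requested project does not exist.');
        }
        return $model;
    }
}
```

Two caveats a practitioner should keep in mind: defaultScope() runs for every query on the model, including console commands where Yii::app()->user is not available, so such code must call resetScope() or avoid the model; and a scope only protects reads that go through the model, so any raw SQL or updateAll()/deleteAll() call that bypasses it still needs the user_id condition added by hand.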