Authorization problem

Hey

The users of my website may create their own elements (e.g. teams, players). These elements have IDs. For example, if the user wants to delete a player of his team:


<?php echo CHtml::link('Delete', '#', array('submit'=>array('trip/deleteplayer', 'teamid'=>$team->id, 'playerid'=>$player->id))); ?>

Now the question is how I can check that the user is the creator or owner of the team.

My approach was something like this:


class WebUser extends CWebUser
{
    // Meant to report whether the current user owns the team with this ID
    function getIsOwner($teamid)
    {
        return ($this->user->teams->findByPK($teamid));
    }
}

class TeamController extends Controller
{
   ...accessRules()
   ...
      array('allow',
          'actions'=>array('admin','delete'),
          'expression'=>'$user->isOwner($this->id)',
   ...
}

I guess that this approach is pretty wrong?!

Thx!

Hi Franker

Well, first of all, I think $this in the getIsOwner() function will be a CAccessRules object, so you won't be able to get the ID from it.

Second, you should use the correct function name if you want to call it and pass an argument. You have isOwner() instead of getIsOwner() at the moment.

Also, please read this thread; I think it may give you some interesting ideas regarding your implementation.

Am I right that you don't use RBAC and the owner ID is stored together with each team/player record?

Hey,

I'm still not sure how to solve my problem. First of all, I have to add an owner ID column to every table to check whether the user is the owner, right? (Team, Player etc.)

Is it easier to solve my problem with the RBAC concept? Does the Yii-Rights extension have a solution?

I examined the WACF extension, but I don't really understand the concept, and I don't want to use it if it's not clear to me.

I'm surprised that Yii has no integrated solution.

Problem solved with RBAC. THX!
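The owner-ID approach raised in the thread, as an added example that is not code from any poster or from Yii: the delete is scoped to the session user, so a tampered teamid or playerid matches no row. It uses plain PDO with in-memory SQLite so it runs on its own; the owner_id column, the table layout and the deletePlayer() helper are assumptions, and the rows are constructed.

```php
<?php
// Constructed schema and sample rows; owner_id is an assumed column.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE team (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, name TEXT)');
$db->exec('CREATE TABLE player (id INTEGER PRIMARY KEY, team_id INTEGER NOT NULL, name TEXT)');
$db->exec("INSERT INTO team VALUES (1, 10, 'Reds'), (2, 20, 'Blues')");
$db->exec("INSERT INTO player VALUES (100, 1, 'Ann'), (200, 2, 'Bob')");

/**
 * Hypothetical helper: delete a player only if it belongs to $teamId AND
 * that team is owned by $userId. $userId must come from the server-side
 * session, never from the request. Returns true only when a row was deleted.
 */
function deletePlayer(PDO $db, int $userId, int $teamId, int $playerId): bool
{
    $stmt = $db->prepare(
        'DELETE FROM player
          WHERE id = :pid AND team_id = :tid
            AND EXISTS (SELECT 1 FROM team
                         WHERE team.id = player.team_id
                           AND team.owner_id = :uid)'
    );
    $stmt->execute(array(':pid' => $playerId, ':tid' => $teamId, ':uid' => $userId));
    return $stmt->rowCount() === 1;
}

// Each case: session user, then the teamid/playerid taken from the request.
$cases = array(
    'user 20 targets a player in user 10\'s team' => array(20, 1, 100),
    'user 20 pairs own team with a foreign player' => array(20, 2, 100),
    'user 10 deletes a player from own team'       => array(10, 1, 100),
);
foreach ($cases as $label => $args) {
    list($uid, $tid, $pid) = $args;
    $ok = deletePlayer($db, $uid, $tid, $pid);
    echo $label, ': ', $ok ? 'deleted' : 'refused', PHP_EOL;
}

// Players left in the table after the three attempts.
echo 'remaining players: ',
    $db->query('SELECT COUNT(*) FROM player')->fetchColumn(), PHP_EOL;
```

In a Yii 1.1 controller action the same check would take the user ID from Yii::app()->user->id and throw a CHttpException when the helper returns false.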