Okay, I have figured out how I can prevent users who are not the owners of a specific project from using the delete and update functionality. An example is given in the book and I have used it like this:
In the update and delete actions of the Project controller I have placed this code:
    $project = $this->loadModel($id);
    // RBAC check: the 'owner' role's business rule receives the project
    if (!Yii::app()->user->checkAccess('owner', array('project' => $project)))
    {
        throw new CHttpException(403, 'You are not authorized to perform this action.');
    }
Now I am stuck with something else. I would like to prevent readers from updating, creating and deleting Issues of the Projects. I tried the same approach as with the projects, but it does not work.
Also it would be nice to make sure that users can update only the issues they posted. Unfortunately this is not the case now. Anyone can delete and update everyone's issues.
Does anyone have any idea how we can do this?
EDIT: This is how I display the menu:
    if (Yii::app()->user->checkAccess('owner', array('project' => $model)))
    {
        $this->menu = array(
            array('label' => 'List Project', 'url' => array('index')),
            array('label' => 'Create Project', 'url' => array('create')),
            array('label' => 'Update Project', 'url' => array('update', 'id' => $model->id)),
            array('label' => 'Delete Project', 'url' => '#', 'linkOptions' => array('submit' => array('delete', 'id' => $model->id), 'confirm' => 'Are you sure you want to delete this item?')),
            array('label' => 'Manage Project', 'url' => array('admin')),
            array('label' => 'Create Issue', 'url' => array('issue/create', 'pid' => $model->id)),
            array('label' => 'Add User To Project', 'url' => array('adduser', 'id' => $model->id)),
        );
    }
    elseif (Yii::app()->user->checkAccess('member', array('project' => $model)))
    {
        $this->menu = array(
            array('label' => 'List Project', 'url' => array('index')),
            array('label' => 'Create Project', 'url' => array('create')),
            array('label' => 'Create Issue', 'url' => array('issue/create', 'pid' => $model->id)),
        );
    }
    else
    {
        $this->menu = array(
            array('label' => 'List Project', 'url' => array('index')),
            array('label' => 'Create Project', 'url' => array('create')),
        );
    }
But the problem is that if a reader tries to access the create issue form by typing the direct link, like http://localhost/trackstar/index.php?r=issue/create&pid=3, he will be able to create an issue, and he shouldn't.
What do I have to do to prevent this?
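The menu code above only decides what is displayed; the request itself still has to be authorized inside the action. Below is an added example (not the poster's code and not from the book) of how the Issue controller can enforce that, using the same checkAccess() call and the 'owner' and 'member' roles from the post; it assumes the Issue model has project_id and owner_id columns and a Project model with findByPk(), which are assumptions about the poster's schema.

```php
<?php
// Added example: server-side authorization for the Issue controller.
// Assumptions: Issue has `project_id` and `owner_id` columns; the RBAC
// roles 'owner' and 'member' take a 'project' parameter, as in the post.
class IssueController extends CController
{
    // Resolve the project a request refers to, or 404. Every issue action
    // needs it because the role business rules are evaluated per project.
    protected function loadProject($projectId)
    {
        $project = Project::model()->findByPk((int) $projectId);
        if ($project === null) {
            throw new CHttpException(404, 'The requested project does not exist.');
        }
        return $project;
    }

    // 403 unless the current user holds $role on $project. This check, not
    // the hidden menu entry, is what stops r=issue/create&pid=3 for readers.
    protected function requireProjectRole($role, $project)
    {
        if (!Yii::app()->user->checkAccess($role, array('project' => $project))) {
            throw new CHttpException(403, 'You are not authorized to perform this action.');
        }
    }

    public function actionCreate()
    {
        $project = $this->loadProject(Yii::app()->request->getParam('pid'));
        // A reader is neither 'owner' nor 'member', so the direct URL is refused.
        $this->requireProjectRole('member', $project);
        // ... render the form and set $issue->project_id = $project->id ...
    }

    public function actionUpdate($id)
    {
        $issue = Issue::model()->findByPk((int) $id);
        if ($issue === null) {
            throw new CHttpException(404, 'The requested issue does not exist.');
        }
        $project = $this->loadProject($issue->project_id);
        // Project owners may edit any issue; members may edit only their own.
        if (!Yii::app()->user->checkAccess('owner', array('project' => $project))) {
            $this->requireProjectRole('member', $project);
            if ((int) $issue->owner_id !== (int) Yii::app()->user->id) {
                throw new CHttpException(403, 'You may only update issues you created.');
            }
        }
        // ... assign the POSTed attributes and save ...
    }
}
```

actionDelete() takes the same shape as actionUpdate(): load the issue, derive its project, and apply the owner-or-author check before deleting.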