current user access rules

Dear all,

I am a new Yii user, I have started using Yii 1.1.6.

Since I have read the OWASP top ten vulnerabilities, I am concerned about the security of web applications. I started building a simple application to prevent the vulnerabilities listed in the OWASP top ten. I could manage the SQL injection, broken authentication and session management, and XSS vulnerabilities. I am trying to protect my simple Yii application against insecure direct object reference flaws.

What I actually want to do is, when a user logs in, he/she should be able to view only his/her profile page. Right now if a user logs in, the user can create, update, view all users as well as the profile of each user. How can I control this using the access rules method? For example, if I change the URL: framework/yii/index.php/users/12 to framework/yii/index.php/users/14, it will display the other user's profile as well.

I am not even sure whether I can control it with access rules. I hope I could explain properly.

Any help is appreciated.

Thank you.

You may get the logged-in user id using Yii::app()->user->id and then in your action just check that

if ($profile->user_id == Yii::app()->user->id) {
    // view/edit profile
} else {
    // send him to either 404 page with $this->redirect("404page") or show read only profile of user.
}

Or if you must do it using access rules, then you may use an expression in the access rule


or try something like

array('allow', // allow authenticated user to perform 'create' and 'update' actions
    'actions' => array('create', 'update'),
    'users' => array('@'),
    'expression' => '$user->isAdmin() || Yii::app()->user->id == Profile::model()->findByPk(Yii::app()->getRequest()->getPost("item_id"))->user_id
        || Yii::app()->user->id == Profile::model()->findByPk(Yii::app()->getRequest()->getQuery("id"))->user_id',
),
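An added example (not part of the original thread and not Yii's own code) of the ownership check suggested above, folded into the record lookup so every action that loads a profile is covered. It assumes a `Profile` ActiveRecord with `id` and `user_id` columns and that `Yii::app()->user->id` holds the user's numeric key; `ProfileController` and `loadOwnedModel()` are hypothetical names.

```php
<?php
// Added example for Yii 1.1. Assumed: Profile model with `id` (PK) and `user_id`
// columns; ProfileController and loadOwnedModel() are hypothetical names.
class ProfileController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            // Coarse gate: only logged-in users reach these actions at all.
            array('allow', 'actions' => array('view', 'update'), 'users' => array('@')),
            array('deny', 'users' => array('*')),
        );
    }

    public function actionView($id)
    {
        $this->render('view', array('model' => $this->loadOwnedModel($id)));
    }

    public function actionUpdate($id)
    {
        $model = $this->loadOwnedModel($id);
        if (isset($_POST['Profile'])) {
            $model->attributes = $_POST['Profile'];
            // Re-pin the owner so a posted user_id cannot reassign the record.
            $model->user_id = Yii::app()->user->id;
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('update', array('model' => $model));
    }

    // Fine-grained gate: the lookup itself is scoped to the current user, so
    // /users/14 requested by user 12 behaves exactly like a missing record.
    protected function loadOwnedModel($id)
    {
        $model = Profile::model()->findByAttributes(array(
            'id' => (int) $id,
            'user_id' => Yii::app()->user->id,
        ));
        if ($model === null) {
            throw new CHttpException(404, 'The requested page does not exist.');
        }
        return $model;
    }
}
```

Returning the same 404 for "not found" and "not yours" avoids confirming which profile ids exist.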


Thanks Jawwad Ahmed, I used Yii::app()->user->id to accomplish my demands.

Glad to know that helps you.

Welcome mate, do give the expression a try also, you're gonna love Yii.