Hi,
This is a long post, but the question is very simple. How do I prevent users from updating fields they are not allowed to?
I’m using accessRules and user roles, and that works awesome.
Now I wonder: I got two forms using the same model. One form for the admin, one for the user.
Simplified: in the user form I got title and description.
When saved, the actionUserUpdate is used like this:
public function actionUserUpdate($id)
{
    $model=$this->loadModel($id);
    if(do some owner checks here)
    {
        throw new CHttpException(403,'No access');
    }
    else
    {
        if(isset($_POST['ModelTest']))
        {
            $model->attributes=$_POST['ModelTest'];
            if($model->save())
            {
                // etc...
But in the admin form I also got the field ‘extra_info’. And the admin is using the actionAdminUpdate action, all fine.
But if a user is a smartass and modifies the HTML of the form, and if he guesses the right column ‘extra_info’ and adds an HTML input in the code, then it would be stored if he submitted it, right?
How do you handle this? Or is the only way to set only the allowed columns like this:
public function actionUserUpdate($id)
{
    $model=$this->loadModel($id);
    if(do some owner checks here)
    {
        throw new CHttpException(403,'No access');
    }
    else
    {
        if(isset($_POST['ModelTest']))
        {
            $model->title=$_POST['ModelTest']['title'];
            $model->description=$_POST['ModelTest']['description'];
            if($model->save())
            {
                // etc...
Of course this works, but if you have like 14 columns, it looks kinda dirty to me.
What is a good and secure way to handle this?
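The mass-assignment problem described in the post, shown with Yii 1.1's per-scenario safe attributes as an added example (this is not code from the original post; the model name ModelTest, the table name, the `owner_id` column and the scenario names 'user' and 'admin' are assumptions for illustration). The point it demonstrates: `$model->attributes = $_POST[...]` only assigns attributes that appear in a validation rule for the model's current scenario, so an injected `extra_info` input is dropped in the user scenario without listing every column by hand in the controller.

```php
<?php
// Added example, not from the original post. Demonstrates restricting mass
// assignment in Yii 1.1 with scenario-specific "safe" attributes.
// Assumed: model ModelTest, table model_test, column owner_id, scenarios 'user'/'admin'.

class ModelTest extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'model_test'; // assumed table name
    }

    public function rules()
    {
        // Only attributes listed in a rule that applies to the current scenario are
        // "safe"; CModel::setAttributes() (used by $model->attributes = ...) ignores
        // everything else and logs it when YII_DEBUG is on.
        return array(
            array('title', 'required'),
            array('title', 'length', 'max' => 255),
            array('description', 'safe'),
            // extra_info is assignable only when the scenario is 'admin'.
            array('extra_info', 'safe', 'on' => 'admin'),
            // Explicitly unsafe in the user scenario, so intent is documented in one place.
            array('extra_info', 'unsafe', 'on' => 'user'),
        );
    }
}

class ModelTestController extends CController
{
    public function actionUserUpdate($id)
    {
        $model = $this->loadModel($id);
        // Records found via findByPk() are in the 'update' scenario; switch to 'user'
        // so that only title and description are safe for mass assignment.
        $model->scenario = 'user';

        // Owner check: column name owner_id is assumed.
        if ((string) $model->owner_id !== (string) Yii::app()->user->id) {
            throw new CHttpException(403, 'No access');
        }

        if (isset($_POST['ModelTest'])) {
            // Mass assignment is fine here: an injected 'extra_info' field is discarded
            // because it is not a safe attribute in the 'user' scenario.
            $model->attributes = $_POST['ModelTest'];
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('userUpdate', array('model' => $model));
    }

    public function actionAdminUpdate($id)
    {
        $model = $this->loadModel($id);
        $model->scenario = 'admin'; // extra_info is safe in this scenario

        if (isset($_POST['ModelTest'])) {
            $model->attributes = $_POST['ModelTest'];
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('adminUpdate', array('model' => $model));
    }

    public function loadModel($id)
    {
        $model = ModelTest::model()->findByPk($id);
        if ($model === null) {
            throw new CHttpException(404, 'The requested page does not exist.');
        }
        return $model;
    }
}
```

Two things to check when using this pattern: never call `$model->setAttributes($values, false)` in a user-facing action, because the second argument disables the safe-attribute filter and reintroduces the problem; and as a second layer you can pass an explicit column list to `$model->save(true, array('title', 'description'))`, which limits which attributes are written even if something unexpected was assigned.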