Don't allow saving certain fields in a scenario

How can I disable saving certain fields of my model when using a scenario?

If I use attributes:


Then, with Firebug, I can add extra input fields to the form to submit data that should be unchangeable by some user group, for example:

        <input type="text" id="User_thisisunchangeable" name="User[unchangeable]">

and on submit, $form->attributes=$_POST['User'] will save this attribute too.

Of course I can define all fields in controller which I want to save:




Is it possible to define in the model scenario which fields should or shouldn't be saved by the model's save() method?

You can just use a hidden field:

        <?php echo $form->hiddenField($model, 'un_changeable', array('value' => $model->un_changeable)); ?>

But I don't want to save this field. If I just remove the input field from my form, it is still possible to change my HTML form and submit it to save this parameter.

Not if you use CSRF protection - which you should be using anyway.

However, you can create a scenario with the unchangeable field, and set that as the current scenario for when you want to change it.

You may need to use the "unsafe" validation rule: unsafe validator

:D not sure if this is the final way

Yes, but then I would have to define every field I want to save in the controller, which is extra code in the controller, and one scenario form could be used in multiple controllers. Because of that, I want to define in the scenario which fields can be saved and continue using $form->attributes=$_POST['User'];

CSRF does not protect you against form tampering, so itpg is correct and this is a huge security hole if left like this.

Maybe the "unsafe" validator in conjunction with CModel::getSafeAttributeNames will help you?

Hmm… maybe you should design your own solution. It's not too hard to mimic CActiveRecord::setAttributes(). Some pseudocode:

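      protected function myMassiveAssignment($model, array $attrs)
      {
            // Per-group lists of attribute names that group may assign.
            // .... these can be hard-coded, come from another method, or even from your DB table
            $userGroupPerms['group1'] = array(
                  // attribute names for group1
            );
            $userGroupPerms['group2'] = array(
                  // attribute names for group2
            );

            $attributeNames = $model->attributeNames();

            // getGroupName() is the poster's own helper on the user component
            $userGroup = Yii::app()->user->getGroupName();

            // deny or allow all: this version denies everything for a group with no entry
            $allowed = isset($userGroupPerms[$userGroup]) ? $userGroupPerms[$userGroup] : array();

            // just use loop logic to assign the attributes which exist in $userGroupPerms[$userGroup], refer to the ...
            foreach ($attrs as $name => $value) {
                  if (in_array($name, $allowed, true) && in_array($name, $attributeNames, true)) {
                        $model->$name = $value;
                  }
            }
      }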

Just something to think about: if you cannot find any existing solution, you must settle on your own way.
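
An added example, not code from any poster in this thread: how the scenario approach with the "safe" and "unsafe" validators mentioned above looks in a Yii 1.1 model and controller. The `user` table, the `username`, `email` and `id` attributes and the scenario names `update` and `adminUpdate` are assumptions; `unchangeable` is the field from the question.

```php
<?php
// Assumes a Yii 1.1 application. Table, column and scenario names other
// than `unchangeable` are hypothetical.
class User extends CActiveRecord
{
    public static function model($className = __CLASS__) { return parent::model($className); }
    public function tableName() { return 'user'; }

    public function rules()
    {
        return array(
            // Attributes named in a rule that applies to the current scenario
            // are "safe": $model->attributes = $_POST['User'] may assign them.
            array('username, email', 'required', 'on' => 'update, adminUpdate'),
            array('email', 'email', 'on' => 'update, adminUpdate'),
            // Mass-assignable only in the admin scenario.
            array('unchangeable', 'safe', 'on' => 'adminUpdate'),
            // Explicitly unsafe in the ordinary scenario, even if another
            // rule for 'update' later mentions the attribute.
            array('unchangeable', 'unsafe', 'on' => 'update'),
        );
    }
}

class UserController extends CController
{
    public function actionUpdate($id)
    {
        $model = User::model()->findByPk($id);
        if ($model === null) {
            throw new CHttpException(404, 'User not found.');
        }
        // Pick the scenario on the server; never derive it from the request.
        $model->scenario = 'update';
        if (isset($_POST['User'])) {
            // Under 'update', a forged User[unchangeable] input is skipped
            // because the attribute is not in getSafeAttributeNames().
            $model->attributes = $_POST['User'];
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('update', array('model' => $model));
    }
}
```

With `YII_DEBUG` enabled, Yii logs a warning for each unsafe attribute it skips during massive assignment, which makes tampered submissions visible in the application log.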