Don't allow saving certain fields on scenario

How can I disable saving certain fields of my model when using scenario?

If I use attributes:

$form->attributes=$_POST['User'];

Then with Firebug I can add extra input fields to the form to submit data that should be unchangeable by some user group, for example:

<input type="text" id="User_thisisunchangeable" name="User[unchangeable]">

and on submit $form->attributes=$_POST['User'] will save this attribute too.

Of course I can define all fields in the controller which I want to save:

$form->field1=$_POST['User']['field1'];

$form->field2=$_POST['User']['field2'];

etc

Is it possible to define in the model scenario the fields that should or shouldn't be saved by the model's save() method?

You can just use a hidden field:


        <?php echo $form->hiddenField($model, 'un_changeable', array('value' => $model->un_changeable)); ?>

But I don't want to save this field. If I just remove the input field from my form, it is still possible to change my HTML form and submit it to save this parameter.

Not if you use CSRF protection - which you should be using anyway.

However, you can create a scenario with the unchangeable field, and set that as the current scenario for when you want to change it.

You may need to use the "unsafe" validation rule: unsafe validator

:D not sure if this is the final way

Yes, but then I would have to define in the controller every field which I want to save; that is extra code in the controller, and one scenario form could be in multiple controllers. Because of that I want to define in the scenario which fields can be saved and continue using $form->attributes=$_POST['User'];

CSRF does not protect you against form tampering, so itpg is correct and this is a huge security hole if left like this.

Maybe the "unsafe" validator in conjunction with CModel::getSafeAttributeNames will help you?

en … maybe you should design your own solution; it's not too hard to mimic CActiveRecord::setAttributes(). Some pseudocode:





      protected function myMassiveAssignment($model, array $attrs)
      {
            // Attributes each user group may change; these can be hard-coded,
            // come from another method, or even from your DB table.
            $userGroupPerms['group1'] = array('attr1', 'attr4', 'attrx');
            $userGroupPerms['group2'] = array('attr1', 'attr2', 'attrx', 'attr9');

            $attributeNames = $model->attributeNames();

            // getGroupName() is not a CWebUser method; it is assumed to come from your own user component.
            $userGroup = Yii::app()->user->getGroupName();

            if (isset($userGroupPerms[$userGroup])) {
                  // Assign only the attributes listed for this group, in the style of
                  // http://www.yiiframework.com/doc/api/1.1/CModel#setAttributes-detail
                  $allowed = array_intersect($userGroupPerms[$userGroup], $attributeNames);
                  foreach ($allowed as $name) {
                        if (array_key_exists($name, $attrs)) {
                              $model->$name = $attrs[$name];
                        }
                  }
            } else {
                  // deny or allow all
            }
      }


  

Just for thinking: if you cannot find any existing solution, you must settle on your own way.