Still learning here about Yii, I have some questions.
I’m trying to make a User’s profile edit in my Yii app, and I’m planning to make use of the CRUD ops generated by the Gii code generator.
My questions are, basically:
I’ve seen that a URL like http://mysite/index.php/user/update/3 would render a view of the user with id=3, ok. (obvious). What I’m trying to do is to just use a URL like mysite/index.php/user/update. A URL like mysite/index.php/user/update/{username} (where {username} is the actual name of the User) would be ok to me as well. How could I do this?
What I do not want is an authenticated user (and obviously not a non-authenticated one either) to be able to see others’ profiles or update them. Now, if I enter http://mysite/index.php/user/update/3, as I mentioned, I see user #3’s profile, but if I enter http://mysite/index.php/user/update/4 I see that user’s profile and I can edit/update it. How could I restrict access to other users’ information? I do not want a user to be able to view the list of all the users, etc…
In short:
I don’t want the current user to be able to render http://mysite/index.php/user (this would cause the rendering of the list of all users)
I want the current user (id 3) to be able to render mysite/index.php/user/update/3 but not mysite/index.php/user/update/4 (other user id)
What is the easiest and simplest way to do it? I don’t mind “inelegant” solutions as I’m in a hurry with this.
Thank you very much in advance, I’m into some kinda love/hate relationship with Yii. Hope the love may triumph though.
You should restrict access to all actions except for the ones that allow logged in users to perform actions.
public function accessRules()
{
    return array(
        array('allow', // allow any logged-in user ('@') to perform 'update' and 'view' only
            'actions' => array('update', 'view'),
            'users' => array('@'),
        ),
        array('deny', // deny everything else ('index', 'admin', 'delete', ...) to all users
            'users' => array('*'),
        ),
    );
}
Controller:
// http://localhost/mySite/index.php/user/view
// Notice that the $id is removed from the method signature: the record is
// always the logged-in user's own, so the URL cannot select another account.
public function actionView()
{
    $model = User::model()->findByPk(Yii::app()->user->id);
    $this->render('view', array(
        'model' => $model,
    ));
}
// http://localhost/mySite/index.php/user/update
// Notice that the $id is removed from the method signature.
public function actionUpdate()
{
    $model = User::model()->findByPk(Yii::app()->user->id);
    if (isset($_POST['User']))
    {
        $model->attributes = $_POST['User'];
        if ($model->save())
            $this->redirect(array('view')); // 'user/admin' is denied by accessRules above
    }
    $this->render('update', array(
        'model' => $model,
    ));
}
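The full controller that the answer above sketches, written out as an added example (not the answerer's code): every action loads the row belonging to the session's user id and never reads an id from the URL, so changing the number in `/user/update/4` cannot reach another profile. It assumes a Gii-style `User` active-record class whose `rules()` marks only the editable columns (e.g. `username`, `email`) as safe; those names are assumptions, not taken from the question.

```php
<?php
// Added example for Yii 1.1 (assumed): a UserController whose view/update actions
// operate on the logged-in user's own record only. The User class and its
// safe attributes are assumptions about the application, not facts from the page.
class UserController extends CController
{
    public function filters()
    {
        return array('accessControl');   // enables accessRules() below
    }

    public function accessRules()
    {
        return array(
            // Logged-in users ('@') may only 'view' and 'update'. 'index', 'admin',
            // 'create' and 'delete' are not listed, so the deny rule catches them
            // and the user list at /index.php/user is never rendered.
            array('allow',
                'actions' => array('view', 'update'),
                'users'   => array('@'),
            ),
            array('deny',
                'users' => array('*'),
            ),
        );
    }

    /**
     * Loads the current user's record, ignoring any id the client may send.
     * A 404 (instead of returning null) keeps a stale session away from the views.
     */
    protected function loadOwnModel()
    {
        $model = User::model()->findByPk(Yii::app()->user->id);
        if ($model === null)
            throw new CHttpException(404, 'The requested page does not exist.');
        return $model;
    }

    // GET /index.php/user/view  (no id parameter)
    public function actionView()
    {
        $this->render('view', array('model' => $this->loadOwnModel()));
    }

    // GET/POST /index.php/user/update  (no id parameter)
    public function actionUpdate()
    {
        $model = $this->loadOwnModel();
        if (isset($_POST['User']))
        {
            // Massive assignment only touches attributes declared safe in
            // User::rules(), so the form cannot overwrite 'id' or a role column.
            $model->attributes = $_POST['User'];
            if ($model->save())
                $this->redirect(array('view'));   // stay on the user's own page
        }
        $this->render('update', array('model' => $model));
    }
}
```

Because the session, not the request, chooses the record, there is nothing for a user to tamper with; the same controller serves `/user/update/{username}`-style URLs if a URL rule maps them to the `update` action, since the extra parameter is simply ignored.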
You can define a filter in the controller alongside access control and apply the filter to only those actions you want to restrict access to, like update, delete and admin stuff. If you need it I can post my code on how I did it.
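The filter approach this answer describes, as an added example (not the answerer's own code): it keeps the Gii-generated `$id` parameter but refuses any id that is not the logged-in user's, so the existing actions stay untouched. Yii 1.1's `'name + action1, action2'` filter syntax limits it to the listed actions; the filter name `ownerOnly` is an assumption.

```php
<?php
// Added example for Yii 1.1 (assumed): a controller filter that rejects requests
// whose 'id' URL parameter does not match the current session's user id.
// The filter name and the User class are assumptions, not taken from the page.
class UserController extends CController
{
    public function filters()
    {
        return array(
            'accessControl',                 // runs first: denies index/admin/delete
            'ownerOnly + view, update',      // then: only the owner may reach these
        );
    }

    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('view', 'update'), 'users' => array('@')),
            array('deny',  'users' => array('*')),
        );
    }

    /**
     * Runs before 'view' and 'update'. Compares the requested id with the
     * session's id and only then lets the action execute via $filterChain->run().
     */
    public function filterOwnerOnly($filterChain)
    {
        $requested = isset($_GET['id']) ? (int) $_GET['id'] : null;
        if ($requested === null || $requested !== (int) Yii::app()->user->id)
            throw new CHttpException(403, 'You may only access your own profile.');
        $filterChain->run();
    }

    // Gii-style action, unchanged: $id is bound from the URL, but the filter
    // has already guaranteed it is the current user's own id.
    public function actionUpdate($id)
    {
        $model = User::model()->findByPk($id);
        if ($model === null)
            throw new CHttpException(404, 'The requested page does not exist.');
        if (isset($_POST['User']))
        {
            $model->attributes = $_POST['User'];   // safe attributes from User::rules() only
            if ($model->save())
                $this->redirect(array('view', 'id' => $model->id));
        }
        $this->render('update', array('model' => $model));
    }

    public function actionView($id)
    {
        $model = User::model()->findByPk($id);
        if ($model === null)
            throw new CHttpException(404, 'The requested page does not exist.');
        $this->render('view', array('model' => $model));
    }
}
```

With this in place `/index.php/user/update/3` works for user 3 and `/index.php/user/update/4` returns 403 for that same user, while `/index.php/user` and `/index.php/user/admin` are already stopped by the access rules.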