General Model Filter/condition

I am writing a company expense app. Any number of users can use it, but only see their own data. (This is my first app with YII so I am still very green!)

Once the user logs in, he/she should only be able to see data that belongs to him/her. Every table has a FK user_id pointing to the owner of that data. I have a number of tables (e.g., transactions, categories, accounts, etc.). No user who is not logged in should be able to see any data.

What is the best/most efficient way to set a filter/condition so that this user can only ever see his/her data.

  • somehow place a condition in the model itself so that I don’t have to worry about in many other places? If so how to do so?

  • place a condition in every controller method? I have figured out how to use a CDbCriteria applied to the data source. However, I haven’t figured out how to filter records for things like the grid view.

Hi Keith Sorbo and welcome!

Without completely understanding your app architecture: you can limit it through the controller action by placing

$model->user_id = Yii::app()->user->id;

also in views you can place something to the effect of (at the page top):

// Loose comparison on purpose: user_id comes back from the DB as a string,
// while Yii::app()->user->id may be an int, so !== could always be true.
if ($model->user_id != Yii::app()->user->id)
	$this->redirect('/somePlaceElse'); // CController::redirect() takes the URL only

Personally I would rather have layers of security than rely on a single source, and that goes for Yii or anything else.
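The layered approach described above, assembled into one controller, as an added example (not code from the thread). It assumes Yii 1.1; TransactionController, Transaction and the attribute names are placeholders for the original poster's tables:

```php
<?php
// Added example, not from the thread: layered per-user enforcement in Yii 1.1.
// TransactionController / Transaction are placeholder names.

class TransactionController extends CController
{
    // Layer 1: only authenticated users ('@') reach any action here,
    // so a logged-out visitor never gets as far as a query.
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            array('allow', 'users' => array('@')),
            array('deny',  'users' => array('*')),
        );
    }

    // Layer 2: ownership is part of the lookup query itself, so a foreign id
    // produces a 404 instead of a loaded record that a view then has to check.
    public function loadModel($id)
    {
        $model = Transaction::model()->findByPk(
            (int) $id,
            'user_id = :ownerId',
            array(':ownerId' => Yii::app()->user->id)
        );
        if ($model === null) {
            throw new CHttpException(404, 'The requested page does not exist.');
        }
        return $model;
    }

    public function actionView($id)
    {
        $this->render('view', array('model' => $this->loadModel($id)));
    }

    public function actionUpdate($id)
    {
        $model = $this->loadModel($id);
        if (isset($_POST['Transaction'])) {
            // Massive assignment only touches attributes marked safe in rules();
            // user_id must not be one of them.
            $model->attributes = $_POST['Transaction'];
            // Layer 3: never trust an owner id from the form; re-stamp it.
            $model->user_id = Yii::app()->user->id;
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('update', array('model' => $model));
    }
}
```

Putting the owner condition into findByPk() rather than comparing after the load means the record is never materialised for the wrong user, and the same loadModel() serves view, update and delete actions.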

Thanks for the prompt response! I look forward to learning Yii.

I guess my goal was to be able to set a single condition at the lowest possible level and then not have to worry about setting this condition later / each time.

I modified the model method in the model as follows:


	public static function model($className=__CLASS__)
	{
		$_model = parent::model($className);
		$criteria = new CDbCriteria();
		// addColumnCondition() rather than compare(): compare() silently adds
		// nothing when the value is empty, and a guest's id is null, which
		// would leave the filter switched off for logged-out users.
		$criteria->addColumnCondition(array('user_id' => Yii::app()->user->id));
		$_model->setDbCriteria($criteria);
		return $_model;
	}
	// Note: CActiveDataProvider fetches its model with CActiveRecord::model($class),
	// a static call on the base class, so this override is never run for grids.


This seems to work when the controller method uses this function. However, methods which use CActiveDataProvider seem to ignore the criteria I placed on the model when creating it.

For this you have to be concerned with what search method the data provider is using. It might be a precedence thing here; I am not sure. I too am interested to see how others approach security, and hopefully they chime in here.

scopes (default scope) should do the job you are looking for.
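A default scope that does what this answer suggests, as an added example (not code from the thread). It assumes Yii 1.1 and that every per-user table has a user_id column; UserOwnedRecord, Transaction, tbl_transaction and the amount/category_id attributes are placeholders:

```php
<?php
// Added example, not from the thread: a base class whose defaultScope()
// is merged into every find*/count/CActiveDataProvider query automatically.

abstract class UserOwnedRecord extends CActiveRecord
{
    public function defaultScope()
    {
        $userId = Yii::app()->user->id;

        // A guest has no id. compare() would silently drop an empty value and
        // remove the filter, so guests get an always-false condition instead.
        if ($userId === null) {
            return array('condition' => '0=1');
        }

        // Qualify the column with the table alias (second arg false avoids
        // recursion into getDbCriteria) so the scope also works in with()
        // queries where more than one joined table has a user_id column.
        $alias = $this->getTableAlias(false, false);

        return array(
            'condition' => $alias . '.user_id = :ownerId',
            'params'    => array(':ownerId' => $userId),
        );
    }

    // Stamp the owner on insert so a user cannot create rows for someone else.
    protected function beforeSave()
    {
        if ($this->isNewRecord) {
            $this->user_id = Yii::app()->user->id;
        }
        return parent::beforeSave();
    }
}

class Transaction extends UserOwnedRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'tbl_transaction';
    }

    // Grid/search support: the default scope is merged in by applyScopes(),
    // so this only adds the user's own column filters.
    public function search()
    {
        $criteria = new CDbCriteria();
        $criteria->compare('amount', $this->amount);
        $criteria->compare('category_id', $this->category_id);
        return new CActiveDataProvider(get_class($this), array('criteria' => $criteria));
    }
}
```

Two caveats worth knowing: resetScope() deliberately switches the default scope off (useful for admin code, dangerous if called casually), and findBySql() bypasses scopes entirely, so raw SQL still needs its own user_id condition.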

Thanks. I just now discovered that.