I am writing a company expense app. Any number of users can use it, but each only sees their own data. (This is my first app with Yii, so I am still very green!)
Once the user logs in, he/she should only be able to see data that belongs to him/her. Every table has a FK user_id pointing to the owner of that data. I have a number of tables (e.g., transactions, categories, accounts, etc.). No user who is not logged in should be able to see any data.
What is the best/most efficient way to set a filter/condition so that this user can only ever see his/her data?
1. Somehow place a condition in the model itself so that I don't have to worry about it in many other places? If so, how do I do that?
2. Place a condition in every controller method? I have figured out how to use a CDbCriteria applied to the data source. However, I haven't figured out how to filter records for things like the grid view.
Thanks for the prompt response! I look forward to learning Yii.
I guess my goal was to be able to set a single condition at the lowest possible level and then not have to worry about setting this condition later / each time.
I modified the model method in the model as follows:
    // Override of CActiveRecord::model(): fetch the shared static instance and
    // attach a criteria restricting it to the logged-in user's rows.
    public static function model($className = __CLASS__)
    {
        $_model = parent::model($className);
        $criteria = new CDbCriteria();
        // Equivalent to "user_id = <current user id>".
        $criteria->compare('user_id', Yii::app()->user->id);
        // applyScopes() merges this criteria into the next find*/count query
        // issued through this instance; a data provider built on a separate
        // instance (e.g. new Model('search') in search()) does not receive it.
        $_model->setDbCriteria($criteria);
        return $_model;
    }
This seems to work when the controller method uses this function. However, methods which use CActiveDataProvider appear to ignore the criteria I have placed on the model when creating it.
For this you have to be concerned with what search method the data provider is using. It might be a precedence thing here, I am not sure. I too am interested to see how others approach security and hopefully they chime in here.
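An added example, not code from the original thread, showing the row-level filter placed in the model through Yii 1.1's defaultScope() rather than a model() override, so that CActiveDataProvider and CGridView pick it up as well as direct find*() calls. It is written against the original question (filter everything by user_id, no data for guests) and the follow-up about data providers ignoring the criteria. Assumed names: a table expense_transaction with columns id, user_id, amount and note, a model class Transaction, a controller TransactionController, and the standard Yii::app()->user component whose id is the owner's user_id.

```php
<?php
// Added example for Yii 1.1 (not the original poster's code). The model
// filters every query to the current user's rows via defaultScope(); the
// controller denies guests and relies on the scope to turn another user's
// record id into a 404. Table/column names below are assumptions.

class Transaction extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'expense_transaction';   // assumed table name
    }

    public function rules()
    {
        return array(
            array('amount', 'numerical'),
            array('note', 'length', 'max' => 255),
            // user_id is deliberately NOT listed as safe: it is never taken
            // from user input, only stamped in beforeSave().
            array('amount, note', 'safe', 'on' => 'search'),
        );
    }

    // Applied by CActiveRecord::applyScopes() to every find*/count query on
    // this model, including the one CActiveDataProvider runs for the grid.
    // Guests get an always-false condition instead of an unfiltered query.
    public function defaultScope()
    {
        if (Yii::app()->user->isGuest) {
            return array('condition' => '0=1');
        }
        // getTableAlias(false, false): no quoting, and no scope check
        // (checking scopes here would recurse into defaultScope()).
        $alias = $this->getTableAlias(false, false);
        return array(
            'condition' => $alias . '.user_id = :owner_id',
            'params'    => array(':owner_id' => Yii::app()->user->id),
        );
    }

    // Ownership comes from the session on insert, never from the form.
    protected function beforeSave()
    {
        if ($this->isNewRecord) {
            $this->user_id = Yii::app()->user->id;
        }
        return parent::beforeSave();
    }

    // Data provider for CGridView; its criteria are merged with the default
    // scope, so the grid only lists the owner's rows.
    public function search()
    {
        $criteria = new CDbCriteria();
        $criteria->compare('amount', $this->amount);
        $criteria->compare('note', $this->note, true);
        return new CActiveDataProvider($this, array('criteria' => $criteria));
    }
}

class TransactionController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    // Authenticated users only; everything else is denied.
    public function accessRules()
    {
        return array(
            array('allow', 'users' => array('@')),
            array('deny',  'users' => array('*')),
        );
    }

    public function actionIndex()
    {
        $model = new Transaction('search');
        $model->unsetAttributes();
        if (isset($_GET['Transaction'])) {
            $model->attributes = $_GET['Transaction'];
        }
        $this->render('index', array('model' => $model));
    }

    // Because of the default scope, findByPk() returns null for a row that
    // belongs to someone else, so a guessed id yields 404, not data.
    public function loadModel($id)
    {
        $model = Transaction::model()->findByPk($id);
        if ($model === null) {
            throw new CHttpException(404, 'The requested page does not exist.');
        }
        return $model;
    }
}
```

Two checks worth keeping: the scope must use a bound parameter (not string concatenation of the user id), and user_id must stay out of the safe attributes so that a posted Transaction[user_id] field cannot reassign ownership. Anything that bypasses Active Record (raw CDbCommand queries, or CActiveRecord::resetScope()) is outside the scope and needs its own user_id condition.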