So I have the following code in Users Controller:
public function accessRules()
{
    return array(
        array('allow',
            'actions'=>array('update', 'delete', 'view', 'statusChange'),
            'users'=>array('@'),
            'expression'=>'Users::model()->userManagementPermissions($_GET["id"])',
        ),
    );
}
And here is the function in the Users model as used in the above expression:
public function userManagementPermissions($id)
{
    if(Yii::app()->user->user_permissions == 3){
        return true;
    }
    else if (Yii::app()->user->user_permissions == 2){
        //getting the user_client_id value from the logged-in CompanyAdmin
        $cAdminClient = $this->getClientId(Yii::app()->user->id);
        //getting the user_client_id from the user being modified. Super Admins excluded.
        $userClient = Yii::app()->db->createCommand()
            ->select('user_client_id')
            ->from('users')
            ->where('user_id=:id', array(':id'=>$id))
            ->andWhere('user_permissions<>3')
            ->queryRow();
        //queryRow() returns false when no row matches (unknown id or a Super Admin)
        if($userClient !== false && $userClient['user_client_id'] == $cAdminClient)
            return true; //users belong to the same group, permissions granted
        else
            return false;
    } else { //user permission level is 1
        return false;
    }
}
Now this code works perfectly. However, there is a security issue.
For example, if the URL is like this: /index.php?r=users/update&id=55, this would work.
However, if the logged-in user cuts the URL and does something like this: /index.php?r=users/update, then I get the following error:
PHP notice: Undefined index: id
This is because $_GET['id'] is not defined in the URL and cannot be used in the expression:
'expression'=>'Users::model()->userManagementPermissions($_GET["id"])'
How can I solve this?
Thank you in advance!
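One defensive way to handle the missing parameter, written as an added example rather than the original poster's code: read the id through CHttpRequest::getQuery() (which returns null when the parameter is absent), have the model method deny on a missing or malformed id, and close the rule set with an explicit deny, since Yii 1.1 grants access when no rule matches. It assumes Yii 1.1 and the same table, columns and getClientId() helper as in the post.

```php
<?php
// Added example (not the original poster's code): rule and model method rewritten so a
// missing or malformed "id" denies access instead of raising "Undefined index: id".

class UsersController extends CController
{
    public function accessRules()
    {
        return array(
            array('allow',
                'actions'=>array('update', 'delete', 'view', 'statusChange'),
                'users'=>array('@'),
                // getQuery() yields null when "id" is absent, so no undefined $_GET index is read.
                'expression'=>'Users::model()->userManagementPermissions(Yii::app()->request->getQuery("id"))',
            ),
            // Explicit catch-all deny: in Yii 1.1 a request matching no rule is allowed.
            array('deny', 'users'=>array('*')),
        );
    }
}

class Users extends CActiveRecord
{
    public function userManagementPermissions($id)
    {
        // No id, or an id that is not a positive integer: deny rather than guess.
        if ($id === null || !ctype_digit((string)$id) || (int)$id < 1) {
            return false;
        }
        $level = Yii::app()->user->user_permissions;
        if ($level == 3) {
            return true; // super admin may manage any account
        }
        if ($level == 2) {
            $cAdminClient = $this->getClientId(Yii::app()->user->id);
            $row = Yii::app()->db->createCommand()
                ->select('user_client_id')
                ->from('users')
                ->where('user_id=:id', array(':id'=>(int)$id))
                ->andWhere('user_permissions<>3')
                ->queryRow();
            // queryRow() returns false when no row matches (unknown id or a super admin).
            return $row !== false && $row['user_client_id'] == $cAdminClient;
        }
        return false; // permission level 1
    }
}
```

With the trailing deny rule in place, a request such as /index.php?r=users/update without an id now receives the access-denied response from the filter instead of a PHP notice.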