How To Avoid Updates Of 'role'-Fields In User-Table

I just started to make my first project in Yii, and there is a question about security and forms. Please let me describe my problem:

There is a Model/Table “Users” with Username, Password and so on, and also a ‘role’-field which defines if a user is an admin, mod or just a normal user.

I want admins to be able to update everybody, mods able to update themselves and users, and users able to update only themselves.

That’s implemented now with some easy RBAC and works as expected.

Now for my problem: Of course, I only want admins to be able to modify roles - avoiding that normal users update themselves to admins :)

To do this, I simply put this inside the _form.php:


<?php if (Yii::app()->user->getRole() == 'admin'): ?>
    <div class="row">
        <?php echo $form->labelEx($model,'role'); ?>
        <?php echo $form->dropDownList($model,'role',$model->getRoles()); ?>
        <?php echo $form->error($model,'role'); ?>
    </div>
<?php endif; ?>

This does what it needs - users other than admins cannot ‘see’ the role dropdown when updating their record, and therefore cannot change it - at least not legally.

Here comes my insecurity: What happens if somebody just fakes the $_POST and adds the data related to role himself?

Does Yii handle this correctly by only allowing fields to be updated which are actually present in the _form.php? If not, what would be the best practice to filter this kind of issue?

Any clarification is greatly appreciated!

Create a scenario with 'role' set to unsafe and, based on the user's role, activate that scenario if the user is not in the admin role… ex:

array('role','unsafe','on'=>'noadmin')
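Putting that rule together with the controller side, as an added example that is not from the thread: a Yii 1.x model and controller where the scenario is picked from the server-side role, so a forged 'role' value in $_POST is never assigned. It assumes a "users" table with a "role" column and the thread's own Yii::app()->user->getRole() helper.

```php
<?php
// Added example (not the thread's code). Assumes Yii 1.x, a "users" table
// with a "role" column, and the thread's Yii::app()->user->getRole().
class Users extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }
    public function getRoles()
    {
        return array('user' => 'User', 'mod' => 'Moderator', 'admin' => 'Admin');
    }
    public function rules()
    {
        return array(
            array('username, password', 'required'),
            array('role', 'in', 'range' => array_keys($this->getRoles())),
            // In the 'noadmin' scenario 'role' is removed from the safe attribute
            // list, so $model->attributes = $_POST['Users'] never assigns it,
            // no matter what the client added to the request body.
            array('role', 'unsafe', 'on' => 'noadmin'),
        );
    }
}

class UsersController extends CController
{
    // The scenario comes from the authenticated session, never from request input,
    // and must be set before the massive assignment below.
    public function actionUpdate($id)
    {
        $model = Users::model()->findByPk($id);
        if ($model === null) {
            throw new CHttpException(404, 'User not found.');
        }
        if (Yii::app()->user->getRole() !== 'admin') {
            $model->scenario = 'noadmin';
        }
        if (isset($_POST['Users'])) {
            $model->attributes = $_POST['Users']; // only safe attributes are copied
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('update', array('model' => $model));
    }
}
```

A quick check for this is to submit a 'role' value in the 'noadmin' scenario and confirm $model->role is unchanged after assignment; Yii logs the unsafe attribute when YII_DEBUG is on.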

Thank you very much. I wasn’t aware of the full meaning of those “safe” rules.

I also found this page here: http://www.yiiframework.com/wiki/161/understanding-safe-validation-rules/

Now I can move on! Thank you again :)

happy coding :)