How to set proper view permissions?

Currently the situation in my application is

User 1 has his own products as product A, product B and Product C

User 2 has his own products as Product X, product Y and Product Z

Both Users can VIEW all the products

User 1 should be able to edit or update his products only (A, B, C)

User 2 should be able to edit or update his products only (X, Y, Z)

The problem in my application: User 1 and User 2 can each edit all the products if they supply the id in the URL.

How can I set appropriate permissions, and what is the best way to do it? Does Yii have any more permission levels apart from admin, authenticated user, etc.?

I guess you could create a 3rd db table that would hold 2 columns as keys referencing your user and product tables. This would hold rows telling you which products are associated with which user. Yii should also automatically create a many-many relation I believe in this scenario when using gii.

From there, you should be able to tell if a product being updated belongs to the logged-in user or not at the start of your update action method.

Yep Thanks!! I found that the answer lies in modifying the accessRules()
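
The two suggestions in this thread (an ownership check at the start of the update action, and a rule in accessRules()) can be combined as in the following added example, which is not code from any of the posters. It assumes Yii 1.1, a hypothetical `Product` ActiveRecord model and a hypothetical `user_id` owner column on it; with the join table proposed above, the `user_id` comparison would become a lookup in that table.

```php
<?php
// Added example. Product and user_id are assumed names, not from the thread.
class ProductController extends CController
{
    public function filters()
    {
        return array('accessControl'); // turns on the accessRules() below
    }

    public function accessRules()
    {
        return array(
            // Any logged-in user may list and view every product.
            array('allow', 'actions' => array('index', 'view'), 'users' => array('@')),
            // Updating is allowed only when the requested product is the caller's own.
            array('allow',
                'actions' => array('update'),
                'users' => array('@'),
                'expression' => array($this, 'ownsRequestedProduct'),
            ),
            array('deny', 'users' => array('*')), // everything else is refused
        );
    }

    // Callback for the 'expression' rule; Yii passes the web user component.
    public function ownsRequestedProduct($user)
    {
        $product = Product::model()->findByPk(Yii::app()->request->getQuery('id'));
        return $product !== null && (int) $product->user_id === (int) $user->id;
    }

    public function actionUpdate($id)
    {
        $product = Product::model()->findByPk($id);
        if ($product === null) {
            throw new CHttpException(404, 'Product not found.');
        }
        // Repeat the ownership check here so the action stays safe
        // even if the access rules are later edited or bypassed.
        if ((int) $product->user_id !== (int) Yii::app()->user->id) {
            throw new CHttpException(403, 'You may only edit your own products.');
        }
        if (isset($_POST['Product'])) {
            // Keep user_id out of the model's "safe" attributes so a POST cannot reassign ownership.
            $product->attributes = $_POST['Product'];
            if ($product->save()) {
                $this->redirect(array('view', 'id' => $product->id));
            }
        }
        $this->render('update', array('model' => $product));
    }
}
```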