User 1 has his own products: Product A, Product B and Product C.
User 2 has his own products: Product X, Product Y and Product Z.
Both users can VIEW all the products.
User 1 should be able to edit or update his products only (A, B, C).
User 2 should be able to edit or update his products only (X, Y, Z).
The problem in my application: User 1 and User 2 can edit all the products if they supply the id in the URL.
How can I set appropriate permissions, and what is the best way to do it? Has Yii got any more permission levels apart from admin, authenticated user, etc.?
I guess you could create a 3rd db table that would hold 2 columns as keys referencing your user and product tables. This would hold rows telling you which products are associated with which user. Yii should also automatically create a many-many relation I believe in this scenario when using gii.
From there, you should be able to tell whether a product being updated belongs to the logged-in user or not at the start of your update action method.
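
The check described in the answer above, as an added example that is not part of the original thread: plain PHP with PDO and an in-memory SQLite database rather than Yii's own classes, with constructed table names (`user_product`), sample data and function names (`ownsProduct`, `updateProduct`). In a Yii controller the same check would sit at the top of the update action, with the user id taken from the logged-in session.

```php
<?php
// Added example: constructed schema and data, plain PDO instead of Yii's ActiveRecord.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)');
// Third table from the answer: one row per (user, product) ownership link.
$db->exec('CREATE TABLE user_product (
    user_id INTEGER NOT NULL REFERENCES user(id),
    product_id INTEGER NOT NULL REFERENCES product(id),
    PRIMARY KEY (user_id, product_id))');
$db->exec("INSERT INTO user VALUES (1, 'User 1'), (2, 'User 2')");
$db->exec("INSERT INTO product VALUES (1, 'A'), (2, 'B'), (3, 'C'), (4, 'X'), (5, 'Y'), (6, 'Z')");
$db->exec('INSERT INTO user_product VALUES (1,1), (1,2), (1,3), (2,4), (2,5), (2,6)');

/** True only if the join table links this user to this product. */
function ownsProduct(PDO $db, int $userId, int $productId): bool
{
    $stmt = $db->prepare('SELECT 1 FROM user_product WHERE user_id = ? AND product_id = ?');
    $stmt->execute([$userId, $productId]);
    return $stmt->fetchColumn() !== false;
}

/**
 * Stand-in for the update action. $userId must come from the server-side
 * session, never from the request; $productId is the id taken from the URL.
 * Returns the HTTP status the action would send.
 */
function updateProduct(PDO $db, int $userId, int $productId, string $newName): int
{
    // Ownership check first, before any write happens.
    if (!ownsProduct($db, $userId, $productId)) {
        return 403; // same answer for "not yours" and "does not exist"
    }
    $stmt = $db->prepare('UPDATE product SET name = ? WHERE id = ?');
    $stmt->execute([$newName, $productId]);
    return 200;
}

// User 1 edits own product A (id 1), then requests User 2's product X (id 4) by id.
echo updateProduct($db, 1, 1, 'A v2'), "\n";
echo updateProduct($db, 1, 4, 'changed by user 1'), "\n";
// User 2 edits product X, and the stored name shows only that write landed.
echo updateProduct($db, 2, 4, 'X v2'), "\n";
echo $db->query('SELECT name FROM product WHERE id = 4')->fetchColumn(), "\n";
```

Viewing stays open to both users because only the write path goes through `ownsProduct`; any delete action needs the same check.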