Locking Textfield For Certain Class Of Users

I have 3 classes of users: superadmin, admin, Authenticated. How can I lock some textfield in a form from the Authenticated class? Currently I am using the following code, but it locks the textfield for all classes.


echo $form->textField($user,'accountID',array('size'=>32,'maxlength'=>32, 'disabled'=>Yii::app()->user->checkAccess('Authenticated')))

I want to lock the textfield for Authenticated only and not for superadmin, admin.

Also, Authenticated includes all valid logged-in users, so it will also include superadmin and admin. So is there any option like ‘enabled’?

After thinking a little bit I found the solution. Now I am doing it in the following way, which has solved my problem:


<?php
if(Yii::app()->user->checkAccess('superadmin')||Yii::app()->user->checkAccess('admin'))
    echo $form->textField($user,'accountID',array('size'=>32,'maxlength'=>32));
else
    echo $form->textField($user,'accountID',array('size'=>32,'maxlength'=>32, 'disabled'=>'true'));
?>

If anyone knows a better solution, then please update me.

TBH, putting things like this client-side is not a good method to enforce access control. At least have a check in your model whether the current user should be able to alter the accountID field, by putting a custom validator in place. An even better solution would be to use scenarios to protect certain fields.

Also, I’m a bit puzzled by this line:


if(Yii::app()->user->checkAccess('superadmin')||Yii::app()->user->checkAccess('admin'))

Is your RBAC setup not hierarchical by any chance?

Thanks for your suggestion. I am new to Yii, so can you give an example of using scenarios? Also, why is the above method not good?

See the linked wiki page.

Because it can be bypassed by anyone smart enough to work with Firebug.
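An added example (not code from the thread or from Yii itself) of the scenario-based approach recommended above, for Yii 1.x: the model marks accountID as safe for mass assignment only in an 'adminEdit' scenario and adds a custom validator as a second check, and the controller picks the scenario from a server-side role check, so a form field re-enabled in the browser changes nothing. The scenario names, the controller action, the `id`, `name` and `email` attributes and the 'selfEdit' label are assumptions.

```php
<?php
class User extends CActiveRecord
{
    public function rules()
    {
        return array(
            // accountID is mass-assignable only when an admin is editing.
            array('accountID', 'length', 'max'=>32, 'on'=>'adminEdit'),
            array('accountID', 'safe', 'on'=>'adminEdit'),
            // Second line of defence: runs in every scenario (assumed validator name).
            array('accountID', 'accountIdLocked'),
            array('name, email', 'safe'),
        );
    }

    public function accountIdLocked($attribute, $params)
    {
        $user = Yii::app()->user;
        if ($user->checkAccess('admin') || $user->checkAccess('superadmin'))
            return;
        // Compare with the stored value, never with what the client posted.
        $stored = $this->isNewRecord ? null : $this->findByPk($this->primaryKey);
        if ($stored !== null && $stored->$attribute != $this->$attribute)
            $this->addError($attribute, 'You are not allowed to change the account ID.');
    }
}

class UserController extends CController
{
    public function actionUpdate($id)
    {
        $model = User::model()->findByPk($id);
        if ($model === null)
            throw new CHttpException(404, 'User not found.');
        $user = Yii::app()->user;
        // The role check happens here, on the server; the view's 'disabled' is only a hint.
        $model->scenario = ($user->checkAccess('admin') || $user->checkAccess('superadmin'))
            ? 'adminEdit' : 'selfEdit';
        if (isset($_POST['User'])) {
            // setAttributes() assigns only attributes declared 'safe' for the
            // current scenario, so a posted accountID is dropped for 'selfEdit'.
            $model->attributes = $_POST['User'];
            if ($model->save())
                $this->redirect(array('view', 'id'=>$model->id));
        }
        $this->render('update', array('model'=>$model));
    }
}
```

The view can keep `'disabled'=>$model->scenario !== 'adminEdit'` purely for usability; if the RBAC hierarchy makes superadmin inherit admin, the superadmin check in both places can be dropped.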