Login status

I am still a beginner in all this and am trying to understand this framework before I start building my site.

In the testdrive tutorial, once logged in, I would have assumed the user login status is set to a session cookie (or no?), so if I try to create a tbl_user (created using gii) without logging in, it detects that and brings me to the login page.

How exactly does it check for user login? Which code does that behind the scenes? I will use this again. Or does just putting the function filters() accessControl and defining the accessRules() method do the wonder already?

Thanks in advance for any reply.


Is used to check whether a user is logged in or not. You can use it everywhere in the framework, like in views, models, controllers, etc.

Access control and filters are used to check user privileges for the action. The code given above is your required answer. Use it and share your feedback.

And what if I want to know who the user is (like a username or id)? How do I put custom data into it?

I am also planning to use encryption for the user password and email in the database (so they won't be in plain text). Where can I set up the config for the encryption key etc.?

Please read this link carefully for more information. You get the complete information here…

Based on the link you gave, I saw that the TblUserController in my testdrive tutorial has access control like this:

return array(
			array('allow',  // allow all users to perform 'index' and 'view' actions
			array('allow', // allow authenticated user to perform 'create' and 'update' actions
			array('allow', // allow admin user to perform 'admin' and 'delete' actions
			array('deny',  // deny all users
Although the comments are pretty much self-explanatory, for the last array, what does "deny all users" mean? The first rule already said all users are allowed to do some actions.

Suppose you have added an action that should be accessible only to certain users or roles because it does something that requires certain privileges. If you were to forget to add the new action to the accessRules() method, everybody (including users who are not logged in) would be able to run that action.

The ‘deny all users’ bit is used as a security measure. Rules are checked from top to bottom, and checking stops whenever a rule is matched by the current needs. By adding the ‘deny all users’ rule you are basically saying: “hey, you managed to get through all the checks, but this is where I draw the line”. Users that should have access are also denied access in this case, but often that is a better way to be wrong than to have everybody access an action.

It is not required to have that particular access rule though. Just be well aware of the consequences.
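
The top-to-bottom, first-match behaviour described in this thread, as an added example that is not part of any post and is not Yii's own code. It is a simplified stand-alone model. The rule contents are filled in from the comments in the quoted controller, `'*'`, `'@'` and `'?'` are Yii's user tokens, and the `export` action and the `demo` username are hypothetical.

```php
<?php
// Simplified model of first-match rule evaluation; this is not Yii's own code.
// $user is null for a guest, otherwise the username (constructed sample values).

function ruleMatches(array $rule, string $action, ?string $user): bool
{
    // A rule without 'actions' applies to every action.
    if (isset($rule['actions']) && !in_array($action, $rule['actions'], true)) {
        return false;
    }
    foreach ($rule['users'] as $u) {
        if ($u === '*') return true;                    // anyone
        if ($u === '@' && $user !== null) return true;  // authenticated users
        if ($u === '?' && $user === null) return true;  // guests only
        if ($user !== null && strcasecmp($u, $user) === 0) return true;
    }
    return false;
}

function checkAccess(array $rules, string $action, ?string $user): string
{
    foreach ($rules as $rule) {
        if (ruleMatches($rule, $action, $user)) {
            return $rule[0];   // the first matching rule decides
        }
    }
    return 'allow';            // no rule matched: the request goes through
}

// Rule set reconstructed from the comments in the quoted controller.
$rules = array(
    array('allow', 'actions' => array('index', 'view'),    'users' => array('*')),
    array('allow', 'actions' => array('create', 'update'), 'users' => array('@')),
    array('allow', 'actions' => array('admin', 'delete'),  'users' => array('admin')),
    array('deny',  'users' => array('*')),
);
$withoutDeny = array_slice($rules, 0, 3);

// 'export' is a hypothetical new action that nobody added to the rules.
$cases = array(array('view', null), array('create', null), array('create', 'demo'),
    array('delete', 'demo'), array('delete', 'admin'), array('export', null));
foreach ($cases as $c) {
    list($action, $user) = $c;
    printf("%-7s %-6s with deny-all: %-5s  without: %s\n", $action, $user ?? 'guest',
        checkAccess($rules, $action, $user), checkAccess($withoutDeny, $action, $user));
}
```

Without the final rule, every request that matches no earlier rule falls through to "allow", so the guest `create` and the forgotten `export` both succeed; with it, both are denied.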