I’m working on a project where records submitted by the user are marked as unverified until an admin does something with them. We don’t want the general public to see unverified records, although we do want the creator of said records to be able to see them. Also, administrators need to be able to see all records, unverified or otherwise.
(A role based access system is in place to differentiate between the kinds of users.)
There is a kind of record (for the sake of this question, I’ll call this a “Post”) with an HAS_MANY active record relationship to another kind of record (which I’ll call “Comment”). At the moment, this relationship simply shows all Comment records, verified and unverified.
What is the right way to implement access to the Comment records associated with a Post record where only verified records, or records created by the user are shown?
On possibility is to create a second AR relationship like this:
'verifiedComments' => array( self::HAS_MANY, 'Comment', 'post_id', 'condition' => '(verified = 1) OR (create_user_id = ' . $userId . ')',),
The problem with this is that it might blow up if used internally, when the user doesn’t exist.