Model Rules By Permissions


I have a model that permit the users with credential permissions to change fields of this model.

I want those users to have only permission only to specific fields.

On the other hand I want the admin (full permission on the system) able to change all the fields.

The easy way is to hide the fields on the user form, but this is not a secure way (for example a hacker could post a form with all data)

The other way is creating another model with same fields (and table) but without all fields. The first one can be use for the admin and the second one for users, but his way is not very reusable and robust.

So, does anyone has any suggestion?


Don’t create a new model, just use different scenarios.

I tend to have the default scenario be the most restrictive, so you don’t accidentally give a user too many privileges by forgetting to specify the scenario. Then create a separate scenario called, say, ‘admin’, and include the rules for the fields that only they can edit.

Here’s an example from one of my own projects:

return array(

	array('Name, Description, Value', 'filter', 'filter'=>'trim'),

	array('Name, Description, Value, Status', 'required'),

	array('SiteId', 'required', 'except'=>'admin'),

	array('Value', 'length', 'max'=>9),

	array('ItemGroupId, SiteId, Value', 'numerical', 'integerOnly'=>true),

	array('Name', 'length', 'max'=>100),

	array('Status', 'in', 'range'=>array_keys(self::$safeStatuses), 'except'=>'admin'),

	array('Status', 'in', 'range'=>array_keys(self::$validStatuses), 'on'=>'admin'),

	// The following rule is used by search().

	// Please remove those attributes that should not be searched.

	array('Id, ItemGroupId, SiteId, Name, Description, Value, Created, CreatedBy, Status, searchNameDescription, searchTags, searchItemGroupTags, searchTerm', 'safe', 'on'=>'search'),

You’ll probably want to create a different view for each scenario.

If you define a rule as ‘on’=>‘admin’, the standard user will be unable to bulk assign to those fields.

Hi Keith, thank you for your response!

Very good approach!

But how can I set a field as required (for admin) and the same field unreachable for users ?

If any field set in rules then can be pass in model!

maybe ‘safe’ or ‘unsafe’ rule and scenarios? but how?

You can do so like this:

array('Field', 'required', 'on'=>'admin'),

This field will only be bulk assigned in the admin scenario. In any other scenario it is effectively unsafe unless you specify a rule that applies to the scenario.

The user can only assign to fields that have a rule in the current scenario.

I already tested!

I had to specify scenarios for all rules that mentioned to those fields

Also if any field has no rule then can be used

array('fieldA', 'safe' ,'on'=>'admin')

Thanks a lot Keith with a vote :)

It’s very good topic, is that possible to create a wiki page to summarize what you got, so it can share with other people.

Thanks in advance.

Ok Johnny. I just wrote a wiki :)

Oh, nice, Thanks.