Hey Everybody,
I read about security in Yii -> http://www.yiiframework.com/doc/guide/1.1/en/topics.security but I still have an important question.
Example: If I were a user and I'm logged in, I have a page where I can manage, for example, my employees. I can create, delete, update and read them. So if I delete one of my employees, the link would be something like "http://www.domain.com/employee/delete/23".
In this case the request would pass my controller and the "actionDelete()" method, then $model->delete(); and it's done, the employee with ID 23 is deleted and removed from the database.
But now comes my important question. If I prepared a form in a local HTML page, with action="http://www.domain.com/employee/delete/35", and (in case I'm already logged in to the page) submitted my local form to this URL, it would be possible to delete the employee with ID 35. In this case the employee with ID 35 doesn't belong to me and my dataset.
That's a kind of security issue. My question is now: do I have to check on every update/create/read/delete action in the controller FIRST via a DB selection (findBy…) whether the current user is allowed to watch/delete/update/create the record with the parameter ID?
Or does Yii take care of this with some rules which I don't know?
I need help. Thank you very much!
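The ownership check the question asks about, as an added example (not code from the original post or from Yii itself): a Yii 1.1 controller whose `loadModel()` includes the owner in the query, so `actionDelete()` and every other per-record action can only reach the current user's records. It assumes a Gii-style `Controller` base class, an `Employee` active record, and an `owner_id` column holding the owner's user id.

```php
<?php
// Added example (not from the original post). A Yii 1.1 controller that scopes
// every record lookup to the logged-in user, so a forged request carrying
// another user's employee ID gets a 404 instead of deleting that record.
// Assumption: the employee table has an owner_id column with the owner's user id.
class EmployeeController extends Controller
{
    public function filters()
    {
        return array(
            'accessControl',       // apply accessRules() below
            'postOnly + delete',   // a plain GET (e.g. a link) cannot trigger delete
        );
    }

    public function accessRules()
    {
        return array(
            array('allow', 'users' => array('@')),   // authenticated users only
            array('deny',  'users' => array('*')),
        );
    }

    // Returns the employee only if it belongs to the current user. The owner
    // check is part of the query itself, so no action can obtain a foreign
    // record and then forget to check it. Use the same method in
    // actionView() and actionUpdate().
    protected function loadModel($id)
    {
        $model = Employee::model()->findByAttributes(array(
            'id'       => (int) $id,
            'owner_id' => Yii::app()->user->id,
        ));
        if ($model === null) {
            // Same answer for "does not exist" and "not yours": no hint for ID probing.
            throw new CHttpException(404, 'The requested page does not exist.');
        }
        return $model;
    }

    public function actionDelete($id)
    {
        $this->loadModel($id)->delete();   // can only reach our own records
        if (!isset($_GET['ajax'])) {
            $this->redirect(array('index'));
        }
    }
}
```

The cross-site form in the question is also a CSRF issue, which the linked guide page covers: with `'request' => array('enableCsrfValidation' => true)` in the application config, a POST from a page that does not carry the Yii CSRF token is rejected before the action runs, while the ownership check above still protects against a logged-in user changing the ID on purpose.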