Thanks, ORey,
I just know rules and scenarios - but maybe there is a trick I don’t see.
#model Company
class Company extends CActiveRecord {
    public function rules() {
        return array(
            array('company_name', 'required'),
            array('user_name', 'required'),
        );
    }
}
#CompanyController
public function actionUpdate_1($id) {
    $model = $this->loadModel($id);
    if (isset($_POST['Company'])) {
        $model->attributes = $_POST['Company']; // mass-assign the posted fields
        $model->save();
        $this->redirect(array('view', 'id' => $model->id));
    }
    $this->render('update_1', array('model' => $model));
}
public function actionUpdate_2($id) {
    $model = $this->loadModel($id);
    if (isset($_POST['Company'])) {
        $model->attributes = $_POST['Company']; // mass-assign the posted fields
        $model->save();
        $this->redirect(array('view', 'id' => $model->id));
    }
    $this->render('update_2', array('model' => $model)); // <- only different line
}
#view: update_1.php <- the user is only allowed to change the company_name
<?php echo $form->textField($model, 'company_name'); ?>
#view: update_2.php <- the Webadmin is also allowed to change the user_name
<?php echo $form->textField($model, 'company_name'); ?>
<?php echo $form->textField($model, 'user_name'); ?>
If the user calls http://…r=company/update_1 and also posts the user_name … it will be updated in the database.
Also if he calls company/update_2.
I don’t see how rules with scenarios can stop this. But I think I don’t understand enough.
Hoping for a little bit more light in the night
Jannis
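
An added example, not part of the original post: one way to bind each action to its own scenario in Yii 1.1 so that massive assignment drops a POSTed user_name in the restricted action. The scenario names 'ownerUpdate' and 'adminUpdate' and the helper updateWithScenario() are assumptions made for illustration; loadModel(), model() and tableName() are assumed to exist as Gii generates them.

```php
<?php
// Added example for a Yii 1.1 application. The scenario names 'ownerUpdate'
// and 'adminUpdate' are assumptions, not names from the original post.

class Company extends CActiveRecord
{
    public function rules()
    {
        return array(
            // A rule is active only in the scenarios listed under 'on'.
            // Massive assignment ($model->attributes = ...) copies only
            // attributes that have an active rule in the current scenario.
            array('company_name', 'required', 'on' => 'ownerUpdate, adminUpdate'),
            array('user_name', 'required', 'on' => 'adminUpdate'),
        );
    }
}

class CompanyController extends CController
{
    // Hypothetical helper: the scenario decides which POSTed fields are kept.
    private function updateWithScenario($id, $scenario, $view)
    {
        $model = $this->loadModel($id);
        $model->setScenario($scenario);
        if (isset($_POST['Company'])) {
            // In 'ownerUpdate' a POSTed user_name is dropped here, because
            // no rule for user_name is active in that scenario.
            $model->attributes = $_POST['Company'];
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render($view, array('model' => $model));
    }

    public function actionUpdate_1($id)
    {
        $this->updateWithScenario($id, 'ownerUpdate', 'update_1');
    }

    public function actionUpdate_2($id)
    {
        $this->updateWithScenario($id, 'adminUpdate', 'update_2');
    }
}
```

The scenario only limits which fields each action accepts; who may reach actionUpdate_2 at all is a separate authorization check, for example accessRules() with the accessControl filter.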