[SOLVED]list own stuff

but if I will not include the ‘mid’ => 'Yii::app()->user->id at the view file , this will happen

Pay attention that the action index doesn’t use the function search, you have to change the criteria in the controller like that:

    public function actionIndex()


        $dataProvider=new CActiveDataProvider('CompanyDetails', array('criteria'=>array('condition'=>'MemberShipID='. Yii::app()->user->id)));





This should filter your list.

The modification in the search function take effect in the action admin.

Anyway to pass the parameter mid is useless, because you can better read it from the application.

If you can successfully filter the list/grid, then you can activate the check in the afterFind I told you at the beginning, all should work fine.

Problem solved. Thank you very much for this


About the main topic, what you did at the beginning in the after save was working properly, in fact it correclty throw an exception.

I advice you to use, and you will see that if the user 2 is typing the address:


Will receive an exception if the company is not his.

The check on the afterFind is 100% secure and cover lot of situation.

I added this at the model

	public function afterFind()


		if($this->MemberShipID != Yii::app()->user->id)

			throw new CHttpException('404','You are not authorized');



then I removed the memberContext + create filter thing from the controller,

It doesn’t seem necessary in the code now that it works and that code above is effective for security :D

your point of view is correct but i have one doubt , if admin want to view all member detail how we could do this?

that would be my next problem, I don’t know yet how to do the RBAC thing, am still stuck with that

I usually create admin and user sections as a module.

In the main application I have a module without rules, so no attributes can be set, and with a throw exception on beforeSave, because this model is not supposed to save anithing.

In userSection I have a model that extends this model, with a check on beforeSave and afterFind for allow to see only his models.

In adminSection I have another model with all permission.

Security is always difficoult, the most we think and the more possibility there are that bug appears. I prefer to use general methods directly in models.

If there are bugs in application, is a lot safer to receive exception and think how to allow admin than expose and think how to forbid this new know vulnerability.

why we shouldn’t use like this

For admin login set


And after find

public function afterFind()


                if($this->MemberShipID != Yii::app()->user->id && Yii::app->user->type!='admin')

                        throw new CHttpException('404','You are not authorized');


Is there any issue to use this code?

Don’t you think you misunderstood what ‘setState’ does?

It stores something in the user session.

So if you do this:


You get it like this:

$state = Yii::app->getState('type');

And that’s not a good practice: to put that information in the session.

Yii::app->user->type is pointing to the current users type field.

It’s not in the session.

this one is cool too, I never thought about it.

If you use RBAC, you can do:

if($this->MemberShipID != Yii::app()->user->id && Yii::app->user->checkAccess('admin'))

without any need of state.

Yii::app()->user->title (This has been available since version 1.0.3. In prior versions, one must instead use Yii::app()->user->getState('title').) 

i have seen this in Yii tutorial so that i used … Please tell me am i misunderstood

D’oh - thanks. That’s very sneaky. :)

According to my learning, user information should be stored in session, Please tell me if it not a good practice to put that information in session where and how we should do this

IMO, you should only store the absolute minimum amount of information in the session.

Username and id, maybe a status id too. But not much more than that.

Both for security, but also for performance.

I’ve actually stored the user model in the session in one of my old (Cake) projects…

First version had the user, and all related models in the session.

As you can imagine, memory was totally exhausted: users pulled in project which pulled in all issues in the database… :lol:

Just be careful.

[b]Yes I accepted your answer, Is there any issue to store it in global variable(if any other good method please share your answer with code)


shall i Define it as an array in the protected/config/main.php with ‘params’ index.

And can i access its element as Yii::app()->params[‘paramName’].