[SOLVED] list own stuff

But if I do not include 'mid' => Yii::app()->user->id in the view file, this will happen.

Note that the index action doesn't use the search function; you have to change the criteria in the controller like this:

    public function actionIndex()
    {
        // Only the current member's rows; the id is bound as a query parameter
        // instead of being concatenated into the condition string.
        $dataProvider=new CActiveDataProvider('CompanyDetails', array(
            'criteria'=>array(
                'condition'=>'MemberShipID=:mid',
                'params'=>array(':mid'=>Yii::app()->user->id),
            ),
        ));

        $this->render('index',array(
            'dataProvider'=>$dataProvider,
        ));
    }


This should filter your list.

The modification in the search function takes effect in the admin action.

Anyway, passing the parameter mid is useless, because you can better read it from the application.

If you can successfully filter the list/grid, then you can activate the check in afterFind that I told you about at the beginning; all should work fine.

Problem solved. Thank you very much for this

Yeah!!

About the main topic, what you did at the beginning in afterSave was working properly; in fact it correctly threw an exception.

I advise you to use it, and you will see that if user 2 types the address:

?r=membersDetail/view&id=4

he will receive an exception if the company is not his.

The check in afterFind is 100% secure and covers a lot of situations.

I added this to the model:

	public function afterFind()
	{
		parent::afterFind();
		// Refuse any record that does not belong to the logged-in member.
		if($this->MemberShipID != Yii::app()->user->id)
			throw new CHttpException(404,'You are not authorized');
	}


Then I removed the memberContext + create filter thing from the controller.

It doesn't seem necessary in the code now that it works, and the code above is effective for security :D

Your point of view is correct, but I have one doubt: if an admin wants to view all member details, how could we do this?

That would be my next problem; I don't know yet how to do the RBAC thing, I'm still stuck with that.

I usually create admin and user sections as a module.

In the main application I have a model without rules, so no attributes can be set, and with a thrown exception in beforeSave, because this model is not supposed to save anything.

In userSection I have a model that extends this model, with a check in beforeSave and afterFind to allow the user to see only his own models.

In adminSection I have another model with all permissions.

Security is always difficult: the more we think about it, the more possibilities there are for bugs to appear. I prefer to use general methods directly in models.

If there are bugs in the application, it is a lot safer to receive an exception and think about how to allow the admin than to expose data and think about how to forbid this newly known vulnerability.

Why shouldn't we use it like this?

For admin login set

    // stores 'type' in the user's session state
    Yii::app()->user->setState('type','admin');

And after find

    public function afterFind()
    {
        // CWebUser maps ->type to getState('type')
        if($this->MemberShipID != Yii::app()->user->id && Yii::app()->user->type!='admin')
            throw new CHttpException(404,'You are not authorized');
    }

Is there any issue with using this code?

Don’t you think you misunderstood what ‘setState’ does?

It stores something in the user session.

So if you do this:


Yii::app()->user->setState('type','admin');

You get it like this:


$state = Yii::app()->user->getState('type');

And that’s not a good practice: to put that information in the session.

Yii::app()->user->type is pointing to the current user's type field.

It’s not in the session.

This one is cool too; I never thought about it.

If you use RBAC, you can do:


// throws unless the record belongs to the current user or the user holds the 'admin' role
if($this->MemberShipID != Yii::app()->user->id && !Yii::app()->user->checkAccess('admin'))

without any need of state.
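Pulling the pieces of this thread together, here is an added example that is not code from any post above: one Yii 1.x model that carries the afterFind ownership check, the checkAccess('admin') bypass, and a parameter-bound scope for the list. The table name company_details, the owner column MemberShipID and the RBAC operation 'admin' are assumptions.

```php
<?php
// Added example, not from any post in this thread. Assumed: table company_details,
// owner column MemberShipID, RBAC operation 'admin' defined in the auth manager.
class CompanyDetails extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'company_details'; // assumed table name
    }

    // True when the logged-in user holds the RBAC operation 'admin'.
    protected function isAdmin()
    {
        return !Yii::app()->user->isGuest && Yii::app()->user->checkAccess('admin');
    }

    // Named scope: only the current user's rows, with the id bound as a parameter.
    public function scopes()
    {
        return array(
            'owned' => array(
                'condition' => 'MemberShipID=:mid',
                'params'    => array(':mid' => Yii::app()->user->id),
            ),
        );
    }

    // Last line of defence: a record loaded by any finder (e.g. view&id=4) is
    // refused unless it belongs to the current user or the user is an admin.
    protected function afterFind()
    {
        parent::afterFind();
        if ($this->MemberShipID != Yii::app()->user->id && !$this->isAdmin()) {
            throw new CHttpException(404, 'You are not authorized');
        }
    }

    // Owner comes from the session, never from the request; only an admin may
    // save a record that belongs to someone else.
    protected function beforeSave()
    {
        if ($this->isNewRecord) {
            $this->MemberShipID = Yii::app()->user->id;
        } elseif ($this->MemberShipID != Yii::app()->user->id && !$this->isAdmin()) {
            throw new CHttpException(403, 'You are not authorized');
        }
        return parent::beforeSave();
    }
}
```

The index action can then build its provider as new CActiveDataProvider(CompanyDetails::model()->owned()), so the view needs no 'mid' parameter at all.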




Yii::app()->user->title (This has been available since version 1.0.3. In prior versions, one must instead use Yii::app()->user->getState('title').) 



I have seen this in the Yii tutorial, so that is why I used it … Please tell me if I misunderstood.

D’oh - thanks. That’s very sneaky. :)

According to what I have learned, user information should be stored in the session. Please tell me, if it is not good practice to put that information in the session, where and how should we do this?

IMO, you should only store the absolute minimum amount of information in the session.

Username and id, maybe a status id too. But not much more than that.

Both for security, but also for performance.

I’ve actually stored the user model in the session in one of my old (Cake) projects…

First version had the user, and all related models in the session.

As you can imagine, memory was totally exhausted: users pulled in project which pulled in all issues in the database… :lol:

Just be careful.

Yes, I accepted your answer. Is there any issue with storing it in a global variable? (If there is any other good method, please share your answer with code.)

Shall I define it as an array in protected/config/main.php under the 'params' index?

And can I access its elements as Yii::app()->params['paramName']?