[Solved] Prevent show data from another user


How to prevent all detailView show data from another user ??

For example, this happens when you type an product ID of another user in the UR. The detailView shows the details of the product normally, however belongs to another User, and may even change it and delete it.

Hi Gustavo,

I have already done that in Yii1 using RBAC. You should read more about this. A good start point is this: http://www.yiiframework.com/doc-2.0/guide-security-authorization.html

Hope this helps you!

Sidney Lins

You can do something like this in the controller if you don’t want to use RBAC :


protected function findModel($id)


    //Check if the author is the current user

    if (($model = Product::findOne($id)) !== null && $model->author_id==Yii::$app->user->id) { 

        return $model;

    } else {

        throw new NotFoundHttpException('The requested page does not exist.');



Like this users which are not the author can’t view, update or delete the product.

Timmy78, this example work fine :)

sidtj, i 'll try this guidetoo