[Solved] Prevent show data from another user

Hi,

How can I prevent every detailView from showing data from another user?

For example, this happens when you type a product ID of another user in the URL. The detailView shows the details of the product normally, even though it belongs to another user, and it can even be changed and deleted.

Hi Gustavo,

I have already done that in Yii1 using RBAC. You should read more about this. A good starting point is this: http://www.yiiframework.com/doc-2.0/guide-security-authorization.html

Hope this helps you!

Sidney Lins

You can do something like this in the controller if you don’t want to use RBAC:


    

    protected function findModel($id)
    {
        // Check if the author is the current user
        if (($model = Product::findOne($id)) !== null && $model->author_id == Yii::$app->user->id) {
            return $model;
        } else {
            throw new NotFoundHttpException('The requested page does not exist.');
        }
    }



This way, users who are not the author can’t view, update or delete the product.

Timmy78, this example works fine :)

sidtj, I'll try this guide too
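
The ownership check from the findModel() answer above, moved into the query itself and combined with a login requirement, as an added example that is not code from any poster in this thread. It assumes a `Product` ActiveRecord in `app\models` with an `author_id` column, a `view` template and an `index` action.

```php
<?php
// Added example (not from the thread). Product, author_id, the 'view'
// template and the 'index' route are assumptions about the application.
namespace app\controllers;

use Yii;
use app\models\Product;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\NotFoundHttpException;

class ProductController extends Controller
{
    public function behaviors()
    {
        return [
            // A guest has Yii::$app->user->id === null, which would match
            // rows whose author_id is NULL, so require a logged-in user ('@').
            'access' => [
                'class' => AccessControl::class,
                'rules' => [['allow' => true, 'roles' => ['@']]],
            ],
        ];
    }

    public function actionView($id)
    {
        return $this->render('view', ['model' => $this->findModel($id)]);
    }

    public function actionDelete($id)
    {
        $this->findModel($id)->delete();
        return $this->redirect(['index']);
    }

    // Every action loads its record through this method. Ownership is part of
    // the WHERE clause, so another user's row is never loaded at all.
    protected function findModel($id)
    {
        $model = Product::findOne(['id' => $id, 'author_id' => Yii::$app->user->id]);
        if ($model === null) {
            // Same 404 for "missing" and "not yours": does not reveal which IDs exist.
            throw new NotFoundHttpException('The requested page does not exist.');
        }
        return $model;
    }
}
```

Any action that reads or changes a product by ID (update included) should call `findModel()` rather than `Product::findOne($id)` directly, otherwise the check is bypassed for that action.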