I’m building a system in which a logged-in user can select a shop for editing from a list of items to which he has access, for example:
Shop1 // with id=1
Shop2 // with id=2
When the user selects one of them, the next page will contain the selected shop ID either in the url or in a post variable.
How could I prevent this user from accessing Shop3 or any other shop IDs he has no permission to access?
Some people have suggested checking Yii::app()->user->isGuest, but that is not a solution as the user was logged in before selecting the shops. That means that at this point any user could change the shop ID to try to access any shop. Is there a Yii way to do it? I don’t want to be checking if the user has access to the shopID in every controller of my application.
IMO, the simplest way is to use the Access control filter, setting your check in the “expression” parameter. You may move the rules and filter declaration to a parent class (components/Controller.php, for example), if it’s suitable and you don’t want to write the same rules in your controllers.
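One way to wire that “expression” check into a shared parent controller, as an added example that is not part of the original post. It assumes Yii 1.1, a Shop ActiveRecord with an owner_id column, and that the shop id arrives in the ‘id’ request parameter; all of these names are assumptions, not from the thread.

```php
<?php
// Added example, not from the thread: a base controller that lets the access
// control filter refuse requests for shops the current user does not own.
// Assumed: Yii 1.1, a Shop model with an 'owner_id' column, and the shop id
// passed as the 'id' GET or POST parameter.
class ShopOwnerController extends CController
{
    public function filters()
    {
        // Enables accessRules() for every action of every child controller.
        return array('accessControl');
    }

    public function accessRules()
    {
        $guarded = array('update', 'delete');
        return array(
            // Logged-in users ('@') pass only when the callback returns true.
            // Yii 1.1.11+ accepts a PHP callback as 'expression' and calls it
            // with the CWebUser and the CAccessRule being evaluated.
            array('allow',
                'actions'    => $guarded,
                'users'      => array('@'),
                'expression' => array($this, 'ownsRequestedShop'),
            ),
            // Anyone who did not match the allow rule above is denied for
            // the same actions; other actions keep the child's own rules.
            array('deny',
                'actions' => $guarded,
                'users'   => array('*'),
            ),
        );
    }

    /**
     * True only when the shop named in the request belongs to the current
     * user. Denies by default: a missing, malformed or unknown id fails.
     */
    public function ownsRequestedShop($user, $rule)
    {
        $id = Yii::app()->request->getParam('id');
        if ($id === null || !ctype_digit((string) $id)) {
            return false;
        }
        // Ownership is read from the database, never from the request, so a
        // user cannot pass a different uid along with a foreign shop id.
        $shop = Shop::model()->findByPk((int) $id);
        return $shop !== null && (int) $shop->owner_id === (int) $user->id;
    }
}
```

Child controllers only need to extend ShopOwnerController; a request such as shop/update/id/3 from a user who does not own shop 3 gets the filter's 403 before the action runs.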
But for some application types it’s still not enough. Let’s say SNS: every user has his/her space (composed of different resource collections: blog, album, audio, video, friend group, etc.), then even if you give some member an “EDITOR” role they can do some things out of control.
Every member can only operate his/her own resource, not others. For example: myProj/blog/edit/id/3 means the current user wants to edit the blog whose id is equal to 3.
Just consider the front end: the blog belongs to a specific user, so just the owner of the resource can access it. Some user may type this in the browser manually, so how to prevent access (this user is still a logged-in user but not the resource owner) if in the backend it’s true that the user has a specific role that can access it (admin, editor, manager …)?
It seems true, the second scenario is my depicted environment. If people don’t use the RBAC mechanism, we have to do it manually like you’re doing (but with Yii::app()->user->checkAccess('PostOwner', $params)). I think the role check is only useful for the backend; for the front end it’s more complex.
Something that can be considered is: URL convention (the resource access URL always comes with the owner id => myProj/blog/edit/id/3/uid/1 ; myProj/album/view/id/2/uid/1) and always use the same layout or extend the same baseController (say: ResourceController), then we can simply check if the current user is the resource owner: Yii::app()->user->id == $_GET['uid'];
Every access wants to enter some member’s space, so the URL will contain that member’s id. If you access his/her resource the URL looks more like a tree path:
It’s quite right, unless we’re passing the biz-rule parameter with the request, as yiqing95 described, or overriding accessControlFilter to get this parameter first (the same as you’d get it in your controller) and to perform the actual check then. These are the two approaches that came to my mind at the moment and which I used in my applications.
Hi everyone. I personally rely exclusively on accessFilters, especially when I have to deal with workflows. I find roles not very interesting in that case (or I don’t know how they could be used), since the access control depends on: 1. the user, 2. the accessed model’s static attributes (fk…), and 3. the accessed model’s status. But I’m sure there are lots of things I haven’t discovered yet.
The fact is I end up with huge expressions, and it has often been error prone since my IDE doesn’t check string contents for PHP syntax.
Thank you all for your responses, this has been a very constructive discussion.
As some of you have said, the solution to the problem I’m facing is not as simple as checking the user role. In other words, my database contains a table called ‘Shop’ and I want some users to access some IDs and other users to access some other IDs of the same table. But I do not want everyone to be able to edit all data in the table. That said, what I need to implement is a function that compares the place where the ID from the URL belongs with the place where the authenticated user belongs. If they match, the user should be allowed to edit that particular ID.
I’ll have a look at all your proposals and will see which one to implement.
Reading the blog of Dana Luther I found an article plus a comment on this article, which gives one more idea for the discussed topic. Quite simple and useful for some cases. Don’t know why I didn’t think about it before.
Reading one more Yii blog I came across this article, which describes an access control extension based on the Yii access control filter. The link to the extension is in the article and you may find it in the extensions also.
I think it may be quite useful for the situations discussed above. Haven’t tried it, but maybe I will give it a chance in future.