Yii2 Rest checkAccess

Continuing my issue from here

I think we are making an assumption that the access to a model would be in the model itself, when that may not always be the case.

Also, querying the record without authorization not only produces bad performance but is bad security practice in general.

I think the better solution is to provide the params from the request and let the developer decide what to query before we continue.

While I am also not that happy with the current approach Yii has for RESTful services, I see no reason why you couldn’t write your own actions if you don’t like the ones provided by Yii; at least this is what I am doing, since what Yii provides is good only for super simple use cases.

You are not correct here, we need the model to see if the user requesting it is the owner of the record, and if that’s the case, allow further action.

/* moved to the REST forum … */

  1. Again, you are assuming permissions are tied to the model; in some cases yes, in others no. I don’t think Yii should always assume that it is part of the model. The developer should make that decision, or, if it is in the model, be able to specify which attribute so you can put the condition(s) in the query.

  2. If you have a query that takes 5 mins, this could be a big problem.

I have written my own Actions, because I basically find them way too simple, and they lack a ton of options. I just want to bring up issues to make it better, and I see this as a big core problem.
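
As an added example (not code from any poster in this thread or from Yii itself), one way to put the ownership condition into the query with the stock REST actions is the `findModel` callable of `yii\rest\Action`, leaving `checkAccess()` for checks that need no model. The `Post` model, its `id` and `owner_id` columns, and the method name `findOwnedModel` are assumptions for illustration.

```php
<?php
namespace app\controllers;

use Yii;
use yii\rest\ActiveController;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;

class PostController extends ActiveController
{
    // Hypothetical ActiveRecord with id and owner_id columns.
    public $modelClass = 'app\models\Post';

    public function actions()
    {
        $actions = parent::actions();
        // Replace the default primary-key lookup for single-record actions.
        foreach (['view', 'update', 'delete'] as $id) {
            $actions[$id]['findModel'] = [$this, 'findOwnedModel'];
        }
        return $actions;
    }

    // Called as ($id, $action); the stock actions run it before checkAccess().
    public function findOwnedModel($id, $action)
    {
        $user = Yii::$app->user;
        // A guest has a null id, and ['owner_id' => null] would compile to
        // "owner_id IS NULL" and match ownerless rows, so refuse first.
        if ($user->isGuest) {
            throw new ForbiddenHttpException('Login required.');
        }
        $modelClass = $this->modelClass;
        $model = $modelClass::find()
            ->where(['id' => $id, 'owner_id' => $user->id])
            ->one();
        if ($model === null) {
            // Same response for "missing" and "not yours".
            throw new NotFoundHttpException('Object not found.');
        }
        return $model;
    }

    // Checks that need no model, such as 'index' and 'create'.
    public function checkAccess($action, $model = null, $params = [])
    {
        if (Yii::$app->user->isGuest) {
            throw new ForbiddenHttpException('Login required.');
        }
    }
}
```

With this in place a record owned by someone else is never loaded, and the caller gets the same 404 as for a nonexistent id.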