I have an isOwner function in my WebUser.php file, which works great everywhere except in the ‘expression’ for the access rules array. You can see where I commented the isOwner function, the first one works (just a test call to isOwner), but the second one in the expression doesn’t…I guess it’s returning false…why would that be???
Nah that’s not it, because my $user->isAdmin() function is working. I think it might have to do something with passing a parameter in to the isOwner function in the expression but I don’t see how else I could do it. Here’s that function just for reference:
function isOwner($story_by)
{
    $user_id = Yii::app()->user->id;
    return $user_id == $story_by;
}
Hm… I’m just curious if this is the best approach, i.e. whether using ActiveRecord as the expression in accessRules will not degrade application performance significantly?
Wouldn’t it be easier (faster) to let in (allow to pass accessRules) all authenticated users (’@’) and then check whether a particular user is the story owner inside the proper action? What do you think?
I think the "cleanest" approach would be to create a new separate filter for checking if the user is the story owner. That way you could avoid doing complicated access control checks and you could reuse the code wherever necessary.
Okay I added the afterFind function and changed it to fit my model attributes, but this method is invoked on every page, even the index page, which I want any logged in user to be able to access. How would I go about performing the check only on the delete and edit views? Thanks
public function accessRules()
{
    return array(
        array('allow', // allow all users to perform 'index' and 'view' actions
            'actions'=>array('index','view'),
            'users'=>array('*'),
        ),
        array('allow', // allow authenticated users to perform the 'create' action
            'actions'=>array('create'),
            'users'=>array('@'),
        ),
        array('allow', // allow users to update or delete their own content
            'actions'=>array('update', 'delete'),
            // evaluated as a PHP expression by CAccessRule, so no trailing semicolon
            'expression'=>'PostController::checkIfRecordAuthor((int)$_GET["id"], Yii::app()->user->id)',
        ),
        array('allow', // allow admin users to perform 'admin', 'delete' and 'update' actions
            'actions'=>array('admin','delete', 'update'),
            'users'=>array('admin', 'theAdmin', 'the Boss'),
            'expression'=>'$user->isAdmin()', // custom WebUser method mapped to a bool field in db
        ),
        array('deny', // deny all users
            'users'=>array('*'),
        ),
    );
}
// this is in PostController
public static function checkIfRecordAuthor($id, $user_id)
{
    $model=Post::model()->findByPk($id);
    // a missing record or a guest (null user id) must never be treated as the author
    if($model===null || $user_id===null) { return false; }
    return $user_id == $model->author_id;
}
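The separate-filter approach suggested earlier in the thread, applied only to the update and delete actions as asked, as an added example (not code from the original posts). It assumes a Yii 1.1 controller, a Post model with an author_id column, and the record's primary key arriving as the id query parameter; the filter name ownerOnly and its 403/404 messages are illustrative choices.

```php
<?php
// Added example: Yii 1.1 controller filter that restricts 'update' and 'delete'
// to the record's owner. Assumes a Post model with an 'author_id' column and
// the primary key passed as ?id= (assumption, not from the original thread).
class PostController extends CController
{
    public function filters()
    {
        return array(
            'accessControl',               // accessRules() still runs first
            'ownerOnly + update, delete',  // run filterOwnerOnly only for these two actions
        );
    }

    public function accessRules()
    {
        return array(
            array('allow', 'actions'=>array('index', 'view'), 'users'=>array('*')),
            array('allow', 'actions'=>array('create', 'update', 'delete'), 'users'=>array('@')),
            array('deny', 'users'=>array('*')),
        );
    }

    // Filter method: Yii calls filterOwnerOnly() for the filter named 'ownerOnly'.
    public function filterOwnerOnly($filterChain)
    {
        $id = isset($_GET['id']) ? (int)$_GET['id'] : 0;
        $model = Post::model()->findByPk($id);
        if ($model === null) {
            // unknown id: fail closed instead of dereferencing null
            throw new CHttpException(404, 'The requested post does not exist.');
        }
        // Guests have a null id; compare as integers so '5' == 5 but null never matches.
        if (Yii::app()->user->isGuest
            || (int)$model->author_id !== (int)Yii::app()->user->id) {
            throw new CHttpException(403, 'You are not allowed to modify this post.');
        }
        $filterChain->run();  // ownership confirmed, continue to the action
    }

    public function actionUpdate($id)
    {
        // reached only after accessControl and ownerOnly both passed
        $model = Post::model()->findByPk((int)$id);
        // ... normal update handling ...
    }

    public function actionDelete($id)
    {
        Post::model()->findByPk((int)$id)->delete();
        $this->redirect(array('index'));
    }
}
```

The `+ update, delete` suffix in filters() is what limits the check to those actions, so index and view stay open to every logged-in user; accessControl is listed first so guests are rejected before any database lookup happens. Because the filter itself throws on a missing record or a non-owner, the actions never have to repeat the ownership test.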