Yii Framework Forum: Don't want user ID on URL on update - Yii Framework Forum

#1 rbn::dev

Posted 08 May 2011 - 10:12 PM

Hi u all :)

Still learning here about Yii, I have some questions.

I'm trying to make a user's profile edit in my Yii app, and I'm planning to make use of the CRUD ops generated by the Gii code generator.
My questions are, basically:

1) I've seen that a URL like http://mysite/index.php/user/update/3 would render a view of the user with id=3, ok. (obvious). What I'm trying to do is to just use a URL like mysite/index.php/user/update. A URL like mysite/index.php/user/update/{username} (where {username} is the actual name of the User) would be ok to me as well. How could I do this?

2) What I do not want is an authenticated user (and obviously a non-authenticated one either) to be able to see others' profiles or update them. Now, if I enter http://mysite/index.php/user/update/3, as I mentioned, I see user #3's profile, but if I enter http://mysite/index.php/user/update/4 I see that user's profile and I can edit/update. How could I restrict the access to others' information? I do not want a user to be able to view the list of all the users, etc...

In short:
I don't want the current user to be able to render http://mysite/index.php/user (this would cause the rendering of the list of all users)
I want the current user (id 3) to be able to render mysite/index.php/user/update/3 but not mysite/index.php/user/update/4 (other user id)

What is the easiest and simplest way to do it? I don't mind "inelegant" solutions as I'm in a hurry with this.

Thank you very much in advance, I'm into some kinda love/hate relationship with Yii. Hope the love may triumph though. ;)
0

#2 waterloomatt

Posted 08 May 2011 - 11:39 PM

You should restrict access to all actions except for the ones that allow logged in users to perform actions.

    public function accessRules()
    {
        return array(
            array('allow', // allow authenticated users to perform 'update' and 'view' actions
                'actions' => array('update', 'view'),
                'users' => array('@'),
            ),
            array('deny', // deny all users
                'users' => array('*'),
            ),
        );
    }


Controller:
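    // http://localhost/mySite/index.php/user/view
    // Notice that the $id is removed from the method signature.
    public function actionView()
    {
        // Load the logged-in user's own record; nothing is taken from the URL.
        // Requires that Yii::app()->user->id holds the user's primary key.
        $model = User::model()->findByPk(Yii::app()->user->id);
        if ($model === null)
            throw new CHttpException(404, 'The requested page does not exist.');

        $this->render('view', array(
            'model' => $model, // was loadModel($id), but $id is no longer defined
        ));
    }

    // http://localhost/mySite/index.php/user/update
    // Notice that the $id is removed from the method signature.
    public function actionUpdate()
    {
        $model = User::model()->findByPk(Yii::app()->user->id);
        if ($model === null)
            throw new CHttpException(404, 'The requested page does not exist.');

        if (isset($_POST['User']))
        {
            $model->attributes = $_POST['User'];

            // Redirect to 'view': 'admin' is denied by the access rules above.
            if ($model->save())
                $this->redirect(array('view'));
        }

        $this->render('update', array(
            'model' => $model,
        ));
    }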


Cheers,

Matt
0

#3 bonnie

Posted 13 September 2011 - 10:18 PM

You can define a filter in the access control and apply the filter only to those actions you want to restrict access to, like update, delete and admin stuff. If you need it I can post my code on how I did it.
0
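
If the id has to stay in the URL (the asker's `user/update/3` allowed, `user/update/4` refused), the ownership check can live in `accessRules()` itself. This is an added example, not code from any poster in this thread; it assumes Yii 1.1, a Gii-style `Controller` base class and `User` model, and that `UserIdentity::getId()` returns the user's primary key. `isOwnRecord` is a hypothetical helper name.

```php
<?php
// Added example (not from the thread): keep /user/update/<id> in the URL,
// but let each logged-in user reach only their own record.
// Assumption: UserIdentity::getId() returns the users-table primary key.
class UserController extends Controller
{
    public function filters()
    {
        return array('accessControl'); // enables accessRules() below
    }

    public function accessRules()
    {
        return array(
            array('allow',
                'actions' => array('view', 'update'),
                'users' => array('@'), // authenticated users only
                // The rule applies only when the requested id is the caller's own.
                'expression' => array($this, 'isOwnRecord'),
            ),
            array('deny', 'users' => array('*')), // index, admin, delete, other ids
        );
    }

    // CAccessRule callback; Yii calls it with ($user, $rule).
    public function isOwnRecord($user, $rule)
    {
        $id = Yii::app()->request->getQuery('id');
        // Reject missing or array-valued ids before comparing as strings.
        return is_scalar($id) && (string)$id === (string)$user->id;
    }

    public function actionUpdate($id)
    {
        $model = User::model()->findByPk($id);
        if ($model === null)
            throw new CHttpException(404, 'The requested page does not exist.');

        if (isset($_POST['User'])) {
            // Massive assignment copies only attributes marked "safe" in
            // User::rules(); keep fields such as a role flag out of that list.
            $model->attributes = $_POST['User'];
            if ($model->save())
                $this->redirect(array('view', 'id' => $model->id));
        }
        $this->render('update', array('model' => $model));
    }
}
```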
