Converting an existing project to Yii

Hey there,

I’ve taken on the task of converting an existing project to the Yii framework. Although I’ve been only using it for a week, I like Yii a lot. Symfony is the other framework I’ve tried, and it seemed too complicated for what I needed to do (also: YAML is annoying.) The Gii tool and Yii’s integration with jQuery finally sold me on the idea of converting this existing (though unpolished) project from pure PHP/jQuery over to Yii.

With that said, I wanted to throw out a few questions. Please forgive me if they have very obvious answers.

(1) The existing project (EP for short) defined two kinds of authenticated users – limited and unlimited. Along with user names and passwords, the user table in the database contains a boolean flag for whether a user is limited or not.

To implement this in Yii, I constructed a static function in my user model which returns all the unlimited users in the database in an array. Then, in my controller rules, for actions that only unlimited users can perform, I specify: ‘users’ => tblUser::getUnlimitedUsers.

For actions that both limited and unlimited users can perform, I simply specify ‘users’ => array(’@’), because both limited and unlimited users will be authenticated against the database (that code is already written and works wonderfully, but I need to have different user levels.)

My question is: is this a safe, effective way of distinguishing between my two classes of authenticated users? Or should I turn to a more Yii-centric approach, whatever that means?

(2) In the EP, I use the database for session management. All session vars for users are stored in the database, rather than in an unprotected space on the server (the EP is on a shared host.) Thus, when a user is authenticated, a record is made in the database itself, and when a session var is fetched, it is fetched from the database. To do this, I override the default PHP session methods.

My reason for doing this was a worry that other people sharing host space on the same machine would be able to look at the session variables and that this was unacceptable from a security perspective.

My question is: (a) am I just paranoid?, and (b) is there a way to make Yii store session information in the database?

Those are two issues I’ve encountered in adapting the EP to Yii. Any feedback would be greatly welcomed, especially from someone who has taken on a similar challenge.

UPDATE:

Okay, I found CDbHttpSession. So that takes care of part b of the second question. Still, am I just being paranoid?
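For reference, the CDbHttpSession setup the update refers to looks like the following. This is an added configuration example, not code from the original post; the DSN, credentials and table name are placeholders. With PHP's default file-backed sessions on a shared host, session files land in a common save path unless the hosting provider isolates it, so moving them into the application's own database (and hardening the cookie at the same time) is a reasonable precaution rather than paranoia.

```php
<?php
// protected/config/main.php (example fragment, not from the original thread).
// Moves PHP session storage out of the shared filesystem and into the
// application's database via CDbHttpSession.
return array(
    'components' => array(
        'db' => array(
            // Assumed connection details; replace with the real ones.
            'connectionString' => 'mysql:host=localhost;dbname=app',
            'username' => 'app',
            'password' => 'secret',
        ),
        'session' => array(
            'class' => 'CDbHttpSession',
            'connectionID' => 'db',
            'sessionTableName' => 'tbl_session',   // assumed table name
            'autoCreateSessionTable' => true,      // create the table on first use
            'timeout' => 1800,                     // seconds of inactivity before expiry
            'cookieMode' => 'only',                // never accept a session id from the URL
            'cookieParams' => array(
                'httponly' => true,                // keep the cookie out of reach of scripts
                'secure' => true,                  // assumes the site is served over HTTPS
            ),
        ),
    ),
);
```

The table can also be created by hand instead of with autoCreateSessionTable; the important point is that the session component is swapped in through configuration, so the hand-written overrides of PHP's session handlers from the existing project are no longer needed.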

You can use roles and add the rule on the roles, or you can build a function in the class WebUser and add the rule like that:

			array('allow', // allow unlimited users to perform these actions
				'actions'=>array('create','update', 'index','view', 'delete'),
				'expression'=>'Yii::app()->user->isUnlimited',
			),

There is no logical reason to read the whole database to know whether the current user is allowed to perform an action or not; we can just check the current user.

Excellent. I wasn’t aware you could use an expression in the rules array like that! Thank you!

And there is much more, take a look here!

Verrrry nice. I did notice one thing: when checking the user variable, I had to use Yii::app()->user->getState('unlimited'), rather than just checking Yii::app()->user->unlimited. The latter would return errors in cases where a user was not signed in and the variable was not set at all.

This was also an issue because I use the “visibility” property in CMenu to render certain menus depending on whether a user is logged in (and whether he is limited or not.) getState seems to return false when the value isn’t defined.

Weird. I tried messing around with combinations of isset(Yii::app()->user->unlimited) in my visibility specifications… that probably would have worked, but I didn’t press. Thanks for the assistance!
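Putting the pieces of this thread together (the expression rule from the first reply, and the getState-versus-property issue from the last two posts), here is one way to wire it up end to end. This is an added example, not code from the original project or thread. It assumes a Yii 1.1 application whose user table is the ActiveRecord class tblUser with columns id, username, password and unlimited (the boolean flag from the original post), that main.php declares the user component as 'user' => array('class' => 'WebUser'), and that passwords are stored as CPasswordHelper hashes; the controller and view names are illustrative.

```php
<?php
// protected/components/UserIdentity.php
// Copies the 'unlimited' flag into the session once, at login, so rules and
// menus only ever look at the current user rather than the whole user table.
class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $user = tblUser::model()->findByAttributes(array('username' => $this->username));
        if ($user === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!CPasswordHelper::verifyPassword($this->password, $user->password)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $user->id;
            $this->setState('unlimited', (bool) $user->unlimited);
            $this->errorCode = self::ERROR_NONE;
        }
        return !$this->errorCode;
    }

    public function getId()
    {
        return $this->_id;
    }
}

// protected/components/WebUser.php
// Exposes Yii::app()->user->isUnlimited. getState() is used with an explicit
// default because a bare Yii::app()->user->unlimited throws "Property is not
// defined" when nobody is logged in and the state was never set.
class WebUser extends CWebUser
{
    public function getIsUnlimited()
    {
        return !$this->isGuest && $this->getState('unlimited', false) === true;
    }
}

// protected/controllers/ReportController.php (assumed controller name)
class ReportController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            // Both user classes are authenticated, so '@' is enough here.
            array('allow', 'actions' => array('index', 'view'), 'users' => array('@')),
            // Only unlimited users may change data; the expression is evaluated per request.
            array('allow', 'actions' => array('create', 'update', 'delete'),
                'expression' => 'Yii::app()->user->isUnlimited'),
            // CAccessControlFilter allows access when no rule matches, so end with an
            // explicit deny or a new action is reachable by everyone.
            array('deny', 'users' => array('*')),
        );
    }
}

// protected/views/layouts/main.php (fragment): menu visibility uses the same getter,
// which is safe to call for guests because of the getState() default above.
$this->widget('zii.widgets.CMenu', array(
    'items' => array(
        array('label' => 'Reports', 'url' => array('/report/index'),
            'visible' => !Yii::app()->user->isGuest),
        array('label' => 'New report', 'url' => array('/report/create'),
            'visible' => Yii::app()->user->isUnlimited),
        array('label' => 'Login', 'url' => array('/site/login'),
            'visible' => Yii::app()->user->isGuest),
    ),
));
```

Two things worth checking in a real conversion: the trailing deny rule, since Yii's access filter is allow-by-default when nothing matches, and that the flag is only ever written to session state from the identity at login, so a user cannot promote themselves by editing a value the application later trusts.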