Single codebase, multiple websites - best approach?

Dear experts,

I’m looking to build out a Yii website where people can sign up and create their own blog. I’m wondering what the best approach is to restrict controller actions to only the current blog. For example, if I’m logged into www.mydomain.com/stevesblog, how do I ensure that I can only perform actions on stevesblog and not on johnsblog? Would a module be the solution here, with checks in beforeControllerAction?

Thanks in advance!

What I do, to simplify things, is to have a database for each user and 1 database to manage the CMSs, in your case, blogs.

If you really need to use 1 database, you apply filters to your controllers, and check the roles that you create using RBAC.

There are a lot of extensions to simplify RBAC management.

The multi-database one will simplify things a lot, trust me.

The only downside for my application is to have a more complex approach when dealing with database migrations.

If you go for the 1st option, use this extension I made to handle multiple databases.

Gustavo

<not an expert>

Is it only a blog or is there other ‘stuff’?

I like to make modules out of things that require broad rules (in every controller or model) and this seems to fit. In this case you have a very simple rule - only owners of content can add/delete/update it.

What I would do is define an ‘isOwner’ beforeControllerAction function in the module config itself. That way it is active on ALL module controllers and requires the person to be the owner of that content before they can mess with it.

Of course in order to write such a function you will need a way of determining blog author in your DB design.

</not an expert>
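
As an added example that is not part of any post in this thread, here is one way the module-level ownership check could look in Yii 1.1. The names `BlogModule`, `Blog`, `Post`, the columns `slug`, `owner_id` and `blog_id`, and the `blog` route parameter are all assumptions made for illustration.

```php
<?php
// Added example for Yii 1.1. Hypothetical names: BlogModule, Blog, Post,
// columns slug / owner_id / blog_id, and the "blog" route parameter.
class BlogModule extends CWebModule
{
    /** @var Blog the blog resolved from the URL for this request */
    public $currentBlog;

    // Allowlist of actions any visitor may run. Anything not listed here,
    // including actions added later, requires the blog owner (fail closed).
    private $readOnlyActions = array('index', 'view');

    public function beforeControllerAction($controller, $action)
    {
        if (!parent::beforeControllerAction($controller, $action)) {
            return false;
        }
        // Resolve the blog from the route only, never from a form field.
        $slug = Yii::app()->request->getQuery('blog');
        $blog = is_string($slug)
            ? Blog::model()->findByAttributes(array('slug' => $slug))
            : null;
        if ($blog === null) {
            throw new CHttpException(404, 'Blog not found.');
        }
        $this->currentBlog = $blog;

        if (in_array($action->id, $this->readOnlyActions, true)) {
            return true;
        }
        $user = Yii::app()->user;
        if ($user->isGuest || (string)$user->id !== (string)$blog->owner_id) {
            throw new CHttpException(403, 'You do not own this blog.');
        }
        return true;
    }

    // The hook only proves the user owns the blog named in the URL. Each
    // record must still be looked up by its id AND that blog's id, or a
    // post id from another blog could be edited through this blog's URL.
    public function loadPost($id)
    {
        $post = Post::model()->findByAttributes(array(
            'id' => $id,
            'blog_id' => $this->currentBlog->id,
        ));
        if ($post === null) {
            throw new CHttpException(404, 'Post not found.');
        }
        return $post;
    }
}
```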

Hmm… Multi-database is an interesting option, though I would be afraid of the refactoring required to add new features/options. It would also mean that the application would have to create a new database on the fly during signup. But I will check it out and see if it’s feasible, because it would simplify things…

Yes, there will be other stuff for sure: admin stuff, more users, approvals, profile pages, etc. So it’s not just a post-a-blog type of thing, which means everything that happens with the database/logins has to be filtered by blogId, which I will grab onBeginRequest.

There is also another extension I’ve made, if you use cPanel, that you can use to create/delete the databases and accounts also, in my case

And you can share the same codebase by pointing the index files to the same application (what I use is a symbolic link as the index and .htaccess file, so you only need to change once).

Dang, I’ve got Plesk