Halo everyone!,
I have one question, how to avoid GET parameters to be manipulated by end users. I have situation similar like in Agile book with trackster application, with issues and projects. But in my situation I have Pets model and Petsorganisation model. I’d like to add some organisation information under Pets. I have made context filter, all those are working correctly. I can create petsorganisation only if i have ‘pid’ prameters as GET parameter for example:
echo CHtml::link('Dodaj wizytę', array('petsorganisation/create', 'pid'=>$model->id));
http://localhost/milosnicyzwierzat/petsorganisation/create?pid=1
Problem is that now everyone can change this pid and add some petsorganisation to another pet, even if he/she is not an owner. How to avoid this situation. I think i should pass this ‘pid’ parameter as POST, but i don’t know how.
I tried this:
echo CHtml::link('Dodaj wizytę', '',array('submit'=> array('petsorganisation/create'), 'params'=>array('pid'=>$model->id)));
and I get to create form but after submitting I got my context filter message that there is no ‘pid’ parameter. Please let me know if you have any ideas
regards
lukBB
my petsOrganisation (lets say Issue) controller:
<?php
class PetsorganisationController extends Controller
{
private $_pet = null;
/**
* @var string the default layout for the views. Defaults to '//layouts/column2', meaning
* using two-column layout. See 'protected/views/layouts/column2.php'.
*/
public $layout='//layouts/pets';
/**
* @return array action filters
*/
public function filters()
{
return array(
'accessControl', // perform access control for CRUD operations
'petContext + create index update admin',
);
}
/**
* Specifies the access control rules.
* This method is used by the 'accessControl' filter.
* @return array access control rules
*/
public function accessRules()
{
return array(
array('allow', // allow all users to perform 'index' and 'view' actions
'actions'=>array('index','view'),
'users'=>array('*'),
),
array('allow', // allow authenticated user to perform 'create' and 'update' actions
'actions'=>array('create','update'),
'users'=>array('@'),
),
array('allow', // allow admin user to perform 'admin' and 'delete' actions
'actions'=>array('admin','delete'),
'users'=>array('admin'),
),
array('deny', // deny all users
'users'=>array('*'),
),
);
}
/**
* Displays a particular model.
* @param integer $id the ID of the model to be displayed
*/
public function actionView($id)
{
$this->render('view',array(
'model'=>$this->loadModel($id),
));
}
/**
* Creates a new model.
* If creation is successful, the browser will be redirected to the 'view' page.
*/
public function actionCreate()
{
$model=new Petsorganisation;
$model->petid = $this->_pet->id;
// Uncomment the following line if AJAX validation is needed
// $this->performAjaxValidation($model);
if(isset($_POST['Petsorganisation']))
{
$model->attributes=$_POST['Petsorganisation'];
if($model->save())
$this->redirect(array('//pets/view','id'=>$model->petid));
}
$this->render('create',array(
'model'=>$model,
));
}
/**
* Updates a particular model.
* If update is successful, the browser will be redirected to the 'view' page.
* @param integer $id the ID of the model to be updated
*/
public function actionUpdate($id)
{
$model=$this->loadModel($id);
// Uncomment the following line if AJAX validation is needed
// $this->performAjaxValidation($model);
if(isset($_POST['Petsorganisation']))
{
$model->attributes=$_POST['Petsorganisation'];
if($model->save())
$this->redirect(array('view','id'=>$model->id));
}
$this->render('update',array(
'model'=>$model,
));
}
/**
* Deletes a particular model.
* If deletion is successful, the browser will be redirected to the 'admin' page.
* @param integer $id the ID of the model to be deleted
*/
public function actionDelete($id)
{
if(Yii::app()->request->isPostRequest)
{
// we only allow deletion via POST request
$this->loadModel($id)->delete();
// if AJAX request (triggered by deletion via admin grid view), we should not redirect the browser
if(!isset($_GET['ajax']))
$this->redirect(isset($_POST['returnUrl']) ? $_POST['returnUrl'] : array('admin'));
}
else
throw new CHttpException(400,'Invalid request. Please do not repeat this request again.');
}
/**
* Lists all models.
*/
public function actionIndex()
{
$dataProvider=new CActiveDataProvider('Petsorganisation');
$this->render('index',array(
'dataProvider'=>$dataProvider,
));
}
/**
* Manages all models.
*/
public function actionAdmin()
{
$model=new Petsorganisation('search');
$model->unsetAttributes(); // clear any default values
if(isset($_GET['Petsorganisation']))
$model->attributes=$_GET['Petsorganisation'];
$this->render('admin',array(
'model'=>$model,
));
}
/**
* Returns the data model based on the primary key given in the GET variable.
* If the data model is not found, an HTTP exception will be raised.
* @param integer the ID of the model to be loaded
*/
public function loadModel($id)
{
$model=Petsorganisation::model()->findByPk((int)$id);
if($model===null)
throw new CHttpException(404,'The requested page does not exist.');
return $model;
}
/**
* Performs the AJAX validation.
* @param CModel the model to be validated
*/
protected function performAjaxValidation($model)
{
if(isset($_POST['ajax']) && $_POST['ajax']==='petsorganisation-form')
{
echo CActiveForm::validate($model);
Yii::app()->end();
}
}
protected function loadPet($petid)
{
//if the project property is null, create it based on input id
if($this->_pet===null)
{
$this->_pet=Pets::model()->findbyPk($petid);
if($this->_pet===null)
{
throw new CHttpException(404,'The requested pet does not exist.');
}
}
return $this->_pet;
}
public function filterPetContext($filterChain)
{
//set the project identifier based on either the GET or POST input
//request variables, since we allow both types for our actions
$petId = null;
if(isset($_GET['pid']))
$petId = $_GET['pid'];
else
if(isset($_POST['pid']))
$petId = $_POST['pid'];
$this->loadPet($petId);
//complete the running of other filters and execute the requested action
$filterChain->run();
}
}