Nah, ID nomor 1 ini bisa dengan mudah diganti di URL. Menyembunyikannya (misalnya lewat hidden field atau di form action) tidak menyelesaikan masalah, karena apa pun yang dikirim browser tetap bisa diubah oleh pengguna; pemeriksaan hak akses harus dilakukan di sisi server.
Caranya: di sisi server, cocokkan id author di artikelnya (author_id) dengan id user yang sedang login (Yii::app()->user->id), sehingga hanya pemilik artikel yang bisa mengubah atau menghapusnya.
Saya ada contohnya, tapi untuk menghapus Post. Bagian pentingnya ada di pencariannya: find('id=:pid AND author_id=:aid', array(':pid' => $_GET['id'], ':aid' => Yii::app()->user->id)) — nilai dari $_GET dan id user di-bind sebagai parameter query, bukan disambung langsung ke string SQL.
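/**
 * Deletes the post identified by $_GET['id'], but only when it belongs to
 * the logged-in user.
 *
 * Ownership is enforced inside the query: the row must match the requested
 * id AND author_id = the current user's id. A post that exists but belongs
 * to someone else therefore produces the same 404 as a missing post, so the
 * response does not reveal whether the id is valid.
 *
 * NOTE(review): requiring POST does not by itself protect against CSRF;
 * make sure CHttpRequest's enableCsrfValidation is on (or a CSRF token is
 * checked) so another site cannot trigger this action for a logged-in user.
 *
 * @throws CHttpException 400 when the request is not a POST
 * @throws CHttpException 403 when no user is logged in
 * @throws CHttpException 404 when the post does not exist or is not owned by the user
 */
public function actionDelete() {
    if (!Yii::app()->request->isPostRequest) {
        throw new CHttpException(400, 'Invalid request. Please do not repeat this request again.');
    }
    // Guests have no id; refuse explicitly rather than relying on
    // "author_id = NULL" never matching a row.
    if (Yii::app()->user->isGuest) {
        throw new CHttpException(403, 'You must be logged in to delete a post.');
    }
    if (isset($_GET['id'])) {
        // Bind the id as an integer (assumes integer primary keys, as in the
        // surrounding discussion) and the owner id from the session, never
        // from the request.
        $post = Post::model()->find(
            'id=:pid AND author_id=:aid',
            array(':pid' => (int) $_GET['id'], ':aid' => Yii::app()->user->id)
        );
        if ($post === null) {
            throw new CHttpException(404, 'The requested page does not exist.');
        }
        $post->delete();
    }
    $this->redirect(array('/'));
}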
Dengan catatan: pada saat login, id user (dari database) disimpan ke UserIdentity; contohnya lihat bagian $this->_id = $user->id pada kode di bawah. getId() di-override karena defaultnya (CUserIdentity) mengembalikan 'username', bukan 'id', sehingga Yii::app()->user->id pun akan berisi id dari database.
<?php
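/**
 * UserIdentity represents the data needed to identify a user.
 * It contains the authentication method that checks if the provided
 * data can identify the user.
 *
 * Users log in with an e-mail address instead of a username. The numeric
 * database id is kept in $_id so that getId() — and therefore
 * Yii::app()->user->id — returns the id rather than the username, which is
 * what ownership checks such as author_id = user id rely on.
 */
class UserIdentity extends CUserIdentity {
    /** @var mixed database id of the authenticated user, set by authenticate() */
    private $_id;
    /** @var string e-mail address entered on the login form */
    public $email;
    /** @var string plaintext password entered on the login form */
    public $password;

    /**
     * @param string $email    e-mail address entered on the login form
     * @param string $password plaintext password entered on the login form
     */
    public function __construct($email, $password) {
        $this->email = $email;
        $this->password = $password;
    }

    /**
     * Authenticates the user by e-mail and password.
     *
     * The e-mail lookup is case-insensitive and bound as a query parameter.
     * On success the database id and canonical e-mail are stored on the
     * identity.
     *
     * NOTE(review): ERROR_USERNAME_INVALID and ERROR_PASSWORD_INVALID are
     * distinct codes; if the login form shows different messages for them,
     * an attacker can enumerate registered e-mail addresses. Show the same
     * "incorrect e-mail or password" message for both.
     * NOTE(review): User::hasPassword() is defined elsewhere; it is assumed
     * to verify against a salted hash (e.g. password_verify) — confirm.
     * NOTE(review): this returns the error code, not a boolean as
     * IUserIdentity::authenticate() documents; ERROR_NONE is 0 (falsy) in
     * Yii, so a caller written as `if (!$identity->authenticate())` would
     * treat success as failure. Callers should compare
     * `$identity->errorCode === UserIdentity::ERROR_NONE`.
     *
     * @return int one of the CUserIdentity::ERROR_* codes
     */
    public function authenticate() {
        // Reject missing or non-string credentials (e.g. `email[]=` array
        // injection) up front: nothing to look up, and a blank password never
        // reaches the hash comparison.
        if (!is_string($this->email) || $this->email === '') {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
            return $this->errorCode;
        }
        if (!is_string($this->password) || $this->password === '') {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
            return $this->errorCode;
        }

        // Case-insensitive match on both sides; the value is bound as a
        // parameter, never concatenated into the SQL.
        $email = strtolower($this->email);
        $user = User::model()->find('LOWER(email)=?', array($email));

        if ($user === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        }
        elseif (!$user->hasPassword($this->password)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        }
        else {
            $this->_id = $user->id; // keep the database id so getId() can return it
            $this->username = $user->email;
            $this->errorCode = self::ERROR_NONE;
        }
        return $this->errorCode;
    }

    /**
     * Returns the database id stored by authenticate().
     *
     * Overridden because CUserIdentity::getId() returns the username by
     * default; CWebUser stores this value in the session as user->id.
     *
     * @return mixed the user's database id, or null before a successful authenticate()
     */
    public function getId() {
        return $this->_id;
    }
}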