How to limit access to model

I am trying to limit users’ access to data depending on their membership in a group. If the data belongs to the same group as the user, then the user has access to the data.

Where is the best place to implement the check for users’ access to data? I am thinking that I should add some sort of catch-all check in the model. Does anyone have any ideas on how to do this?

I am going to answer my own question. I think I need a filter.

http://www.yiiframework.com/doc/guide/1.1/en/basics.controller#filter

For retrieving data, it's convenient to use a defaultScope or scope to limit the data returned by your criteria. For updating/deleting you will need another method.
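The defaultScope suggestion above, together with a separate check for updating and deleting, as an added example (not code from any poster in this thread). It assumes Yii 1.1, a hypothetical `Document` model whose table has a `group_id` column, and a hypothetical `groupId` user state stored at login.

```php
<?php
// Added example, not from the thread. Assumptions: Yii 1.1, a `document` table
// with a `group_id` column, and a `groupId` user state set at login.
class Document extends CActiveRecord
{
    public static function model($className = __CLASS__) { return parent::model($className); }
    public function tableName() { return 'document'; }

    // Group of the logged-in user, or null for guests.
    protected function currentGroupId()
    {
        $user = Yii::app()->user;
        return $user->isGuest ? null : $user->getState('groupId');
    }

    // Reads: find*() queries on this model only see rows of the user's group.
    public function defaultScope()
    {
        $groupId = $this->currentGroupId();
        if ($groupId === null) {
            return array('condition' => '1=0'); // fail closed: no group, no rows
        }
        $alias = $this->getTableAlias(false, false); // false: do not re-enter scopes
        return array(
            'condition' => $alias . '.group_id = :scopeGroupId',
            'params' => array(':scopeGroupId' => $groupId),
        );
    }

    // Writes: updating/deleting need their own check, done in the AR hooks.
    protected function beforeSave() { return $this->groupAllowsWrite() && parent::beforeSave(); }
    protected function beforeDelete() { return $this->groupAllowsWrite() && parent::beforeDelete(); }

    protected function groupAllowsWrite()
    {
        $groupId = $this->currentGroupId();
        if ($groupId === null) {
            return false;
        }
        // Re-read through the scoped finder: null means the stored row is not ours.
        if (!$this->isNewRecord && self::model()->findByPk($this->getOldPrimaryKey()) === null) {
            return false;
        }
        $this->group_id = $groupId; // ignore any mass-assigned group_id
        return true;
    }
}
```

The hooks only run for `save()` and `delete()` on a loaded record; `updateAll()`, `deleteAll()` and the `*ByPk` variants do not fire `beforeSave`/`beforeDelete`, so calls to those need the group condition passed explicitly.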

Good idea. Thanks.

Whether you’re talking about developers or users of the applications, I recommend you do a basic check in the Yii class auto-loader to determine if the current user is authorized for access to a given model.

In your index.php, after the YiiBase class is loaded and before the main application class is invoked, unload the Yii default autoloader (using spl_autoload_unregister) and replace it with your own (using spl_autoload_register). Just copy the logic from the default one, and add your security checks before the class is brought into scope. Look in YiiBase.php for their usage of these two commands to get a hint.

For an example on where to replace the Yii auto-loader:

<?php

$yii=dirname(__FILE__).'/../../yii/framework/yii.php';

$config=dirname(__FILE__).'/protected/config/main.php';

require_once($yii);

//>> replace the Yii autoloader, here.

Yii::createWebApplication($config)->run();

Dustin Oprea