Yii Framework Forum: Chapter 7 ( User Roles Not Working ) - Yii Framework Forum

Chapter 7 ( User Roles Not Working )

#1 trance

  • Junior Member
  • Group: Members
  • Posts: 43
  • Joined: 26-February 13

Posted 12 May 2013 - 12:19 PM

Hello, I like your book but I am stuck on chapter 7.

Some of the tasks of chapter 7 are:

- Ensure our role and permission structure exists on a per-project basis (that is, allow users to have different permissions within different projects)

- Implement the necessary authorization access checking throughout the application to appropriately grant or deny access to the application user based on their permissions

Authorization checking based on user roles in a specific project is not working, even if you try it on the online TrackStar application.

For example: if you are User One, create some project, and assign User Two to be a reader, User Two will be able to update the project, and he shouldn't be.

The question is: how can we fix this?

Thanks

#2 trance

  • Junior Member
  • Group: Members
  • Posts: 43
  • Joined: 26-February 13

Posted 13 May 2013 - 12:14 PM

Okay, I have figured out how I can prevent users who are not the owners of a specific project from using the delete and update functionality. An example is given in the book and I have used it like this:

In the update and delete actions of the Project controller I have placed this code:

    // Load the project first, then ask the RBAC manager whether the current
    // user holds the 'owner' role within this particular project
    $project = $this->loadModel($id);
    if (!Yii::app()->user->checkAccess('owner', array('project' => $project)))
    {
        throw new CHttpException(403, 'You are not authorized to perform this action.');
    }


Now I am stuck with something else. I would like to prevent readers from updating, creating and deleting issues of the projects. I tried the same approach as with the projects, but it does not work.

Also it would be nice to make sure that users can update only the issues they posted. Unfortunately this is not the case now: anyone can delete and update everyone's issues.

Does anyone have any idea how we can do this?

EDIT: This is how I display the menu:

    // Project owners see the full menu, including update/delete/add user
    if (Yii::app()->user->checkAccess('owner', array('project' => $model)))
    {
        $this->menu = array(
            array('label' => 'List Project', 'url' => array('index')),
            array('label' => 'Create Project', 'url' => array('create')),
            array('label' => 'Update Project', 'url' => array('update', 'id' => $model->id)),
            array('label' => 'Delete Project', 'url' => '#', 'linkOptions' => array('submit' => array('delete', 'id' => $model->id), 'confirm' => 'Are you sure you want to delete this item?')),
            array('label' => 'Manage Project', 'url' => array('admin')),
            array('label' => 'Create Issue', 'url' => array('issue/create', 'pid' => $model->id)),
            array('label' => 'Add User To Project', 'url' => array('adduser', 'id' => $model->id)),
        );
    }
    // Members may create issues but not change the project itself
    elseif (Yii::app()->user->checkAccess('member', array('project' => $model)))
    {
        $this->menu = array(
            array('label' => 'List Project', 'url' => array('index')),
            array('label' => 'Create Project', 'url' => array('create')),
            array('label' => 'Create Issue', 'url' => array('issue/create', 'pid' => $model->id)),
        );
    }
    // Everyone else (readers) only gets the project-level links
    else
    {
        $this->menu = array(
            array('label' => 'List Project', 'url' => array('index')),
            array('label' => 'Create Project', 'url' => array('create')),
        );
    }


But the problem is that if a reader tries to access the create issue form by typing the direct link, like http://localhost/tra...ue/create&pid=3, he will be able to create an issue, and he shouldn't.

What do I have to do to prevent this?
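One way to close the gap raised in both posts above, as an added example that is not code from the book, from the TrackStar demo, or from the poster: the menu code only hides links, so the check has to run inside the Issue controller itself, where a reader who types issue/create&pid=3 directly is refused with the same 403 the project actions already return. The example is a Yii 1.1 controller filter that resolves the project on the server side (from pid for create, from the issue's own record for update and delete) and then asks checkAccess for the 'owner' and 'member' roles with array('project' => $project), exactly as the thread's existing code does. It assumes a Project model loadable by primary key, an Issue model with project_id and create_user_id columns (those attribute names are assumptions), a view action to redirect to, and the project's Controller base class; none of these come from the page.

```php
<?php
// Added example, not the book's, TrackStar's or the poster's code.
// Assumptions: Yii 1.1; a Project model; an Issue model with project_id and
// create_user_id columns (names assumed); RBAC roles 'owner' and 'member'
// whose business rules read $params['project'], as in the thread above.
class IssueController extends Controller
{
    /** @var Project the project the current request acts on (set by the filter) */
    private $_project = null;

    public function filters()
    {
        return array(
            'accessControl',
            // Run the authorization filter only for the state-changing actions
            'issueAuthorization + create, update, delete',
        );
    }

    /**
     * Resolve the project for this request and enforce the role check before
     * the action runs. Hiding a menu link is not a control: a reader who types
     * issue/create&pid=3 still reaches this filter and receives a 403.
     */
    public function filterIssueAuthorization($filterChain)
    {
        $user = Yii::app()->user;
        if ($this->getAction()->getId() === 'create') {
            // For create, the project id comes from the pid query parameter
            $project = $this->loadProject(Yii::app()->request->getQuery('pid'));
            $allowed = $this->userHasProjectRole(array('owner', 'member'), $project);
        } else {
            // For update/delete, derive the project from the issue, not from the URL
            $issue = $this->loadModel(Yii::app()->request->getQuery('id'));
            $project = $this->loadProject($issue->project_id);
            $isProjectOwner = $this->userHasProjectRole(array('owner'), $project);
            // Only the user who posted the issue (or the project owner) may change it
            $isAuthor = (int)$issue->create_user_id === (int)$user->id;
            $allowed = $isProjectOwner || $isAuthor;
        }
        if (!$allowed) {
            throw new CHttpException(403, 'You are not authorized to perform this action.');
        }
        $this->_project = $project;
        $filterChain->run();
    }

    /**
     * True if the current user holds any of the given roles within $project.
     * Each role is checked on its own, so the result does not depend on how the
     * role hierarchy and business rules happen to be wired together.
     */
    private function userHasProjectRole(array $roles, Project $project)
    {
        foreach ($roles as $role) {
            if (Yii::app()->user->checkAccess($role, array('project' => $project))) {
                return true;
            }
        }
        return false;
    }

    /** Load a project by primary key or respond with 404. */
    protected function loadProject($id)
    {
        $project = Project::model()->findByPk((int)$id);
        if ($project === null) {
            throw new CHttpException(404, 'The requested project does not exist.');
        }
        return $project;
    }

    /** Load an issue by primary key or respond with 404 (same shape Gii generates). */
    public function loadModel($id)
    {
        $issue = Issue::model()->findByPk((int)$id);
        if ($issue === null) {
            throw new CHttpException(404, 'The requested page does not exist.');
        }
        return $issue;
    }

    public function actionCreate()
    {
        $issue = new Issue;
        // Bind the issue to the project the filter verified, never to raw input
        $issue->project_id = $this->_project->id;
        if (isset($_POST['Issue'])) {
            $issue->attributes = $_POST['Issue'];
            // Record the author after mass assignment so it cannot be overridden
            $issue->create_user_id = Yii::app()->user->id;
            if ($issue->save()) {
                $this->redirect(array('view', 'id' => $issue->id));
            }
        }
        $this->render('create', array('model' => $issue));
    }
}
```

The filter is the only place the project is resolved, so the create action never trusts a project id from the form body, and the update and delete actions take the project from the stored issue rather than from anything the client sends. The menu code in the post above can stay as it is; it just stops being the thing that decides who may act.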
