I am a new Yii user; I have started using Yii 1.1.6.
Since I read the OWASP Top Ten vulnerabilities, I have been concerned about the security of web applications. I started building a simple application to prevent the vulnerabilities listed in the OWASP Top Ten. I could manage SQL injection, broken authentication and session management, and XSS vulnerabilities. I am trying to protect my simple Yii application against insecure direct object reference flaws.
What I actually want is that, when a user logs in, he/she should be able to view only his/her own profile page. Right now, if a user logs in, the user can create, update, and view all users as well as the profile of each user. How can I control this using the access rules method? For example, if I change the URL framework/yii/index.php/users/12 to framework/yii/index.php/users/14, it will display the other user's profile as well.
I am not even sure whether I can control it with access rules. I hope I have explained it properly.
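One way to close the hole described above in Yii 1.1, as an added example that is not the poster's code: access rules decide who may reach an action, and an ownership check inside the action decides which record they may see. It assumes a `User` ActiveRecord model, a `UsersController`, and that `Yii::app()->user->id` holds the logged-in user's primary key (the usual result of `UserIdentity::getId()` after login).

```php
<?php
// Added example, not the poster's code. Assumes a Yii 1.1 "User" model
// and that Yii::app()->user->id holds the logged-in user's primary key.
class UsersController extends CController
{
    public function filters()
    {
        // Turn on accessRules() for this controller.
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            // Only authenticated users ('@') may reach view/update.
            // Access rules see the route and the user, not which row the
            // id parameter points at, so ownership is checked in the action.
            array('allow',
                'actions' => array('view', 'update'),
                'users'   => array('@'),
            ),
            array('deny', 'users' => array('*')),
        );
    }

    // Load a profile only if it belongs to the current session's user.
    // The session, not the URL, is the source of truth, so changing
    // users/12 to users/14 yields a 403 instead of another user's row.
    protected function loadOwnModel($id)
    {
        if ((string)$id !== (string)Yii::app()->user->id) {
            throw new CHttpException(403, 'You may only access your own profile.');
        }
        $model = User::model()->findByPk($id);
        if ($model === null) {
            throw new CHttpException(404, 'The requested profile does not exist.');
        }
        return $model;
    }

    public function actionView($id)
    {
        $this->render('view', array('model' => $this->loadOwnModel($id)));
    }

    public function actionUpdate($id)
    {
        $model = $this->loadOwnModel($id);
        if (isset($_POST['User'])) {
            $model->attributes = $_POST['User']; // only "safe" attributes are assigned
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }
        $this->render('update', array('model' => $model));
    }
}
```

Every action that takes a record id should go through `loadOwnModel()` (or an equivalent ownership check), since an access rule alone cannot tell one user's id from another's.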