I've seen many tickets regarding how to show friendly delete confirmation using CGridView's CButtonColumn in ajax request. If you are using relational database, after producing CRUD functionality when you try to delete a record in ajax mode which has child record it can't be deleted and you can see the ajax loader forever. By this way you can't show the users if a record has been successfully deleted or if there are some problem in flash style (setFlash() / getFlash())
This article is called extended guide is because there is already a security guide in the Yii tutorial security section. but that guide is not complete in the sense that it does not rise the developers' attention to some other commonly happening attacks: SQL injection and magic URL, which can be major vulnerabilities in your application without much caring.
Sometimes we get lost trying to search by a HAS_MANY relation using CActiveRecord or CActiveDataProvider. This article is a series of drills that try to describe the practical techniques of searching by a HAS_MANY relation.