Chapter 7 (User Roles Not Working)

Hello, I like your book but I am stuck on chapter 7.

Some of the tasks of chapter 7 are:

  • Ensure our role and permission structure exists on a per-project basis (that is, allow users to have different permissions within different projects)

  • Implement the necessary authorization access checking throughout the application to appropriately grant or deny access to the application user based on their permissions

Authorization checking based on user roles in a specific project is not working, even if you try it on the online TrackStar application.

For example: if you are User One, create some project and assign User Two to be a reader, User Two will be able to update the project, which he should not be able to do.

The question is: how can we fix this?

Thanks

Okay, I have figured out how I can prevent users who are not the owners of a specific project from using the delete and update functionality. An example is given in the book and I have used it like this:

In the update and delete actions of the Project controller I have placed this code:

    // Load the project the request is about and check the caller's role in it;
    // the 'owner' business rule receives the Project through $params['project'].
    $project = $this->loadModel($id);
    if (!Yii::app()->user->checkAccess('owner', array('project' => $project)))
    {
        throw new CHttpException(403, 'You are not authorized to perform this action.');
    }

Now I am stuck with something else. I would like to prevent readers from updating, creating and deleting Issues of the Projects. I tried the same approach as with the projects, but it does not work.

Also, it would be nice to make sure that users can update only the issues they posted. Unfortunately this is not the case now: anyone can delete and update anyone's issues.

Does anyone have any idea how we can do this?

EDIT: This is how I display the menu:

    // The menu shown on the project page depends on the caller's role in $model.
    if (Yii::app()->user->checkAccess('owner', array('project' => $model)))
    {
        $this->menu = array(
            array('label' => 'List Project', 'url' => array('index')),
            array('label' => 'Create Project', 'url' => array('create')),
            array('label' => 'Update Project', 'url' => array('update', 'id' => $model->id)),
            array('label' => 'Delete Project', 'url' => '#', 'linkOptions' => array('submit' => array('delete', 'id' => $model->id), 'confirm' => 'Are you sure you want to delete this item?')),
            array('label' => 'Manage Project', 'url' => array('admin')),
            array('label' => 'Create Issue', 'url' => array('issue/create', 'pid' => $model->id)),
            array('label' => 'Add User To Project', 'url' => array('adduser', 'id' => $model->id)),
        );
    }
    elseif (Yii::app()->user->checkAccess('member', array('project' => $model)))
    {
        $this->menu = array(
            array('label' => 'List Project', 'url' => array('index')),
            array('label' => 'Create Project', 'url' => array('create')),
            array('label' => 'Create Issue', 'url' => array('issue/create', 'pid' => $model->id)),
        );
    }
    else
    {
        $this->menu = array(
            array('label' => 'List Project', 'url' => array('index')),
            array('label' => 'Create Project', 'url' => array('create')),
        );
    }


But the problem is that if a reader tries to access the create issue form by typing the direct link, like http://localhost/trackstar/index.php?r=issue/create&pid=3, he will be able to create an issue, and he should not be able to.

What do I have to do to prevent this?
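The menu code above only decides which links are rendered; it is not access control, and a hand-typed URL bypasses it completely. The gate has to be the same kind of `checkAccess` call as in the Project controller, placed inside every issue action, with a real Project handed to the business rule. Below is an added example of an IssueController written that way; it is not code from the book or from the TrackStar project. It assumes the chapter 7 set-up: the roles `owner`, `member` and `reader` exist in the authManager with business rules that read `$params['project']` as a Project instance (owner implying member, member implying reader), the Issue model has a BELONGS_TO relation named `project`, and Issue has a column recording who posted it (`create_user_id` is assumed here; use whatever column the schema has). The `Controller` base class, `Project` and `Issue` are the TrackStar classes.

```php
<?php
// Added example; not the book's or TrackStar's own code. Assumes the chapter 7
// per-project roles ('owner' > 'member' > 'reader') whose business rules read
// $params['project'] as a Project, an Issue->project BELONGS_TO relation, and an
// Issue column naming the user who posted it (create_user_id is assumed).
class IssueController extends Controller
{
    /**
     * The menu only controls what links are rendered; this is the real gate.
     * Checking the role against the project inside the action means a typed
     * URL (index.php?r=issue/create&pid=3) is refused exactly like a link the
     * reader never saw in the menu. A missing project is refused as well.
     */
    protected function requireProjectRole($role, $project)
    {
        if (!($project instanceof Project)
            || !Yii::app()->user->checkAccess($role, array('project' => $project))) {
            throw new CHttpException(403, 'You are not authorized to perform this action.');
        }
    }

    /**
     * Update and delete are allowed to the user who posted the issue and to
     * the project owner; everyone else, readers included, gets a 403.
     */
    protected function requireIssueEditable(Issue $issue)
    {
        $this->requireProjectRole('member', $issue->project);
        $isPoster = (int) $issue->create_user_id === (int) Yii::app()->user->id;
        if (!$isPoster
            && !Yii::app()->user->checkAccess('owner', array('project' => $issue->project))) {
            throw new CHttpException(403, 'You may only change issues you posted.');
        }
    }

    public function actionCreate()
    {
        // For a new issue the project can only come from the request, so it is
        // looked up and the role checked before any form handling happens.
        $pid = Yii::app()->request->getQuery('pid');
        $project = $pid === null ? null : Project::model()->findByPk((int) $pid);
        if ($project === null) {
            throw new CHttpException(404, 'The requested project does not exist.');
        }
        $this->requireProjectRole('member', $project);   // readers cannot create

        $issue = new Issue;
        if (isset($_POST['Issue'])) {
            $issue->attributes = $_POST['Issue'];
            // Bind ownership server-side; never trust these two fields from the form.
            $issue->project_id = $project->id;
            $issue->create_user_id = Yii::app()->user->id;
            if ($issue->save()) {
                $this->redirect(array('view', 'id' => $issue->id));
            }
        }
        $this->render('create', array('model' => $issue, 'project' => $project));
    }

    public function actionUpdate($id)
    {
        // The project is taken from the stored issue, not from the URL, so the
        // caller cannot name some other project in which he holds a role.
        $issue = $this->loadModel($id);
        $this->requireIssueEditable($issue);
        if (isset($_POST['Issue'])) {
            $projectId = $issue->project_id;
            $issue->attributes = $_POST['Issue'];
            $issue->project_id = $projectId;             // an issue cannot be moved
            if ($issue->save()) {
                $this->redirect(array('view', 'id' => $issue->id));
            }
        }
        $this->render('update', array('model' => $issue));
    }

    public function actionDelete($id)
    {
        $issue = $this->loadModel($id);
        $this->requireIssueEditable($issue);
        $projectId = $issue->project_id;
        $issue->delete();
        if (!isset($_GET['ajax'])) {
            $this->redirect(array('project/view', 'id' => $projectId));
        }
    }

    public function loadModel($id)
    {
        // Eager-load the project so every check above runs against the stored row.
        $issue = Issue::model()->with('project')->findByPk((int) $id);
        if ($issue === null) {
            throw new CHttpException(404, 'The requested page does not exist.');
        }
        return $issue;
    }
}
```

Two points worth keeping in mind. First, the `accessControl` filter and `accessRules()` only know the user, not the project, so they cannot express "member of this project"; that is why the per-project check lives in the action (or in a filter that has already loaded the project, like the book's projectContext filter). Second, if `checkAccess` is called with an Issue model in `$params['project']`, a business rule written for a Project has nothing to ask about the caller's role and denies access, which is one reason copying the project check verbatim into the issue actions "does not work": hand it `$issue->project`, or the Project loaded from `pid`, as above. Keep the menu code for usability, but treat it as cosmetic.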