
I don't know the best approach for access rules for the creator of a model in the controller. I usually use something like this:

    public function accessRules() {
        return array(
            ...

            // allow the creator to perform these actions; isCreator() is
            // called by CAccessRule with the current web user as its argument
            array('allow',
                'actions' => array('docrop', 'cropimages', 'upload', 'setting', 'updateprivacy', 'updateuser', 'changepassword'),
                'expression' => array($this, 'isCreator'),
            ),
            ...

        );
    }

And then in that controller I'm using this function to check the access rule:

    public function isCreator() {
        $hasil = false;
        // "creator" here means: the id in the URL equals the logged-in user's id
        if (isset($_GET['id'])) {
            $idUser = $_GET['id'];
            $hasil = ($idUser == Yii::app()->user->id);
        }
        return $hasil;
    }

And then if I want to create the URL, I always include the id parameter in it. Is this the best approach, or is there an alternative way that is better than this?

zishe
mrhands
You can use RBAC. Check http://www.yiiframework.com/doc/guide/1.1/en/topics.auth#role-based-access-control – dInGd0nG Feb 03 '13 at 11:45

1 Answer

Your current approach would allow users to change the id in the URL, giving them access to all actions. If you really would like to keep this method, I suggest using some kind of hashing method to make it less brute-forceable, in combination with e.g. the user's IP address for more security: $hashFromUrl == md5(Yii::app()->user->id . CHttpRequest::getUserHostAddress()). Nonetheless, I discourage this approach.

As the method is called isCreator(), I assume that you want to check whether the current user is the creator/author of an existing model in the database. Can't you use a creatorId field on this model to compare against the current user's id? No client-side hacks are required then.

JonathanStevens
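The approach the answer recommends, as an added example that is not part of the question or the answer: the id in the URL only selects the record, and ownership is read from a creator_id column that the server sets itself. The model name Post, the column creator_id and the actions listed are assumptions.

```php
<?php
// Added example (not from the question or answer). Assumes a Post model
// with an integer creator_id column and a PostController in Yii 1.1.

class Post extends CActiveRecord
{
    public static function model($className = __CLASS__) { return parent::model($className); }
    public function tableName() { return 'post'; }

    // Stamp the creator on the server when the record is first saved, so the
    // client never supplies it.
    protected function beforeSave()
    {
        if ($this->isNewRecord) {
            $this->creator_id = Yii::app()->user->id;
        }
        return parent::beforeSave();
    }
}

class PostController extends CController
{
    public function filters() { return array('accessControl'); }

    public function accessRules()
    {
        return array(
            array('allow',
                'actions'    => array('update', 'delete', 'setting'),
                'users'      => array('@'),              // authenticated users only
                'expression' => array($this, 'isCreator'),
            ),
            array('deny', 'users' => array('*')),       // everything else is denied
        );
    }

    // CAccessRule calls the callback with the current CWebUser as first argument.
    public function isCreator($user)
    {
        $id = Yii::app()->request->getQuery('id');
        if ($id === null) {
            return false;
        }
        $model = Post::model()->findByPk((int) $id);
        // Changing id in the URL just selects a different record; access is
        // granted only if that record's stored creator_id matches the session user.
        return $model !== null && (int) $model->creator_id === (int) $user->id;
    }
}
```

A request for a record the user did not create fails the rule and hits the final deny, so no per-URL hash or client-side value is involved in the decision.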