
How can I limit a user's access to the information of their profile in the YII framework?

How can I limit users' access to the information of others?

I've tried a controller for Users, and they can access the index of the controller for other users. Please describe to me how to change the settings in the YII framework so that each user can only access their own information.

I am using version 1.1.X.

Here again, I've got my previous problem: I want them to see only their own notes.

<?php

class TextController extends Controller
{
    /**
     * @var string the default layout for the views. Defaults to '//layouts/column2', meaning
     * using two-column layout. See 'protected/views/layouts/column2.php'.
     */
    public $layout='//layouts/column2';

    /**
     * @return array action filters
     */
    public function filters()
    {
        return array(
            'accessControl', // perform access control for CRUD operations
            'postOnly + delete', // we only allow deletion via POST request
        );
    }

    /**
     * Specifies the access control rules.
     * This method is used by the 'accessControl' filter.
     * @return array access control rules
     */
    public function accessRules()
    {
        return array(
            array('allow',  // allow all users to perform 'index' and 'view' actions
                'actions'=>array('index','view'),
                'users'=>array('*'),
            ),
            array('allow', // allow authenticated user to perform 'create' and 'update' actions
                'actions'=>array('create','update'),
                'users'=>array('@'),
            ),
            array('allow', // allow admin user to perform 'admin' and 'delete' actions
                'actions'=>array('admin','delete'),
                'users'=>array('admin'),
            ),
            array('deny',  // deny all users
                'users'=>array('*'),
            ),
        );
    }

    /**
     * Displays a particular model.
     * @param integer $id the ID of the model to be displayed
     */
    public function actionView($id)
    {
        $this->render('view',array(
            'model'=>$this->loadModel($id),
        ));
    }

    /**
     * Creates a new model.
     * If creation is successful, the browser will be redirected to the 'view' page.
     */
    public function actionCreate()
    {
        $model=new Text;

        // Uncomment the following line if AJAX validation is needed
        // $this->performAjaxValidation($model);

        if(isset($_POST['Text']))
        {
            $model->attributes=$_POST['Text'];
            if($model->save())
                $this->redirect(array('view','id'=>$model->id));
        }

        $this->render('create',array(
            'model'=>$model,
        ));
    }

    /**
     * Updates a particular model.
     * If update is successful, the browser will be redirected to the 'view' page.
     * @param integer $id the ID of the model to be updated
     */
    public function actionUpdate($id)
    {
        $model=$this->loadModel($id);

        // Uncomment the following line if AJAX validation is needed
        // $this->performAjaxValidation($model);

        if(isset($_POST['Text']))
        {
            $model->attributes=$_POST['Text'];
            if($model->save())
                $this->redirect(array('view','id'=>$model->id));
        }

        $this->render('update',array(
            'model'=>$model,
        ));
    }

    /**
     * Deletes a particular model.
     * If deletion is successful, the browser will be redirected to the 'admin' page.
     * @param integer $id the ID of the model to be deleted
     */
    public function actionDelete($id)
    {
        $this->loadModel($id)->delete();

        // if AJAX request (triggered by deletion via admin grid view), we should not redirect the browser
        if(!isset($_GET['ajax']))
            $this->redirect(isset($_POST['returnUrl']) ? $_POST['returnUrl'] : array('admin'));
    }

    /**
     * Lists all models.
     */
    public function actionIndex()
    {
        $dataProvider=new CActiveDataProvider('Text');
        $this->render('index',array(
            'dataProvider'=>$dataProvider,
        ));
    }

    /**
     * Manages all models.
     */
    public function actionAdmin()
    {
        $model=new Text('search');
        $model->unsetAttributes();  // clear any default values
        if(isset($_GET['Text']))
            $model->attributes=$_GET['Text'];

        $this->render('admin',array(
            'model'=>$model,
        ));
    }

    /**
     * Returns the data model based on the primary key given in the GET variable.
     * If the data model is not found, an HTTP exception will be raised.
     * @param integer $id the ID of the model to be loaded
     * @return Text the loaded model
     * @throws CHttpException
     */
    public function loadModel($id)
    {
        $model=Text::model()->findByPk($id);
        if($model===null)
            throw new CHttpException(404,'The requested page does not exist.');
        return $model;
    }

    /**
     * Performs the AJAX validation.
     * @param Text $model the model to be validated
     */
    protected function performAjaxValidation($model)
    {
        if(isset($_POST['ajax']) && $_POST['ajax']==='text-form')
        {
            echo CActiveForm::validate($model);
            Yii::app()->end();
        }
    }
}

Limiting the Show is solved. But a user can access the notes made by others through the URL: to do this, that person can change the number at the top, and then he can access other users' information. What can I do for this problem?

You need to add the criteria to your data provider as follows (make sure that the field name in the database is user_id; if not, you need to change it in the snippet):

public function actionIndex()
{
    // restrict the listing to rows owned by the logged-in user
    $dataProvider=new CActiveDataProvider('Text',array(
        'criteria' => array(
            'condition' => 'user_id=:user_id',
            'params' => array(':user_id' => Yii::app()->user->id),
        ),
    ));
    $this->render('index',array(
        'dataProvider'=>$dataProvider,
    ));
}

Check by user ID. You can get the logged-in user's ID with Yii::app()->user->id. In the search function of your model, just add the line below, if your data provider uses this search function:

// compare the note's owner column (user_id), not the note's own primary key
$criteria->compare('user_id',Yii::app()->user->id);

I think it will fulfil your requirement.

Ibrahim's answer works for the Index. I did mine a little differently:

public function actionIndex()
{
    $criteria = new CDbCriteria();
    $criteria->compare('user_id', Yii::app()->user->id);
    $dataProvider=new CActiveDataProvider('UserExpenses', array('criteria'=>$criteria));

    $this->render('index',array(
        'dataProvider'=>$dataProvider,
    ));
}

If you want to block specific IDs, that would be the actionDelete, actionUpdate, actionView, etc. Make each of them similar to this:

public function actionView($id)
{
    $thismodel = $this->loadModel($id);
    // send users who do not own this record back to their own index
    if($thismodel->user_id != Yii::app()->user->id)
        $this->redirect(array('index'));
    else
        $this->render('view',array(
            'model'=>$thismodel,
        ));
}

Also, in the model, you will want to modify the search() to have the same compare condition, or that will show all of them as well. You may want to show all of them in some instances, as it's used by the actionAdmin.
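Putting the ownership check once in loadModel() covers view, update and delete together, rather than repeating it in each action as the answer above does. This is an added example, not code from the question or from any of the answers; it assumes the Text model has a user_id column (as the answers do) and a Controller base class as in the generated code, and it omits actionIndex, which is scoped exactly as shown in the answers above.

```php
<?php
// Added example, not code from the question or the answers: the ownership check
// lives in loadModel(), so view, update and delete inherit it, and actionCreate()
// stamps user_id server-side so the client cannot choose the owner.
// Assumes a Text model with a user_id column, as the answers above do.
class TextController extends Controller
{
    public function filters()
    {
        return array('accessControl', 'postOnly + delete');
    }
    public function accessRules()
    {
        return array(
            // '@' = logged-in users only; a '*' rule for index/view would let guests read notes
            array('allow', 'actions'=>array('index','view','create','update','delete'),
                'users'=>array('@')),
            array('allow', 'actions'=>array('admin'), 'users'=>array('admin')),
            array('deny', 'users'=>array('*')),
        );
    }
    public function actionCreate()
    {
        $model=new Text;
        if(isset($_POST['Text']))
        {
            $model->attributes=$_POST['Text'];
            // assigned after mass assignment, so a posted user_id is overwritten
            $model->user_id=Yii::app()->user->id;
            if($model->save())
                $this->redirect(array('view','id'=>$model->id));
        }
        $this->render('create', array('model'=>$model));
    }
    /** 404 for an unknown id, 403 when the note belongs to someone else. */
    public function loadModel($id)
    {
        $model=Text::model()->findByPk((int)$id);
        if($model===null)
            throw new CHttpException(404,'The requested page does not exist.');
        if($model->user_id!=Yii::app()->user->id)
            throw new CHttpException(403,'You are not allowed to access this note.');
        return $model;
    }
}
```

The admin user is bound by the same loadModel() check here; if admins should be able to manage every note, exempt them explicitly in that check. Returning 403 instead of a silent redirect also leaves a log entry when someone edits the id in the URL.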
