Larry Ullman's Book Forums

kakooljay

Members
  • Posts

    2
  • Joined

  • Last visited

Posts posted by kakooljay

  1. How does the code below (p. 268) work? Is it definitely correct? Can someone walk me through this? 
     
    In actionSetup (A): Why is updateUser a child of updateOwnUser? Doesn't that mean anyone who can update his/her OWN user info can also update anyone else's? 
     
    In the controller (B): Why is checkAccess (array('id' => $id)) used on updateUser instead of updateOwnUser? Does updateUser even use the ID parameter?
     
    Please help - thanks...
    Quite confused!
     
     
    Code A:
     
    # protected/controllers/SiteController.php::actionSetup()
    $auth = Yii::app()->authManager;
    // Create operations.
    // Task whose business rule only passes when the 'id' parameter
    // handed to checkAccess() matches the logged-in user's id.
    $task = $auth->createTask('updateOwnUser',
        'Allows a user to update her record',
        'return $params["id"] == Yii::app()->user->id;');
    // The 'updateUser' operation becomes a child of this task.
    $task->addChild('updateUser');
     
    Code B:
     
    # protected/controllers/UserController.php
    public function actionUpdate($id) {
        $model = $this->loadModel($id);
        // The 'id' parameter is passed up the hierarchy so that the
        // business rule of any parent item (e.g. updateOwnUser) can use it.
        if (!Yii::app()->user->checkAccess('updateUser',
            array('id' => $id))) {
            throw new CHttpException(403,
                'You are not allowed to do this.');
        }
        // Code for doing this.
    }
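
To show why the hierarchy in Code A does not let a member edit other people's records, here is a small Python model of how Yii 1's CAuthManager::checkAccess() walks from the requested item up through its parents, evaluating each item's business rule with the same $params on the way. This is an added example, not code from kakooljay's post or from the Yii book; the 'member' and 'admin' roles, the user ids and the function names are assumptions made for the illustration.

```python
# Added example: a model of Yii 1's upward checkAccess() traversal.
# Item names mirror the forum post; roles and user ids are assumed.

CURRENT_USER_ID = 7  # stands in for Yii::app()->user->id

# item name -> (bizrule callable or None, list of child item names)
ITEMS = {
    "updateUser": (None, []),                  # operation: edit any user record
    # task from Code A: bizrule passes only when params['id'] is the current user
    "updateOwnUser": (lambda p: p.get("id") == CURRENT_USER_ID, ["updateUser"]),
    "member": (None, ["updateOwnUser"]),       # assumed role: can edit own record
    "admin": (None, ["updateUser"]),           # assumed role: updateUser directly
}


def parents_of(name):
    """Items that list `name` as a child (Yii walks these, not the children)."""
    return [n for n, (_, kids) in ITEMS.items() if name in kids]


def check_access(name, assignments, params):
    """Mimic CAuthManager::checkAccessRecursive: an item grants access only if
    its bizrule passes with `params` AND either it is assigned to the user or
    some parent item, checked recursively with the same params, grants it."""
    rule, _ = ITEMS[name]
    if rule is not None and not rule(params):
        return False  # bizrule failed: this branch can never grant access
    if name in assignments:
        return True
    return any(check_access(p, assignments, params) for p in parents_of(name))


def can_update(role, target_id):
    """Mirror the controller: checkAccess('updateUser', array('id' => $id))."""
    return check_access("updateUser", {role}, {"id": target_id})


if __name__ == "__main__":
    for role, target in (("member", 7), ("member", 8), ("admin", 8)):
        print(f"{role} updating user {target}: {can_update(role, target)}")
```

The member's request for id 7 reaches updateUser, climbs to updateOwnUser (bizrule true) and then to the assigned role; for id 8 the bizrule fails, so that branch is cut and no other path leads to a role the member holds.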
     

     
