How does the code below (p. 268) work? Is it definitely correct? Can someone walk me through this?
In actionSetup (A): Why is updateUser a child of updateOwnUser? Doesn't that mean anyone who can update his/her OWN user info can also update anyone else's?
In the controller (B): Why is checkAccess(array('id' => $id)) used on updateUser instead of updateOwnUser? Does updateUser even use the ID parameter?
Please help - thanks...
Quite confused!
Code A:
# protected/controllers/SiteController.php::actionSetup()
$auth = Yii::app()->authManager;
// Create operations.
$task = $auth->createTask('updateOwnUser',
'Allows a user to update her record',
'return $params["id"] == Yii::app()->user->id;');
$task->addChild('updateUser');
Code B:
# protected/controllers/UserController.php
public function actionUpdate($id) {
    $model = $this->loadModel($id);
    // The record id is passed as $params so the business rule can compare it
    // with the current user's id.
    if (!Yii::app()->user->checkAccess('updateUser',
            array('id' => $id))) {
        throw new CHttpException(403,
            'You are not allowed to do this.');
    }
    // Code for doing this.
}
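A runnable model of the check, added here as an example and not code from the book or from Yii: it mimics how Yii 1.x checkAccess() walks from the requested item up through its parents, evaluating each item's business rule with the same params, which is why updateUser can be reached through updateOwnUser only when the id matches. The member and admin roles and the user ids 7 and 1 are constructed for the example.

```python
# Added example (not Yii's or the book's code): a simplified model of how Yii 1.x
# CAuthManager::checkAccess() resolves an item by walking UP the hierarchy
# (child -> parents), evaluating each item's business rule against $params.
# The 'member'/'admin' roles and the user ids 7 and 1 are constructed.

class AuthItem:
    def __init__(self, name, biz_rule=None):
        self.name = name
        self.biz_rule = biz_rule   # callable(params, user_id) -> bool, or None
        self.parents = []          # items that list this one as a child

class AuthManager:
    def __init__(self):
        self.items = {}
        self.assignments = {}      # user_id -> set of directly assigned items

    def create_item(self, name, biz_rule=None):
        self.items[name] = AuthItem(name, biz_rule)

    def add_child(self, parent, child):   # Yii: $parent->addChild($child)
        self.items[child].parents.append(self.items[parent])

    def assign(self, item_name, user_id):
        self.assignments.setdefault(user_id, set()).add(item_name)

    def check_access(self, item_name, user_id, params):
        item = self.items[item_name]
        # 1. The item's own business rule must pass for these params.
        if item.biz_rule is not None and not item.biz_rule(params, user_id):
            return False
        # 2. Directly assigned to this user: granted.
        if item_name in self.assignments.get(user_id, set()):
            return True
        # 3. Otherwise reach it via a parent, checking each with the same params.
        return any(self.check_access(p.name, user_id, params) for p in item.parents)

def build_auth():
    # Hierarchy from the post, plus constructed roles and assignments.
    auth = AuthManager()
    auth.create_item("updateUser")                                # operation
    auth.create_item("updateOwnUser",                             # task; bizRule is
                     lambda params, uid: params["id"] == uid)    # '$params["id"] == user->id'
    auth.add_child("updateOwnUser", "updateUser")                 # $task->addChild('updateUser')
    auth.create_item("member")                                    # constructed role
    auth.add_child("member", "updateOwnUser")
    auth.create_item("admin")                                     # constructed role
    auth.add_child("admin", "updateUser")                         # unconditional updateUser
    auth.assign("member", 7)
    auth.assign("admin", 1)
    return auth
```

With this hierarchy, check_access("updateUser", 7, {"id": 7}) is granted through updateOwnUser, {"id": 9} is refused for user 7 because the only path runs through the failing business rule, and user 1 (admin) is granted for any id because admin holds updateUser directly.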