Larry Ullman's Book Forums

kakooljay
How does the code below (p. 268) work? Is it definitely correct? Can someone walk me through this? 
 
In actionSetup (A): Why is updateUser a child of updateOwnUser? Doesn't that mean anyone who can update his/her OWN user info can also update anyone else's? 
 
In the controller (B): Why is checkAccess (array('id' => $id)) used on updateUser instead of updateOwnUser? Does updateUser even use the ID parameter?
 
Please help - thanks...
Quite confused!
 
 
Code A:
 
# protected/controllers/SiteController.php::actionSetup()
$auth = Yii::app()->authManager;
// Create the task. Its bizRule is evaluated at checkAccess() time and
// receives the $params array passed to checkAccess().
$task = $auth->createTask('updateOwnUser',
    'Allows a user to update her record',
    'return $params["id"] == Yii::app()->user->id;');
// Make the 'updateUser' operation (created earlier, not shown here) a child of the task.
$task->addChild('updateUser');
 
Code B:
 
# protected/controllers/UserController.php
public function actionUpdate($id) {
    $model = $this->loadModel($id);
    // Ask the auth manager whether the current user may 'updateUser';
    // the record id is passed so bizRules up the hierarchy can read it.
    if (!Yii::app()->user->checkAccess('updateUser',
        array('id' => $id))) {
        throw new CHttpException(403,
            'You are not allowed to do this.');
    }
    // Code for doing this.
}
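Added example (not code from the book or from this post): a Python model of how Yii 1's checkAccess() resolves a hierarchy, walking from the checked item up through its parents and granting access only where an item whose bizRule passes is assigned to the user. The `admin` role, the user ids and the assignments are constructed sample data; assignment-level bizRules are omitted.

```python
"""Model of Yii 1's checkAccessRecursive(): access to an item is granted
when the item's bizRule passes AND either the item is assigned to the
user or some parent of it is granted by the same rule, recursively."""

# Auth items, keyed by name, each with a business rule or None.
# updateOwnUser carries the rule from the post; updateUser has none.
ITEMS = {
    "updateOwnUser": lambda params, user_id: params.get("id") == user_id,
    "updateUser": None,
    "admin": None,          # assumed role, not in the post
}

# child -> set of parents. $task->addChild('updateUser') makes
# updateOwnUser a parent of updateUser; admin is assumed to contain
# updateUser too, so administrators can edit any record.
PARENTS = {
    "updateUser": {"updateOwnUser", "admin"},
    "updateOwnUser": set(),
    "admin": set(),
}

# user id -> assigned item names (constructed sample data)
ASSIGNMENTS = {
    7: {"updateOwnUser"},   # ordinary member
    1: {"admin"},           # administrator
    9: set(),               # user with no assignment at all
}


def check_access(user_id, item_name, params):
    """Return True if user_id may perform item_name with params."""
    rule = ITEMS[item_name]
    if rule is not None and not rule(params, user_id):
        return False        # this item's bizRule fails: path is dead
    if item_name in ASSIGNMENTS.get(user_id, set()):
        return True         # directly assigned and rule (if any) passed
    # Not assigned directly: granted if any parent is granted
    return any(check_access(user_id, parent, params)
               for parent in PARENTS[item_name])


if __name__ == "__main__":
    # Member 7 editing own record, member 7 editing record 3, admin editing 3
    for uid, rec in ((7, 7), (7, 3), (1, 3), (9, 9)):
        print(uid, rec, check_access(uid, "updateUser", {"id": rec}))
```

The walk explains the two questions in the post: checking the child `updateUser` reaches the parent `updateOwnUser`, whose bizRule reads the `id` parameter, so a plain member passes only for her own record while an administrator passes through a parent without that rule.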
 