如何限制用户访问其他人的信息。
我为用户尝试过控制器,他们可以访问其他用户的控制器索引。请描述如何在YII框架中更改每个用户只能访问其信息的设置。
我使用的是版本1.1.X
我再来一次,我已经遇到了我以前的问题 我希望他们只看到他们的笔记
<?php
class TextController extends Controller
{
/**
* @var string the default layout for the views. Defaults to '//layouts/column2', meaning
* using two-column layout. See 'protected/views/layouts/column2.php'.
*/
public $layout='//layouts/column2';
/**
* @return array action filters
*/
public function filters()
{
return array(
'accessControl', // perform access control for CRUD operations
'postOnly + delete', // we only allow deletion via POST request
);
}
/**
* Specifies the access control rules.
* This method is used by the 'accessControl' filter.
* @return array access control rules
*/
public function accessRules()
{
return array(
array('allow', // allow all users to perform 'index' and 'view' actions
'actions'=>array('index','view'),
'users'=>array('*'),
),
array('allow', // allow authenticated user to perform 'create' and 'update' actions
'actions'=>array('create','update'),
'users'=>array('@'),
),
array('allow', // allow admin user to perform 'admin' and 'delete' actions
'actions'=>array('admin','delete'),
'users'=>array('admin'),
),
array('deny', // deny all users
'users'=>array('*'),
),
);
}
/**
* Displays a particular model.
* @param integer $id the ID of the model to be displayed
*/
public function actionView($id)
{
$this->render('view',array(
'model'=>$this->loadModel($id),
));
}
/**
* Creates a new model.
* If creation is successful, the browser will be redirected to the 'view' page.
*/
public function actionCreate()
{
$model=new Text;
// Uncomment the following line if AJAX validation is needed
// $this->performAjaxValidation($model);
if(isset($_POST['Text']))
{
$model->attributes=$_POST['Text'];
if($model->save())
$this->redirect(array('view','id'=>$model->id));
}
$this->render('create',array(
'model'=>$model,
));
}
/**
* Updates a particular model.
* If update is successful, the browser will be redirected to the 'view' page.
* @param integer $id the ID of the model to be updated
*/
public function actionUpdate($id)
{
$model=$this->loadModel($id);
// Uncomment the following line if AJAX validation is needed
// $this->performAjaxValidation($model);
if(isset($_POST['Text']))
{
$model->attributes=$_POST['Text'];
if($model->save())
$this->redirect(array('view','id'=>$model->id));
}
$this->render('update',array(
'model'=>$model,
));
}
/**
* Deletes a particular model.
* If deletion is successful, the browser will be redirected to the 'admin' page.
* @param integer $id the ID of the model to be deleted
*/
public function actionDelete($id)
{
$this->loadModel($id)->delete();
// if AJAX request (triggered by deletion via admin grid view), we should not redirect the browser
if(!isset($_GET['ajax']))
$this->redirect(isset($_POST['returnUrl']) ? $_POST['returnUrl'] : array('admin'));
}
/**
* Lists all models.
*/
public function actionIndex()
{
$dataProvider=new CActiveDataProvider('Text');
$this->render('index',array(
'dataProvider'=>$dataProvider,
));
}
/**
* Manages all models.
*/
public function actionAdmin()
{
$model=new Text('search');
$model->unsetAttributes(); // clear any default values
if(isset($_GET['Text']))
$model->attributes=$_GET['Text'];
$this->render('admin',array(
'model'=>$model,
));
}
/**
* Returns the data model based on the primary key given in the GET variable.
* If the data model is not found, an HTTP exception will be raised.
* @param integer $id the ID of the model to be loaded
* @return Text the loaded model
* @throws CHttpException
*/
public function loadModel($id)
{
$model=Text::model()->findByPk($id);
if($model===null)
throw new CHttpException(404,'The requested page does not exist.');
return $model;
}
/**
* Performs the AJAX validation.
* @param Text $model the model to be validated
*/
protected function performAjaxValidation($model)
{
if(isset($_POST['ajax']) && $_POST['ajax']==='text-form')
{
echo CActiveForm::validate($model);
Yii::app()->end();
}
}
}
Show的限制已解决。但是用户通过URL可以访问其他人做出的注释要做到这一点,请给那个人更改最高号码然后他可以访问其他用户信息我该怎么办?
答案 0 :(得分:2)
您需要将条件添加到数据提供者,如下所示(确保数据库中的字段名称是user_id,否则,您需要在代码段中更改它)
public function actionIndex()
{
$dataProvider=new CActiveDataProvider('Text',array(
'criteria' => array(
'condition' => 'user_id=:user_id',
'params' => array(':user_id' => Yii::app()->User->id),);
$this->render('index',array(
'dataProvider'=>$dataProvider,
));
}
答案 1 :(得分:0)
按用户ID检查。你可以登录用户的ID YII ::应用程序() - &GT;用户&GT;编号。 在您的模型的搜索功能中,如果您的数据提供者使用此搜索功能,则只需在该行下方添加
$criteria->compare('id',Yii::app()->user->id);
我认为这将满足您的要求。
答案 2 :(得分:0)
易卜拉欣的答案适用于指数。我做了一点不同的事情:
public function actionIndex()
{
$criteria = new CDbCriteria();
$criteria->compare('user_id', Yii::app()->user->id);
$dataProvider=new CActiveDataProvider('UserExpenses', array('criteria'=>$criteria));
$this->render('index',array(
'dataProvider'=>$dataProvider,
));
}
如果你想阻止特定的ID,那就是actionDelete,actionUpdate,actionView等。使它们中的每一个都与此类似:
public function actionView($id)
{
$thismodel = $this->loadModel($id);
if($thismodel->user_id != Yii::app()->user->id)
$this->redirect(array('index'));
else
$this->render('view',array(
'model'=>$this->loadModel($id),
));
}
此外,在模型中,您需要修改search()以使其具有相同的比较条件,或者也将显示所有这些条件。您可能希望在某些情况下显示所有这些内容,因为它是由actionAdmin使用的。