Yii
DarkByte2015, 2017-10-20 13:51:09

How to protect against unauthorized editing?

There is a controller for editing articles. How can I prevent a user from editing (or even viewing) other people's articles? I don't want to write a check in each method; there are a lot of them. I need to somehow check whether the user has access to the article before the action is called. It is certainly possible to check in beforeAction, but what exactly should be checked there? For example, there is an actionDeleteFile method that deletes an article file. I don't pass the article id to it, because why would I? That method only needs to know the id of the file.
So right now, effectively, any user can change other people's articles. That is not good.
PS The only solution I see so far is to pass it to each action, even where the article id is not needed, somehow pull that id out of the URL in beforeAction, and if the user has no right to edit, tell them where to go. :D
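One way to do the check once, in beforeAction, rather than in every action. This is an added example and not code from the thread; it assumes (hypothetically) an Article model with a user_id column, an ArticleFile model with an article_id column and a hasOne relation getArticle(), an RBAC permission named 'editor', and that actions receive either ?id=<article id> or ?file_id=<file id>. The file case shows how an action that never sees an article id is still gated, because the server walks file -> article -> owner itself.

```php
<?php
// Added example (not from the original thread): one ownership gate in
// beforeAction() so that no individual action needs its own check.
// Assumed, not defined on the page: models Article (user_id) and
// ArticleFile (article_id, relation getArticle()), RBAC permission 'editor',
// request parameters ?id= (article) or ?file_id= (file).

namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use app\models\Article;
use app\models\ArticleFile;

class ArticleController extends Controller
{
    /** Actions that do not touch an existing article and need no gate. */
    private const UNGATED = ['index', 'create'];

    /** The article resolved by beforeAction(), available to every gated action. */
    protected Article $article;

    public function beforeAction($action)
    {
        if (!parent::beforeAction($action)) {
            return false;
        }
        if (in_array($action->id, self::UNGATED, true)) {
            return true;
        }
        if (Yii::$app->user->isGuest) {
            throw new ForbiddenHttpException('Login required.');
        }

        $this->article = $this->resolveArticle();

        // Only the owner, or a user holding the 'editor' permission, may proceed.
        // Cast both sides: some DB drivers return integer columns as strings.
        $isOwner = (int) $this->article->user_id === (int) Yii::$app->user->id;
        if (!$isOwner && !Yii::$app->user->can('editor')) {
            // 404 instead of 403 so the response does not confirm that the
            // article exists; use ForbiddenHttpException if a 403 is preferred.
            throw new NotFoundHttpException('Article not found.');
        }
        return true;
    }

    /**
     * Derive the article from whatever id the request carries. The join is
     * done server-side, so a client cannot pair its own file id with a
     * foreign article id: the file decides which article is checked.
     */
    private function resolveArticle(): Article
    {
        $request = Yii::$app->request;

        if (($fileId = $request->get('file_id')) !== null) {
            $file = ArticleFile::findOne((int) $fileId);
            if ($file === null || $file->article === null) {
                throw new NotFoundHttpException('File not found.');
            }
            return $file->article;   // assumed hasOne relation ArticleFile::getArticle()
        }

        $article = Article::findOne((int) $request->get('id'));
        if ($article === null) {
            throw new NotFoundHttpException('Article not found.');
        }
        return $article;
    }

    public function actionView($id)
    {
        // Ownership was already verified; reuse the loaded model.
        return $this->render('view', ['model' => $this->article]);
    }

    // No article id is passed here, yet the action is still gated, because
    // beforeAction() resolved the article through the file's foreign key.
    public function actionDeleteFile($file_id)
    {
        $file = ArticleFile::findOne((int) $file_id);  // exists: resolveArticle() checked it
        $file->delete();
        return $this->redirect(['view', 'id' => $this->article->id]);
    }
}
```

Two things worth checking in a real controller: every new action that operates on an article must take its id from the same `id`/`file_id` parameters the gate reads, otherwise it silently bypasses the check; and the same logic can be expressed with yii\filters\AccessControl and a matchCallback if you prefer a behavior over an override.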


2 answer(s)
DarkByte2015, 2017-10-20
@DarkByte2015

Solved it like this

// at file level: use yii\web\ForbiddenHttpException; use yii\web\NotFoundHttpException;
private function checkAccess($article_id) {
    $article = Article::findOne($article_id);
    if ($article === null) {            // findOne() returns null for an unknown id
        throw new NotFoundHttpException("Article not found.");
    }
    $user = Yii::$app->user;

    // Cast both sides: DB drivers may return user_id as a string, and !== would then always be true
    if ((int) $article->user_id !== (int) $user->id && !$user->can('editor')) {
        throw new ForbiddenHttpException("You do not have access to this article!");
    }
}

And I call it in every action. I remembered that it is not necessary to pass article_id at all, because almost all models have direct or indirect access to it. Even the files can be reached with an additional query over the FK relation to the author, who already has an article_id. I will probably settle on this option. It seems nothing better can be done.

Maxim Timofeev, 2017-10-20
@webinar

You have some author identifier, let's say author_id, and there is an action in which an article is requested. What stops you from adding it to the condition?
For example:

// at file level: use yii\web\ForbiddenHttpException;
public function actionView($id){
    // The query itself is scoped to the current user, so a foreign article is simply never found
    if($model = Article::find()
                        ->andWhere(['author_id'=>Yii::$app->user->id])
                        ->andWhere(['id'=>$id])
                        ->one()){
       return $this->render('view',['model'=>$model]);
    }
    throw new ForbiddenHttpException("Don't go there, you'll get snow on your head");
}
