
I'm facing the problem of restricting a user to their own data on the site I'm developing.

Currently all users can access all other users' data.

I found this snippet on the web:

public function defaultScope() {
    return array(
        // Customer can see only his orders.
        // The user id is concatenated straight into the SQL text, not bound as a parameter.
        'condition' => 'mob_num = '.YII::app()->user->getId(),
    );
}

This works fine when my column is an integer, but if it is a string it gives me the following error:

CDbCommand failed to execute the SQL statement: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'name' in 'where clause'. The SQL statement executed was: SELECT COUNT(*) FROM `mob_reg` `t` WHERE name = shayan 

public function authenticate()
{
    /*$users=array(
        // username => password
        'demo'=>'demo',
        'admin'=>'admin',
    );*/
    //$users = Auth::model()->findByPk("8951821861");

    // Look the user up by the 'company' column using the submitted username.
    $users = Auth::model()->findByAttributes(array('company'=>$this->username));

    if($users == NULL)
        $this->errorCode=self::ERROR_USERNAME_INVALID;
    else if ($users->name != $this->username)
        $this->errorCode=self::ERROR_USERNAME_INVALID;
    else if ($users->company != $this->password)
        $this->errorCode=self::ERROR_PASSWORD_INVALID;
    else if($users->company=='naga')
    {
        // Hard-coded super user.
        $this->errorCode=self::ERROR_NONE;
        $this->setState('roles', 'super');
        $this->id=$users->company;
    }
    else
    {
        $this->errorCode=self::ERROR_NONE;
        $this->setState('roles', 'normal');
        $this->id=$users->company;
    }

    return !$this->errorCode;

    /*if(!isset($users[$this->username]))
        $this->errorCode=self::ERROR_USERNAME_INVALID;
    elseif($users[$this->username]!==$this->password)
        $this->errorCode=self::ERROR_PASSWORD_INVALID;
    else
        $this->errorCode=self::ERROR_NONE;
    return !$this->errorCode;*/
}

// Returned by Yii::app()->user->getId() once the identity is logged in.
public function getid()
{
    return $this->id;
}
Nathaniel Ford
Nagashayan
  • Did you even read the error message? It says in plain text that you're trying to query a column that doesn't exist. Does the `mob_reg` table *have* a column named `name`? – DCoder Sep 02 '13 at 06:11
  • The next problem after that will be the fact that you're not quoting the username when you put it into the query. Use a bind param instead of inserting it directly. – DCoder Sep 02 '13 at 06:14
  • The column name exists, that is not a problem, and yes, can you show me how to quote the username? – Nagashayan Sep 02 '13 at 06:26
  • You should post the actual code you are using, not code that you found and used as inspiration... `public function defaultScope() { return array( 'condition' => 'name = :name', 'params' => array(':name' => ...), ); }` – DCoder Sep 02 '13 at 06:40
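The comments above explain the two problems in the snippet: the value is pasted into the SQL text unquoted (so the database reads `shayan` as a column name), and even with quotes added by hand it would still be user-controlled text inside the query. The following is an added example, not code from the question or the answer. It uses plain PDO, which Yii 1.x's CDbCommand wraps, with an in-memory SQLite database and a constructed `mob_reg` table, so it runs without Yii; the `countByConcat` and `countByParam` function names and the sample rows are mine.

```php
<?php
// Added example (not from the question or answer): why an unquoted string
// value fails and why a bound parameter is the fix. Constructed in-memory
// SQLite database standing in for the question's MySQL `mob_reg` table.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mob_reg (id INTEGER PRIMARY KEY, name TEXT NOT NULL, item TEXT NOT NULL)');

// Constructed sample rows: two belong to "shayan", one to "naga".
$ins = $pdo->prepare('INSERT INTO mob_reg (name, item) VALUES (?, ?)');
foreach (array(array('shayan', 'order A'), array('shayan', 'order B'), array('naga', 'order C')) as $row) {
    $ins->execute($row);
}

// Stands in for Yii::app()->user->getId(), which in the question is a string.
$currentUser = 'shayan';

// 1. String concatenation, as in the question's defaultScope. The value lands
//    in the SQL text without quotes, so the database parses it as a column
//    identifier and fails with an "unknown column" error, just like the one
//    reported in the question. Any quoting done by hand would still leave the
//    query text under the control of whatever the value contains.
function countByConcat(PDO $pdo, $user)
{
    try {
        $sql = 'SELECT COUNT(*) FROM mob_reg WHERE name = ' . $user;
        return (string) $pdo->query($sql)->fetchColumn();
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// 2. Bound parameter: this is what Yii's
//    'condition' => 'name = :name', 'params' => array(':name' => $user)
//    produces. The SQL text is fixed; the value travels separately, so the
//    driver handles quoting and the value can never be parsed as SQL.
function countByParam(PDO $pdo, $user)
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM mob_reg WHERE name = :name');
    $stmt->execute(array(':name' => $user));
    return (int) $stmt->fetchColumn();
}

echo countByConcat($pdo, $currentUser), PHP_EOL;
echo countByParam($pdo, $currentUser), PHP_EOL;
```

Run it with `php example.php`: the concatenated query reports a missing column, while the bound query counts only the rows whose `name` matches the current user. The same split between SQL text and values is what the `'condition'` / `'params'` pair in a CDbCriteria gives you.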

1 Answer

First and foremost, I wouldn't use defaultScope, because that prevents other use cases that you might later want to add, like calculating statistics of other people who are somehow related to the current user, e.g. who is the person I call most often, etc.

So I think you should just add an additional restriction whenever you are looking up data, like so:

// Yii::app()->user->getId() returns the id set on the identity at login.
$orders = Orders::model()->findByAttributes(array('name' => Yii::app()->user->getId()));

If you really want to stick with defaultScope, you need to properly quote name; using parameters is the way to go:

public function defaultScope()
{
    return array(
        // Positional placeholder; the value is bound by the driver, never
        // pasted into the SQL text.
        'condition' => "name=?",
        'params' => array(Yii::app()->user->getId()),
    );
}

Of course you don't want the user's name stored in your order table, but that's another story.

Martin Komara
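The answer recommends an explicit restriction at each lookup rather than a defaultScope, and bound parameters either way. The following is an added example of how that looks as a Yii 1.x ActiveRecord model with a named scope, not code from the answer or the project; the `orders` table, its `owner_id` column, the `Orders` and `OrderController` class names and the view names are assumptions.

```php
<?php
// Added example (not from the question or answer): a Yii 1.x model that applies
// the answer's advice. Table, column and class names are assumed.

class Orders extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'orders'; // assumed table name
    }

    // Named scope instead of defaultScope: the restriction is visible at each
    // call site, and queries that legitimately span users (statistics, admin
    // views) simply do not apply it. The id is bound as a parameter, so it is
    // correctly quoted whether the column is an integer or a string.
    public function ownedByCurrentUser()
    {
        $this->getDbCriteria()->mergeWith(array(
            'condition' => 'owner_id = :owner',
            'params'    => array(':owner' => Yii::app()->user->getId()),
        ));
        return $this;
    }
}

// Controller: every user-facing lookup goes through the scope, so a record id
// taken from the URL can only ever resolve to the current user's own rows.
class OrderController extends CController
{
    public function actionView($id)
    {
        // A foreign id yields null instead of another user's order; that null
        // check is the authorization step the question's code is missing.
        $order = Orders::model()->ownedByCurrentUser()->findByPk($id);
        if ($order === null) {
            throw new CHttpException(404, 'Order not found.');
        }
        $this->render('view', array('order' => $order));
    }

    public function actionIndex()
    {
        $orders = Orders::model()->ownedByCurrentUser()->findAll();
        $this->render('index', array('orders' => $orders));
    }
}
```

Filtering by the primary key alone (`findByPk($id)` without the scope) is exactly the gap in the question: it checks that the row exists, not that it belongs to the requester. Keeping the owner condition inside one scope method means every query that needs it gets the same bound-parameter condition, and an audit for the missing check reduces to searching call sites for `Orders::model()` without `ownedByCurrentUser()`.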