
In my account model, I have an attribute called account_type_id. Upon registration, if the user chooses his account to be an Admin account then it is set to 1; if, however, the user will be just an ordinary user, it is set to 2. How do I change the access rules so that only the ones which are set to 1 can update or delete?

This is a sample of my code:

public function accessRules()
{
    $account=Account::model()->FindAll();
    return array(
        array('allow',  // allow all users to perform 'index' and 'view' actions
            'actions'=>array('index','view'),
            'users'=>array('*'),
        ),
        array('allow', // allow authenticated user to perform 'create' and 'update' actions
            'actions'=>array('create'),
            'users'=>array('@'),
        ),
        array('allow',
            'action'=>array('update', 'delete', 'admin'),
            'expression'=>"{$account->account_type_id}==1",
            ),
        array('deny',  // deny all users
            'users'=>array('*'),
        ),
    );
}
shychotc

2 Answers


You might have to implement something like this wiki or this one.

So your access rules look something like this:

// for access rules
return array(
    array('allow',
        'actions'=>array('update','delete','admin'),
        'expression'=>'$user->isAdmin()'
    ),
    // ...
);
Jigar

I think your code has one problem: your $account is an array of objects, so you can't use $account->account_type_id. This has no meaning. The user table should have an account_type_id field, so you can access the account_type_id of the logged-in user anywhere in your application. You can try this:

array('allow',
    'actions'=>array('update', 'delete', 'admin'),   // the rule key is 'actions', not 'action'
    'expression'=>array('AccessControl','allowAdminOnly'),
),

Then you need to define the AccessControl class and the allowAdminOnly function in that class. AccessControl could be anywhere, for example in your extensions folder. Note that allowAdminOnly must return true or false. AccessControl should be like this:

class AccessControl
{
    // CAccessRule invokes an array expression as a static callback, so the method must be static.
    public static function allowAdminOnly()
    {
        // account_type_id must already be stored on the user state (e.g. via setState() at login).
        if (Yii::app()->user->account_type_id == 1)
            return true;
        else
            return false;
    }
}
hamed
  • Just one question though: do I really need to transfer the account_type_id to the user table? – shychotc Mar 05 '15 at 13:10
  • Yes, you should add that field to the user table and add a reference from it to the user_id field. – hamed Mar 05 '15 at 13:30
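Both answers lean on the same missing piece: account_type_id has to reach Yii::app()->user before any access rule can read it. The block below is an added example, not code from the question or from either answer, that wires the whole path end to end in Yii 1.1: a UserIdentity that copies the value from the database row into the session state at login, a WebUser subclass with the isAdmin() method Jigar's expression calls, and the controller rules. It assumes an Account ActiveRecord with id, username, password (hashed with CPasswordHelper, available from Yii 1.1.14) and account_type_id columns, with 1 meaning admin and 2 meaning ordinary user; the class and file names are illustrative.

```php
<?php
// Added example (not from the question or either answer).
// Assumptions: an Account ActiveRecord with id, username, password (CPasswordHelper hash)
// and account_type_id columns, where 1 = admin and 2 = ordinary user.

// protected/components/UserIdentity.php
class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $account = Account::model()->find('username=:u', array(':u' => $this->username));
        if ($account === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!CPasswordHelper::verifyPassword($this->password, $account->password)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $account->id;
            // Copy the role into the persistent user state once, at login. Yii::app()->user
            // reads it back as $user->account_type_id or $user->getState('account_type_id').
            $this->setState('account_type_id', (int) $account->account_type_id);
            $this->errorCode = self::ERROR_NONE;
        }
        return $this->errorCode === self::ERROR_NONE;
    }

    public function getId()
    {
        return $this->_id;
    }
}

// protected/components/WebUser.php
// Register it in protected/config/main.php:
//   'components' => array('user' => array('class' => 'WebUser')),
class WebUser extends CWebUser
{
    const TYPE_ADMIN = 1;

    public function isAdmin()
    {
        // Guests carry no state; everyone else must match the admin value exactly.
        return !$this->isGuest
            && (int) $this->getState('account_type_id') === self::TYPE_ADMIN;
    }
}

// protected/controllers/AccountController.php (access-control part only)
class AccountController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    // Rules are evaluated top to bottom and the first matching rule decides, so the
    // trailing deny-all is what turns away every action/user combination not listed above it.
    public function accessRules()
    {
        return array(
            array('allow',
                'actions' => array('index', 'view'),
                'users'   => array('*'),
            ),
            array('allow',
                'actions' => array('create'),
                'users'   => array('@'),
            ),
            array('allow',
                'actions'    => array('update', 'delete', 'admin'), // key is 'actions', not 'action'
                'expression' => '$user->isAdmin()',                // $user is Yii::app()->user
            ),
            array('deny',
                'users' => array('*'),
            ),
        );
    }
}
```

Two caveats worth keeping in mind. A string 'expression' is passed through eval() by CComponent::evaluateExpression() with $user in scope, so the string should stay a constant like '$user->isAdmin()'; interpolating a database value into it, as the question's "{$account->account_type_id}==1" does, turns data into code. And because the role is copied into the session at login, changing account_type_id in the database (demoting an admin, for instance) only takes effect on that user's next login unless you refresh the state or check the database directly in isAdmin().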