
I don't know the best way to write the access rule for the creator of a model in a controller. I usually do it like this:

public function accessRules() {
    return array(
        ...

        array('allow', // allow the creator to perform these actions
            'actions'    => array('docrop', 'cropimages', 'upload', 'setting', 'updateprivacy', 'updateuser', 'changepassword'),
            'expression' => array($this, 'isCreator'), // callable evaluated by CAccessRule
        ),
        ...

    );
}

Then in that controller I use this function to check that the access rule is satisfied:

public function isCreator() {
    $hasil = false;
    if (isset($_GET['id'])) {
        // compare the id passed in the URL with the logged-in user's id
        $idUser = $_GET['id'];
        $hasil  = ($idUser == Yii::app()->user->id);
    }
    return $hasil;
}

Then, whenever I want to create a URL, I always include the id parameter in that URL. Is this the best approach, or is there a better alternative?


1 Answer


Your current approach would allow users to change the id in the URL, giving them access to all actions. If you really would like to keep this method, I suggest using some kind of hashing method to make it less brute-forceable, in combination with e.g. his IP address for more security: $hashFromUrl == md5(Yii::app()->user->id . CHttpRequest::getUserHostAddress()). Nonetheless I discourage this approach.

As the method is called isCreator(), I assume that you want to check whether the current user is the creator/author of an existing model in the database. Can't you use a creatorId field for this model to compare against the current user's id? No client side hacks are required then.

answered 2013-02-10T20:52:06.297
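An added example of the creatorId approach the answer recommends, written for Yii 1.x; it is not code from the question or the answer, and the model name Photo, the column creator_id and the action names are assumptions:

```php
<?php
// Added example, not code from the question or the answer: the ownership
// check reads creator_id from the stored record instead of trusting the id
// in the URL. "Photo", "creator_id" and the action names are assumptions.
class PhotoController extends CController
{
    public function filters()
    {
        return array('accessControl'); // enables accessRules()
    }

    public function accessRules()
    {
        return array(
            array('allow',
                'actions'    => array('update', 'docrop', 'cropimages'),
                'users'      => array('@'),                // logged in...
                'expression' => array($this, 'isCreator'), // ...and owner
            ),
            array('deny', 'users' => array('*')),
        );
    }

    // Invoked by CAccessRule as a callable; its ($user, $rule) arguments
    // are not needed here.
    public function isCreator()
    {
        $id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
        $model = Photo::model()->findByPk($id);
        if ($model === null) {
            return false; // unknown id falls through to the deny rule
        }
        // Editing the id in the URL only selects a different record; the
        // decision comes from the stored creator_id, never from the URL.
        return (int) $model->creator_id === (int) Yii::app()->user->id;
    }

    // Use this inside the actions too ($model = $this->loadOwnModel($id);)
    // so the check does not depend solely on the filter configuration.
    protected function loadOwnModel($id)
    {
        $model = Photo::model()->findByPk((int) $id);
        if ($model === null) {
            throw new CHttpException(404, 'The requested page does not exist.');
        }
        if ((int) $model->creator_id !== (int) Yii::app()->user->id) {
            throw new CHttpException(403, 'You are not the creator of this record.');
        }
        return $model;
    }
}
```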