限制用户访问他们自己的数据 [英] Restricting user to their own data

问题描述

我在我正在开发的网站上遇到限制用户访问他们自己数据的问题.

I'm facing problem of restricting a user to their own data on the site I'm developing.

目前所有用户都可以访问所有其他用户数据.

Currently all users can access all other users data.

我在网上找到了这个片段:

I found this snippet on the web:

public function defaultScope() {
        return array(
            'condition' => 'mob_num = '.YII::app()->user->getId(), // Customer can see only his orders
        );
    }

当我的列是整数时，这可以正常工作，但如果它是字符串，则会出现以下错误:

This works fine when my column is an integer, but if it is a string it gives me following error:

CDbCommand failed to execute the SQL statement: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'name' in 'where clause'. The SQL statement executed was: SELECT COUNT(*) FROM `mob_reg` `t` WHERE name = shayan 

public function authenticate()
    {
        /*$users=array(
            // username => password
            'demo'=>'demo',
            'admin'=>'admin',
        );*/
          //  $users= Auth::model()->findByPk("8951821861");
            $users = Auth::model()->findByAttributes(array('company'=>$this->username)); 

            if($users == NULL)
                $this->errorCode=self::ERROR_USERNAME_INVALID;
            else if ($users->name != $this->username)
                $this->errorCode=self::ERROR_USERNAME_INVALID;
            else if ($users->company != $this->password)
                $this->errorCode=self::ERROR_PASSWORD_INVALID;

            else if($users->company=='naga')
            {
                $this->errorCode=self::ERROR_NONE;
                $this->setState('roles', 'super');
                 $this->id=$users->company;
            }
            else {
                 $this->errorCode=self::ERROR_NONE;
                $this->setState('roles', 'normal');
                 $this->id=$users->company;
            }

            return !$this->errorCode;
    /*  if(!isset($users[$this->username]))
            $this->errorCode=self::ERROR_USERNAME_INVALID;
        elseif($users[$this->username]!==$this->password)
            $this->errorCode=self::ERROR_PASSWORD_INVALID;
        else
            $this->errorCode=self::ERROR_NONE;
        return !$this->errorCode;*/
    }
        public function getid()
        {
            return $this->id;
        }

推荐答案

首先，我不会使用 defaultScope，因为这会阻止您以后可能想要添加的其他用例，例如计算其他人的统计数据以某种方式与当前用户相关，例如我最常打电话给谁等.

First and foremost, I wouldn't use defaultScope, because that prevents other use cases that you might later want to add, like calculating statistics of other people that are somehow related to the current user, e.g. who is the person I call most often to etc.

所以我认为你应该在像这样查找数据时添加额外的限制:

So I think you should just add additional restriction whenever you are looking up data like so:

$orders = Orders::model()->findByAttributes(array('name' => user()->getid()));

如果你真的想坚持使用 defaultScope，你需要正确引用 name，使用参数是要走的路:

If you really want to stick with defaultScope, you need to properly quote name, using parameters is the way to go:

public function defaultScope()
{
    return array(
        'condition' => "name=?",
        'params' => array(user()->getid()),
    );
}

当然，您不希望将用户名存储在订单表中，但那是另一回事了.

Of course you don't want user's name stored in your order table, but that's another story.

这篇关于限制用户访问他们自己的数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！