yiisoft / yii2

Yii 2: The Fast, Secure and Professional PHP Framework
http://www.yiiframework.com
BSD 3-Clause "New" or "Revised" License

Best way to implement security on records that only can be seen by creator #15225

Closed MarcoDuizer closed 6 years ago

MarcoDuizer commented 6 years ago

I have an application where users can create their event online. Then they can plan the event and do all kinds of things with it. The requirement is that only the user that created the event (and the user id is stored in the event record) can see their event and edit and delete it. I use RBAC in the DB version with the (mdmsoft/yii2-admin) extension to deny access to all controllers (except the site controller that handles the anonymous part of the website). But that doesn't help for the access to their own data security. Is it best practice to implement the filtering of the data in the Model definition so all controllers will always get data that the user is allowed to see? Or is it better to use rules from RBAC and implement it at controller level? I tried to get rules in the DB to work but I could get a rule in the database. Followed the documentation but even with that step by step I can't get it to work.

So bottom line, what is best practice with yii 2.0 to let users only see their own data for a specific model?

| Q | A |
| --- | --- |
| Yii version | 2.0.13.1 |
| PHP version | 7.1.8 |
| Operating system | Mac OS X |

njasm commented 6 years ago

@MarcoDuizer it depends on your requirements. What you are talking about here is not really about authorization but more like data filtering. With this in mind, one simple solution is to add a method to your ModelQuery object and change all your queries on that model and search methods (for grids).

Example 1:

```php
// ModelQuery.php
use Yii;
use yii\db\ActiveQuery;

class ModelQuery extends ActiveQuery
{
    // Restrict the query to records created by the logged-in user.
    public function creator()
    {
        $this->andWhere(['UserID' => Yii::$app->getUser()->getId()]);
        return $this; // was "return this;", which is a syntax error in PHP
    }
}

// code on other places of your application
$values = Model::find()->creator()->where(...)->all();
```

Would suffice according to your post, but let me tell you that in a real world application, this implementation is very naive and will not get you far.

In a real world app, you probably have Teams, and a Team Leader, or Director that must be allowed to see and possibly update all the Model records created by a member of his team.

And here, you'll probably be better off if you jump start with RBAC plus Rules. Read about RBAC Rules; those are like business specifications or constraints: http://www.yiiframework.com/doc-2.0/yii-rbac-rule.html

MarcoDuizer commented 6 years ago

Hi, thanks for your quick response. I want to go for the rule part. I have everything installed and the authorization is working, but I can't get the rules to work. I tried what is in the documentation, but somehow I get stuck. I use the DB version of the implementation and adding users, roles and permissions. Adding the rule to make the authorization based upon user is where I get stuck. Can you maybe give me some help with an example of what I need to do to get it to work? I started with the advanced template and added the yii2-admin plugin. I just need a simple example on what to put in the code part and how I can use that in the database for auth_rule so I can use it to set up the authorization structure further. And thanks again, because my mind is breaking at the moment ;-).

njasm commented 6 years ago

An example exists for what you want, I believe. Check here: http://www.yiiframework.com/doc-2.0/guide-security-authorization.html#using-rules
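The pattern the linked guide section describes, written out for the "only the creator may edit" requirement from the first post, as an added example that is not part of this thread, of yii2-admin, or of the framework itself: a `yii\rbac\Rule` subclass, the console command that stores it in the `auth_*` tables through `DbManager`, and the controller check. The class names (`EventOwnerRule`, `RbacController`, `Event`), the `user_id` column and the permission and role names are assumptions; rename them to match your schema.

```php
<?php
// Added example, not code from the issue thread or from Yii 2.
// File 1: common/rbac/EventOwnerRule.php (path is an assumption)
namespace common\rbac;

use yii\rbac\Rule;

/**
 * Passes only when the event being accessed was created by the current user.
 * DbManager stores the serialized rule in auth_rule under $name and runs
 * execute() every time a permission that references this rule is checked.
 */
class EventOwnerRule extends Rule
{
    public $name = 'isEventOwner';

    public function execute($user, $item, $params)
    {
        // Deny by default: a guest or a missing event parameter never passes.
        if ($user === null || !isset($params['event'])) {
            return false;
        }
        // $user is the user id handed to can(); compare against the creator column.
        return (int) $params['event']->user_id === (int) $user;
    }
}

// File 2: console/controllers/RbacController.php, run once with: php yii rbac/init
namespace console\controllers;

use Yii;
use yii\console\Controller;
use common\rbac\EventOwnerRule;

class RbacController extends Controller
{
    public function actionInit()
    {
        $auth = Yii::$app->authManager; // yii\rbac\DbManager in the app config

        $rule = new EventOwnerRule();
        $auth->add($rule);                                  // row in auth_rule

        // Broad permission: no rule attached, any holder may edit any event.
        $updateEvent = $auth->createPermission('updateEvent');
        $updateEvent->description = 'Update any event';
        $auth->add($updateEvent);

        // Narrow permission: implies updateEvent only while the rule passes.
        $updateOwnEvent = $auth->createPermission('updateOwnEvent');
        $updateOwnEvent->description = 'Update an event you created';
        $updateOwnEvent->ruleName = $rule->name;           // stored in auth_item.rule_name
        $auth->add($updateOwnEvent);
        $auth->addChild($updateOwnEvent, $updateEvent);

        $user = $auth->createRole('user');
        $auth->add($user);
        $auth->addChild($user, $updateOwnEvent);

        $admin = $auth->createRole('admin');
        $auth->add($admin);
        $auth->addChild($admin, $updateEvent);             // admins bypass the rule
        $auth->addChild($admin, $user);

        $auth->assign($admin, 1);                           // assumed admin user id
    }
}

// File 3: frontend/controllers/EventController.php (update action only)
namespace frontend\controllers;

use Yii;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use common\models\Event;

class EventController extends Controller
{
    public function actionUpdate($id)
    {
        $event = Event::findOne($id);
        if ($event === null) {
            throw new NotFoundHttpException('Event not found.');
        }
        // can() walks user -> updateOwnEvent -> updateEvent; the rule receives
        // the event via $params, so the decision is made per record, server-side.
        if (!Yii::$app->user->can('updateEvent', ['event' => $event])) {
            throw new ForbiddenHttpException('You may only edit events you created.');
        }
        // ... load POST data, save, render the form ...
    }
}
```

A rule decides about one record at a time, so it protects view/update/delete actions but does nothing for list pages: keep a query scope such as `creator()` on the `EventQuery` for index and search actions, and use the rule for per-record actions. Where the same user id drives both, the two checks agree and a record that leaked into a grid by mistake is still refused on update.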

MarcoDuizer commented 6 years ago

I tried that option. Do I need to create the RbacController too to make it work if I use the DB version? And what is best practice for folder structure for the rules? Make a rule file for all rules or a rule file per controller?

yii-bot commented 6 years ago

Thank you for your question. In order for this issue tracker to be effective, it should only contain bug reports and feature requests.

We advise you to use our community-driven resources:

If you are confident that there is a bug in the framework, feel free to provide information on how to reproduce it. This issue will be closed for now.

This is an automated comment, triggered by adding the label question.

MarcoDuizer commented 6 years ago

@njasm I created a request on the forum; I get an error when I did all the steps. Can you please check and see if you can help me with it?