Yii / Yii2 checking controller params at the access control level

One of the areas I notice in a lot of Yii / Yii 2 web applications is the checking of parameter variables in what I consider the wrong areas.

Here is an example of one of my controller methods for saving a Book …

So what stands out about this method? No load Model method? No checking to see whether the Book has a valid ID? How will we know whether the Book has a valid ID, how will we know whether the Book is suppose to be accessed by the particular user that is logged into the system?

The answer is, the access rules and bizrules of the web software application. All controller methods should be assigned to an access rule. If the controller method contains parameters then the controller method should be assigned to an access rule as well as a bizrule.

For smaller / less complex applications you can actually emulate the bizrule by using “matchCallback” which is spoken about in this article I wrote previously …

http://www.jamesbarnsley.com/site/2017/06/13/yii-2-user-permission-using-matchcallback/

You can also read my previous article on what I think of the Yii / Yii2 load Model method …

http://www.jamesbarnsley.com/site/2015/04/22/yii-loadmodel-method/

All controller parameters should be checked and validated in the bizrule, by the time the parameter reaches the controller method there should no need to have any checking in the controller method at all for the controller parameters.

If the Book does not exist or the Book is not accessible by the current logged in user then that will be handled before any controller method code gets executed in the first place.

There is no reason to have this level of checking in the controller method itself. Doing it the way I have described also keeps the controller more clean as extra code is not needed to check the controller parameters.

Yii 1 to Yii 2 differences and enhancements part 3

As a continuation on from Yii 1 to Yii 2 differences and enhancements part 3 I have noted some more differences between the 2 versions of the Yii framework …

Scopes

In Yii 1 Scopes where defined as arrays. The key of the array was setup as the scope name and the value of the array was the additional piece of code that would be appended to the select query when using the scope.

In Yii 2 Scopes are defined by overriding the find() method inside a model. The overridden find() method returns a new ActiveQuery object which is defined in a separate class.

Essentially the new method uses the components that are already inherent within Yii2 to build the Scope i.e. the ActiveQuery class. The methods of the class become the items in the array in the Yii1 way of doing Scopes. This is a neater way of writing the Scopes than using the old Yii1 method of creating Scopes and with the fact that it is using the inherent functionality of the ActiveQuery class I would presume more powerful.

Authentication rules

A small difference but an extremely powerful one has been the addition of the “matchCallback” option to Yii2’s AccessControl system. In Yii1 to do user permissions a hierarchy of permissions would be setup with bizRules assigned to those permissions. The bixRules where pieces of code that needed to evaluate to true to allow the user to access what permission the user was trying to access. Permissions where assigned to controller actions.

So the application would get the controller action the user was trying to access, the application would then ask does the user have this permission and does this permission evaluate to true. The bizRules where written in code but where then stored in the database along with the rest of the permissions in a set of 3 tables. AuthAssignment, AuthItem and AuthItemChild.

Well you can still do all this with Yii2 but with the introduction of the “matchCallback” option I can skip most of this. I can now assign my bizRule directly to a controller action method. So I can choose not to create a permission hierarchy with all associated bizRules, also using the “matchCallback” allows me to create my own permission system more easily.

Bootstrap components

In Yii2 the components are styled using Bootstrap out of the box also Yii2 has some wrappers for various other Bootstrap components. In Yii1 this functionality was only gained through the use of plugins like YiiStrap and YiiBooster. Now this comes out of the box and is fully integrated as standard. This brings me to my next point below.

Kartik plugin

Yii1 had YiiStrap and YiiBooster. Yii2 has the Kartik plugins, I will not say much about this other than providing a link …

http://demos.krajee.com/

The additional functionality this plugin provides is huge, timepickers, datepickers, enhanced datagrids, enhanced detail views, sliders, tag selectors, menus, icons, labels there is simple too much to name here. The additional value this plugin provides cannot be easily listed here.

This concludes part 3 of Yii 1 to Yii 2 differences and enhancements.