Yii / Yii2 checking controller params at the access control level

One of the areas I notice in a lot of Yii / Yii 2 web applications is the checking of parameter variables in what I consider the wrong areas.

Here is an example of one of my controller methods for saving a Book …

So what stands out about this method? No load Model method? No checking to see whether the Book has a valid ID? How will we know whether the Book has a valid ID, how will we know whether the Book is suppose to be accessed by the particular user that is logged into the system?

The answer is, the access rules and bizrules of the web software application. All controller methods should be assigned to an access rule. If the controller method contains parameters then the controller method should be assigned to an access rule as well as a bizrule.

For smaller / less complex applications you can actually emulate the bizrule by using “matchCallback” which is spoken about in this article I wrote previously …

http://www.jamesbarnsley.com/site/2017/06/13/yii-2-user-permission-using-matchcallback/

You can also read my previous article on what I think of the Yii / Yii2 load Model method …

http://www.jamesbarnsley.com/site/2015/04/22/yii-loadmodel-method/

All controller parameters should be checked and validated in the bizrule, by the time the parameter reaches the controller method there should no need to have any checking in the controller method at all for the controller parameters.

If the Book does not exist or the Book is not accessible by the current logged in user then that will be handled before any controller method code gets executed in the first place.

There is no reason to have this level of checking in the controller method itself. Doing it the way I have described also keeps the controller more clean as extra code is not needed to check the controller parameters.

I use Balsamiq Mockups

Balsamiq Mockups is a software program to enable people to mock-up user interface designs. The program is simple to use and all a user has to do is drag and drop generic components onto the white screen area and build the user interface from these generic components.

https://balsamiq.com

There are plenty of components to choose from ranging from forms, datagrids, tables, tabs to navigation bars for designing web based software interfaces the program is perfect.

For doing mockups of websites it is also useful as well but obviously cannot cover in depth “design” in terms of fancy graphics as to mockup fancy graphics the graphic designer would have to do the work of drawing the fancy graphics themselves which is essentially doing the work and is not really a mockup.

For a website you can say this is the header, these are some links, here is a navigation bar to the left etc. It is a mock-up.

Balsamiq Mockups will be used by me in the Roadmap and GUI Design stages. I can now easily mock-up the user interface of the web based software system at the initial stages. Giving the client an idea of what the software will look like and how it will function.

This is also useful for early recognition of problems and getting it right the first time without having to change GUI elements around later when that could prove more costly.