/**
 * Loads project roles, narrowed to a single project when one is set.
 *
 * NOTE(review): when $this->projectId is null no filter is applied and the
 * roles of every project are returned. No access check is visible in this
 * method, so confirm the caller restricts who may run it unfiltered.
 *
 * @return mixed whatever the query's all() returns (presumably ProjectRole[] - confirm)
 */
public function run()
{
    $roles = ProjectRole::find();

    // No project selected: return the unfiltered result set.
    if (null === $this->projectId) {
        return $roles->all();
    }

    // The filter is applied to the query object in place; its return value is not used.
    $roles->byProjectId($this->projectId);

    return $roles->all();
}
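/**
 * @inheritdoc
 *
 * Guard run before a modification: the role named by $data['role_id'] must
 * exist and belong to $this->project, otherwise the request is refused.
 *
 * @param array $data input of the modification; only 'role_id' is read here
 *                    (presumably request-supplied - treat it as untrusted)
 * @return bool true when the role belongs to the project
 * @throws ForbiddenHttpException when role_id is absent, matches no role, or
 *                                the role belongs to another project
 */
protected function beforeModify($data)
{
    // A missing key would otherwise reach byId() as null and raise a notice.
    if (!isset($data['role_id'])) {
        throw new ForbiddenHttpException('Role is not available for this project.');
    }

    $role = ProjectRole::find()->byId($data['role_id'])->one();

    // one() is assumed to return null when nothing matches (Yii ActiveQuery behaviour);
    // without this guard an unknown id ends in a fatal "call on null" instead of a 403.
    // The requested id is deliberately not echoed back in the message.
    if ($role === null) {
        throw new ForbiddenHttpException('Role is not available for this project.');
    }

    $project = $this->project;

    // Compare as strings with !==: a loose != treats null, 0 and '' as equal, so a role
    // with no project id could pass the ownership check against an empty project id.
    // The string cast still accepts int 5 vs '5' as returned by different DB drivers.
    if ((string) $role->getProjectId() !== (string) $project->getId()) {
        throw new ForbiddenHttpException("Role '{$role->getId()}' doesn't owned by project '{$project->getId()}'."); // todo-rbac
    }

    return true;
}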
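/**
 * Updates a role of a project from the POST body and returns the updated role.
 *
 * Access is limited to the project's owner, and the role must belong to the
 * project named in the route.
 *
 * @param int $project_id
 * @param int $role_id
 * @return ProjectRole the modified role
 * @throws ModelValidateException when modify() reports failure
 * @throws NotFoundHttpException presumably raised by oneOrThrow() when the project or role does not exist - confirm
 * @throws ForbiddenHttpException when the caller is a guest, is not the project owner,
 *                                or the role belongs to another project
 */
public function actionUpdate($project_id, $role_id)
{
    $project = Project::find()->byId($project_id)->oneOrThrow();

    // yii\web\User::getId() returns null for a guest. Under a loose != null equals
    // null, 0 and '', so a project with an empty owner id would pass the owner check
    // for an unauthenticated caller. Refuse guests outright and compare as strings.
    $userId = \Yii::$app->getUser()->getId();
    if ($userId === null || (string) $project->getOwnerId() !== (string) $userId) {
        throw new ForbiddenHttpException(); // todo-rbac
    }

    $data = \Yii::$app->getRequest()->post();
    $role = ProjectRole::find()->byId($role_id)->oneOrThrow();

    // The role id comes from the route independently of the project id, so owning the
    // project is not enough: the role must be one of this project's roles.
    if ((string) $project->getId() !== (string) $role->getProjectId()) {
        throw new ForbiddenHttpException();
    }

    // NOTE(review): the whole POST body is handed to modify(); confirm that modify()
    // restricts which attributes can be written (project id in particular).
    if (!$role->modify($data)) {
        throw new ModelValidateException($role);
    }

    return $role;
}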