/** * @param int $project_id * @param int $group_id * @return TicketGroup * @throws ModelValidateException * @throws NotFoundHttpException * @throws ForbiddenHttpException */ public function actionUpdate($project_id, $group_id) { $project = Project::find()->byId($project_id)->oneOrThrow(); if ($project->getOwnerId() != \Yii::$app->getUser()->getId()) { throw new ForbiddenHttpException(); // todo-rbac } $data = \Yii::$app->getRequest()->post(); $role = TicketGroup::find()->byId($group_id)->oneOrThrow(); if ($project->getId() != $role->getProjectId()) { throw new ForbiddenHttpException(); } if ($role->modify($data)) { return $role; } else { throw new ModelValidateException($role); } }