Edit own security check for a model

How can I implement “edit only entities created by the connected admin user”?
Actually I have a created_by_user_id attribute that is auto set to the current user id on create and I would like the current user to have the edit button (in the CRUD list) only when the model is created by him…

We had a similar feature request in the past. This does not work yet, but I think we should add that. I am not sure what the best solution could be. Maybe the solution proposed regarding deleting is a good idea, please take a look at this and let me know if this would work out for you too:

What you can do for sure is to check the permission to edit:


The referenced issue is similar to what I need indeed.
I made a workaround for my case that might be a solution. The idea is to add an ng-if with the condition to display the edit and update buttons.

I created a new RenderCrud class hacking the getButtons() method to inject my ng-if inside the ng-click so that I do not alter the view file crud.php

namespace app\modules\jobs\admin\render;

class RenderCrud extends \luya\admin\ngrest\render\RenderCrud
{
    private $_buttons;

    public function getButtons()
    {
        // if already assigned, return the result
        if ($this->_buttons) {
            return $this->_buttons;
        }

        $buttons = [];

        // loop over the parent getButtons() and add an ng-if with the proper condition
        foreach (parent::getButtons() as $button) {
            if (in_array($button['icon'], ['delete', 'mode_edit'])) {
                // closes the ng-click attribute early and appends an ng-if attribute, so crud.php stays untouched
                $button['ngClick'] .= '" ng-if="item.created_user_id==\''. sprintf('%s %s', \Yii::$app->adminuser->identity->firstname, \Yii::$app->adminuser->identity->lastname). '\'';
            }
            $buttons[] = $button;
        }

        $this->_buttons = $buttons;
        return $buttons;
    }
}


Ideally we might have a showDeleteButtonCondition() method that will implement the condition and set as follows in the RenderCrud:

// in the model

public function showDeleteButtonCondition()
{
    // Angular expression evaluated per row in the CRUD list
    return 'item.created_user_id=='. \Yii::$app->adminuser->identity->id;
}

In the RenderCrud getButtons():

        // check if deletable is enabled
        if ($this->config->isDeletable() && $this->can(Auth::CAN_DELETE)) {
            $buttons[] = [
                'ngClick' => 'deleteItem('.$this->getCompositionKeysForButtonActions('item').')',
                'ngIf' => $this->getModel()->showDeleteButtonCondition(),
                'icon' => 'delete',
                'label' => '',
            ];
        }

In the crud.php

    <?php foreach ($this->context->getButtons() as $item): ?>
          <button type="button" class="crud-buttons-button" ng-click="<?= $item['ngClick']; ?>"  ng-if="<?= $item['ngIf']; ?>">
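
Added example, not part of the thread and not LUYA's own code: a plain-PHP version of the `ngIf` idea from the post above. It builds the condition from an integer user id instead of a concatenated name, escapes it when rendered into the button, and repeats the ownership check on the server, since `ng-if` only hides the button in the browser. The helper names (`ownerCondition`, `renderButton`, `assertOwner`), the `deleteItem(item.id)` handler and the sample rows are hypothetical.

```php
<?php
// Added example: hypothetical helpers in plain PHP, not LUYA API.
// Build the Angular expression from a validated field name and an integer id,
// so no user-controlled string (such as a name) ends up inside the expression.
function ownerCondition(string $field, int $userId): string
{
    if (!preg_match('/^[a-z_][a-z0-9_]*$/i', $field)) {
        throw new InvalidArgumentException('Invalid field name');
    }
    return sprintf('item.%s==%d', $field, $userId);
}

// Render a CRUD button; ng-if is its own attribute and every value is escaped.
function renderButton(array $button): string
{
    $attrs = ['ng-click' => $button['ngClick']];
    if (!empty($button['ngIf'])) {
        $attrs['ng-if'] = $button['ngIf'];
    }
    $html = '<button type="button" class="crud-buttons-button"';
    foreach ($attrs as $name => $value) {
        $html .= sprintf(' %s="%s"', $name, htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
    }
    return $html . '></button>';
}

// Server-side counterpart: refuse the update/delete when the row is not owned.
function assertOwner(array $row, string $field, int $userId): void
{
    if (!isset($row[$field]) || (int) $row[$field] !== $userId) {
        throw new RuntimeException('Forbidden: record belongs to another user');
    }
}

// Constructed sample data: current admin user id and two rows.
$currentUserId = 7;
echo renderButton([
    'ngClick' => 'deleteItem(item.id)', // constructed click handler
    'ngIf'    => ownerCondition('created_user_id', $currentUserId),
]), PHP_EOL;

foreach ([['id' => 1, 'created_user_id' => 7], ['id' => 2, 'created_user_id' => 3]] as $row) {
    try {
        assertOwner($row, 'created_user_id', $currentUserId);
        echo "row {$row['id']}: delete allowed", PHP_EOL;
    } catch (RuntimeException $e) {
        echo "row {$row['id']}: ", $e->getMessage(), PHP_EOL;
    }
}
```

In a Yii2 application the `assertOwner` check would typically sit in the model's or API controller's update and delete path, so that a request sent without the button is still rejected.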

Hey @rochdi, this is a great solution indeed! It should also not be too complicated to integrate, maybe we could add a syntax like this in the ngRestScope definitions:

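public function ngRestScopes()
{
    return [
        // proposed syntax: show the button only when {created_by} equals the current admin user id
        ['update', ['field1', 'field2', 'field3'], ['buttonCondition' => ['{created_by}' => Yii::$app->adminuser->id]]],
    ];
}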

which would be similar to: https://github.com/luyadev/luya-module-admin/blob/master/src/ngrest/base/Plugin.php#L100-L100

What do you think? If this would be a good solution and fix your issue, please create an issue. Thanks for your feedback.

Hi @nadar, I’ve implemented a solution and I want to create a pull request for review… Shall I reopen the above-mentioned issue or create a new one?

You can just send the pull request and maybe reference the issue. That’s perfect.