Why is the access check in CreateAction performed before the data is loaded? #19406
Replies: 2 comments
-
The access check is made before the action is executed by design. If you need it later, you can set For creating a record, access usually doesn't depend on the model in question. For updating it usually does. That's why the sequence is a bit different.
-
yii2/framework/rest/Action.php Line 48 in e39e744

i.e. here you check "does the user have access to the dashboard and this action?" After this, you can check access to the model.
-
I want to learn about the best solution for REST access checks with checkAccess and understand why in CreateAction the access check is done before the validation. Or why is it not executed after the data is loaded into the model?
https://github.com/yiisoft/yii2/blob/master/framework/rest/CreateAction.php#L43
As I understand it, using the example of creating an entity, I need to check that it belongs to the current authorized user and he does not create it for someone else, and without loading data into the model using checkAccess, I do not know what data is loaded into it.
I understand that this method can be overridden for individual logic, but perhaps from a philosophical point of view, I should check this using validation or check access after loading the data into the model?
The same question is for UpdateAction, where the check is performed immediately when the entity is received, but after the change, I can set any model data.
https://github.com/yiisoft/yii2/blob/master/framework/rest/UpdateAction.php#L43
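One way to cover both cases raised in this thread, as an added example (not code from the Yii project or from the posters): `checkAccess()` gates the stored record for update and delete, and the owner column is kept out of mass assignment so request data can never set or change it. `PostController`, `Post`, `owner_id`, `title` and `body` are hypothetical names.

```php
<?php
namespace app\controllers {
    use Yii;
    use yii\rest\ActiveController;
    use yii\web\ForbiddenHttpException;

    class PostController extends ActiveController
    {
        public $modelClass = 'app\models\Post';

        public function checkAccess($action, $model = null, $params = [])
        {
            // For "create" and "index" $model is null: only the action can be gated here.
            // For "update" and "delete" $model is the stored record, before load() runs.
            if (in_array($action, ['update', 'delete'], true)
                && (string) $model->owner_id !== (string) Yii::$app->user->id) {
                throw new ForbiddenHttpException('You do not own this record.');
            }
        }
    }
}

namespace app\models {
    use yii\behaviors\BlameableBehavior;
    use yii\db\ActiveRecord;

    class Post extends ActiveRecord
    {
        public function behaviors()
        {
            return [[
                'class' => BlameableBehavior::class,
                'createdByAttribute' => 'owner_id', // set from the logged-in user on insert
                'updatedByAttribute' => false,      // never rewritten on update
            ]];
        }

        public function rules()
        {
            // owner_id has no rule, so it is not a safe attribute:
            // load() ignores it in both CreateAction and UpdateAction.
            return [
                [['title', 'body'], 'required'],
                ['title', 'string', 'max' => 255],
            ];
        }
    }
}
```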