Creating EditUser Page

The EditUser page is very similar to the NewUser. The main difference is that when EditUser is initially requested, the input fields should be initialized with existing user information. Another slight difference is that EditUser can also be accessed by normal users.

To determine which user account is to be editted, we use the following policy:

  • If the current user is an administrator, he can edit any user account by specifying the account's username in a GET variable named 'username'. For example, http://hostname/blog/index.php?page=users.EditUser&username=demo.
  • If the current user is an administrator and the URl does not contain 'username', the administrator himself's data is being updated.
  • If the current user is a normal user, he can only edit his own account information, and he cannot modify his role data.

We create two files protected/pages/users/ and protected/pages/users/EditUser.php to save the page template and page class, respectively.

Creating Page Template

As you may have guessed, the page template EditUser is largely the same as that of NewUser. Besides the difference in page title and the caption of the submit button, there are three main differences.

  • The "username" text box is replaced by a TLabel control because we do not allow modifying username;
  • The validator for the "password" input is removed. This is because if the user does not provide a password during editting, it means the user does not want to change the password.
  • The "role" input is surrounded with TControl whose visibility is toggled according to the role of the currently logged-in user. If the user is not an administrator, the "role" input will not be displayed because normal users are not allowed to modify their roles.

<%@ Title="My Blog - Edit User" %>

<com:TContent ID="Main">

<h1>Edit User</h1>

<com:TLabel ID="Username" />

<com:TTextBox ID="Password" TextMode="Password" />

<span>Re-type Password:</span>
    ErrorMessage="Your password entries did not match."
    Display="Dynamic" />
<com:TTextBox ID="Password2" TextMode="Password" />

<span>Email Address:</span>
    ErrorMessage="Please provide your email address."
    Display="Dynamic" />
    ErrorMessage="You entered an invalid email address."
    Display="Dynamic" />
<com:TTextBox ID="Email" />

<com:TControl Visible="<%= $this->User->IsAdmin %>">
<com:TDropDownList ID="Role">
    <com:TListItem Text="Normal User" Value="0" />
    <com:TListItem Text="Administrator" Value="1" />

<span>First Name:</span>
<com:TTextBox ID="FirstName" />

<span>Last Name:</span>
<com:TTextBox ID="LastName" />

<com:TButton Text="Save" OnClick="saveButtonClicked" />


Creating Page Class

Based on the above description and template, we need to write a page class that initializes the inputs with the existing user information. In addition, the page class also needs to implement the saveButtonClicked() method which is attached to the "save" button's OnClick event.

class EditUser extends TPage
     * Initializes the inputs with existing user data.
     * This method is invoked by the framework when the page is being initialized.
     * @param mixed event parameter
    public function onInit($param)
        if(!$this->IsPostBack)  // if the page is initially requested
            // Retrieves the existing user data. This is equivalent to:
            // $userRecord=$this->getUserRecord();

            // Populates the input controls with the existing user data

     * Saves the user account if all inputs are valid.
     * This method responds to the OnClick event of the "save" button.
     * @param mixed event sender
     * @param mixed event parameter
    public function saveButtonClicked($sender,$param)
        if($this->IsValid)  // when all validations succeed
            // Retrieves the existing user data. This is equivalent to:

            // Fetches the input data
            // update password when the input is not empty
            // update the role if the current user is an administrator

            // saves to the database via Active Record mechanism

            // redirects the browser to the homepage

     * Returns the user data to be editted.
     * @return UserRecord the user data to be editted.
     * @throws THttpException if the user data is not found.
    protected function getUserRecord()
        // the user to be editted is the currently logged-in user
        // if the 'username' GET var is not empty and the current user
        // is an administrator, we use the GET var value instead.
        if($this->User->IsAdmin && $this->Request['username']!==null)

        // use Active Record to look for the specified username
        if(!($userRecord instanceof UserRecord))
            throw new THttpException(500,'Username is invalid.');
        return $userRecord;
Tip: The onInit() method is invoked by PRADO during one of the page lifecycles. Other commonly overriden lifecycle methods include onPreInit(), onLoad() and onPreRender().

Adding Permission Check

To make the EditUser page also accessible by authenticated users (users="@"), we need to adjust the page configuration file protected/pages/users/config.xml accordingly.

<?xml version="1.0" encoding="utf-8"?>
    <allow roles="admin"/>
    <allow users="@" pages="EditUser"/>
    <deny users="*"/>


To test the EditUser page, visit the URL http://hostname/blog/index.php?page=users.EditUser&username=demo. You may be required to login first if you have not done so. Try logging in with different accounts (e.g. admin/demo, demo/demo) and see how the page displays differently.