
CAccessRule

Package system.web.auth
Inheritance class CAccessRule » CComponent
Since 1.0
Source Code framework/web/auth/CAccessControlFilter.php
CAccessRule represents an access rule that is managed by CAccessControlFilter.

Public Properties


Property         Type      Description                                                                   Defined By
actions          array     list of action IDs that this rule applies to.                                 CAccessRule
allow            boolean   whether this is an 'allow' rule or 'deny' rule.                               CAccessRule
controllers      array     list of controller IDs that this rule applies to.                             CAccessRule
deniedCallback   mixed     the denied method callback that will be called once the access is denied.    CAccessRule
expression       string    a PHP expression whose value indicates whether this rule should be applied.   CAccessRule
ips              array     IP patterns.                                                                  CAccessRule
message          string    the error message to be displayed when authorization is denied by this rule.  CAccessRule
roles            array     list of roles this rule applies to.                                           CAccessRule
users            array     list of user names that this rule applies to.                                 CAccessRule
verbs            array     list of request types (e.g. GET, POST) that this rule applies to.             CAccessRule

Public Methods


Method                  Description                                                                       Defined By
__call() Calls the named method which is not a class method. CComponent
__get() Returns a property value, an event handler list or a behavior based on its name. CComponent
__isset() Checks if a property value is null. CComponent
__set() Sets value of a component property. CComponent
__unset() Sets a component property to be null. CComponent
asa() Returns the named behavior object. CComponent
attachBehavior() Attaches a behavior to this component. CComponent
attachBehaviors() Attaches a list of behaviors to the component. CComponent
attachEventHandler() Attaches an event handler to an event. CComponent
canGetProperty() Determines whether a property can be read. CComponent
canSetProperty() Determines whether a property can be set. CComponent
detachBehavior() Detaches a behavior from the component. CComponent
detachBehaviors() Detaches all behaviors from the component. CComponent
detachEventHandler() Detaches an existing event handler. CComponent
disableBehavior() Disables an attached behavior. CComponent
disableBehaviors() Disables all behaviors attached to this component. CComponent
enableBehavior() Enables an attached behavior. CComponent
enableBehaviors() Enables all behaviors attached to this component. CComponent
evaluateExpression() Evaluates a PHP expression or callback under the context of this component. CComponent
getEventHandlers() Returns the list of attached event handlers for an event. CComponent
hasEvent() Determines whether an event is defined. CComponent
hasEventHandler() Checks whether the named event has attached handlers. CComponent
hasProperty() Determines whether a property is defined. CComponent
isUserAllowed() Checks whether the Web user is allowed to perform the specified action. CAccessRule
raiseEvent() Raises an event. CComponent

Protected Methods


Method                  Description    Defined By
isActionMatched() CAccessRule
isControllerMatched() CAccessRule
isExpressionMatched() CAccessRule
isIpMatched() CAccessRule
isRoleMatched() CAccessRule
isUserMatched() CAccessRule
isVerbMatched() CAccessRule

Property Details

actions property
public array $actions;

list of action IDs that this rule applies to. The comparison is case-insensitive. If no actions are specified, the rule applies to all actions.

allow property
public boolean $allow;

whether this is an 'allow' rule or 'deny' rule.

controllers property
public array $controllers;

list of controller IDs that this rule applies to. The comparison is case-insensitive.

deniedCallback property (available since v1.1.11)
public mixed $deniedCallback;

the denied method callback that will be called once the access is denied. It replaces the behavior that shows an error message. It can be a valid PHP callback, including a class method name (array(ClassName/Object, MethodName)) or an anonymous function (PHP 5.3.0+). For more information on the different options, check

expression property
public string $expression;

a PHP expression whose value indicates whether this rule should be applied. In this expression, you can use $user which refers to Yii::app()->user. The expression can also be a valid PHP callback, including class method name (array(ClassName/Object, MethodName)), or anonymous function (PHP 5.3.0+). The function/method signature should be as follows:

function foo($user, $rule) { ... }
where $user is the current application user object and $rule is this access rule.

The PHP expression will be evaluated using evaluateExpression.

A PHP expression can be any PHP code that has a value. To learn more about what an expression is, please refer to the php manual.

ips property
public array $ips;

IP patterns.

message property (available since v1.1.1)
public string $message;

the error message to be displayed when authorization is denied by this rule. If not set, a default error message will be displayed.

roles property
public array $roles;

list of roles this rule applies to. For each role, the current user's CWebUser::checkAccess method will be invoked. If one of the invocations returns true, the rule will be applied. Note, you should mainly use roles in an "allow" rule because by definition, a role represents a permission collection.

users property
public array $users;

list of user names that this rule applies to. The comparison is case-insensitive. If no user names are specified, the rule applies to all users.

verbs property
public array $verbs;

list of request types (e.g. GET, POST) that this rule applies to.
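An added example of a complete rule set that uses the properties described above; it is constructed for this page and is not code from the Yii docs. It assumes a PostController whose filters() returns 'accessControl', a Post model with an author_id column, and an RBAC role named 'admin':

```php
<?php
// Added example, not from the Yii docs: accessRules() for a hypothetical
// PostController (its filters() is assumed to return 'accessControl').
// Rules are checked in order; the first one whose isUserAllowed() returns
// 1 or -1 decides, 0 means "does not apply", so the catch-all deny goes last.
class PostController extends CController
{
    public function accessRules()
    {
        return array(
            // Anyone ('*') may read, but only via GET or HEAD.
            array('allow',
                'actions' => array('index', 'view'),
                'users'   => array('*'),
                'verbs'   => array('GET', 'HEAD'),
            ),
            // '@' matches any authenticated user, '?' would match guests.
            array('allow',
                'actions' => array('create'),
                'users'   => array('@'),
            ),
            // Callback form of 'expression'; the string form is passed to
            // eval() by evaluateExpression(). $rule is this CAccessRule.
            array('allow',
                'actions'    => array('update'),
                'expression' => array($this, 'isPostOwner'),
            ),
            // RBAC via CWebUser::checkAccess('admin'), office subnet only.
            // Keep the '.' before '*': isIpMatched() is a string-prefix test,
            // so '10.0.1*' would also match 10.0.100.x and 10.0.19.x.
            array('allow',
                'actions' => array('admin', 'delete'),
                'roles'   => array('admin'),
                'ips'     => array('10.0.1.*'),
            ),
            // Default deny; 'message' replaces the generic error text.
            array('deny', 'users' => array('*'),
                'message' => 'You are not allowed to perform this action.'),
        );
    }

    // Hypothetical ownership check against a hypothetical Post model.
    public function isPostOwner($user, $rule)
    {
        $post = Post::model()->findByPk((int) Yii::app()->request->getQuery('id'));
        return $post !== null && !$user->getIsGuest() && (int) $post->author_id === (int) $user->id;
    }
}
```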

Method Details

isActionMatched() method
protected boolean isActionMatched(CAction $action)
$action CAction the action
{return} boolean whether the rule applies to the action
Source Code: framework/web/auth/CAccessControlFilter.php#298
protected function isActionMatched($action)
{
    return empty($this->actions) || in_array(strtolower($action->getId()),$this->actions);
}

isControllerMatched() method
protected boolean isControllerMatched(CController $controller)
$controller CController the controller
{return} boolean whether the rule applies to the controller
Source Code: framework/web/auth/CAccessControlFilter.php#307
protected function isControllerMatched($controller)
{
    return empty($this->controllers) || in_array(strtolower($controller->getUniqueId()),$this->controllers);
}

isExpressionMatched() method
protected boolean isExpressionMatched(IWebUser $user)
$user IWebUser the user
{return} boolean the expression value. True if the expression is not specified.
Source Code: framework/web/auth/CAccessControlFilter.php#387
protected function isExpressionMatched($user)
{
    if($this->expression===null)
        return true;
    else
        return $this->evaluateExpression($this->expression, array('user'=>$user));
}

isIpMatched() method
protected boolean isIpMatched(string $ip)
$ip string the IP address
{return} boolean whether the rule applies to the IP address
Source Code: framework/web/auth/CAccessControlFilter.php#362
protected function isIpMatched($ip)
{
    if(empty($this->ips))
        return true;
    foreach($this->ips as $rule)
    {
        if($rule==='*' || $rule===$ip || (($pos=strpos($rule,'*'))!==false && !strncmp($ip,$rule,$pos)))
            return true;
    }
    return false;
}
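The pattern test in isIpMatched() compares the request IP against the characters before the first '*' as a plain string prefix. The following added example (not part of the Yii source) runs that logic on constructed inputs to show the consequence for a pattern such as '10.0.1*', and adds a small validator, an assumption of this example rather than anything Yii provides, that accepts only patterns whose '*' replaces whole trailing octets:

```php
<?php
// Added example, not from the Yii source: runs the prefix-matching logic of
// CAccessRule::isIpMatched() on constructed inputs, and adds a validator
// (an assumption of this example, not something Yii provides) that accepts
// only patterns whose '*' replaces whole trailing octets.

// Same test as isIpMatched(): '*' matches everything, otherwise an exact
// match or a plain string prefix compared up to the first '*'.
function ipMatches($pattern, $ip)
{
    if ($pattern === '*' || $pattern === $ip) {
        return true;
    }
    $pos = strpos($pattern, '*');
    return $pos !== false && !strncmp($ip, $pattern, $pos);
}

// Accepts '*', a full IPv4 address, or 'a.b.c.*' / 'a.b.*' / 'a.*'.
function isOctetBoundaryPattern($pattern)
{
    if ($pattern === '*' || filter_var($pattern, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    return preg_match('/^(\d{1,3}\.){1,3}\*$/', $pattern) === 1;
}

// Constructed cases: pattern, request IP, what isIpMatched() returns.
$cases = array(
    array('10.0.1.*',  '10.0.1.42',   true),
    array('10.0.1.*',  '10.0.100.7',  false),
    array('10.0.1*',   '10.0.100.7',  true),   // prefix test over-matches
    array('10.0.1*',   '10.0.19.3',   true),   // same pattern, same surprise
    array('10.0.1.42', '10.0.1.42',   true),
    array('*',         '203.0.113.9', true),
);
foreach ($cases as $c) {
    list($pattern, $ip, $expected) = $c;
    $got = ipMatches($pattern, $ip);
    assert($got === $expected);
    printf("%-10s %-12s %-5s %s\n", $pattern, $ip, $got ? 'match' : 'no',
        isOctetBoundaryPattern($pattern) ? '' : '<- rejected: * not on octet boundary');
}
```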

isRoleMatched() method
protected boolean isRoleMatched(IWebUser $user)
$user IWebUser the user object
{return} boolean whether the rule applies to the role
Source Code: framework/web/auth/CAccessControlFilter.php#338
protected function isRoleMatched($user)
{
    if(empty($this->roles))
        return true;
    foreach($this->roles as $key=>$role)
    {
        if(is_numeric($key))
        {
            if($user->checkAccess($role))
                return true;
        }
        else
        {
            if($user->checkAccess($key,$role))
                return true;
        }
    }
    return false;
}

isUserAllowed() method
public integer isUserAllowed(CWebUser $user, CController $controller, CAction $action, string $ip, string $verb)
$user CWebUser the user object
$controller CController the controller currently being executed
$action CAction the action to be performed
$ip string the request IP address
$verb string the request verb (GET, POST, etc.)
{return} integer 1 if the user is allowed, -1 if the user is denied, 0 if the rule does not apply to the user
Source Code: framework/web/auth/CAccessControlFilter.php#280
public function isUserAllowed($user,$controller,$action,$ip,$verb)
{
    if($this->isActionMatched($action)
        && $this->isUserMatched($user)
        && $this->isRoleMatched($user)
        && $this->isIpMatched($ip)
        && $this->isVerbMatched($verb)
        && $this->isControllerMatched($controller)
        && $this->isExpressionMatched($user))
        return $this->allow ? 1 : -1;
    else
        return 0;
}

Checks whether the Web user is allowed to perform the specified action.

isUserMatched() method
protected boolean isUserMatched(IWebUser $user)
$user IWebUser the user
{return} boolean whether the rule applies to the user
Source Code: framework/web/auth/CAccessControlFilter.php#316
protected function isUserMatched($user)
{
    if(empty($this->users))
        return true;
    foreach($this->users as $u)
    {
        if($u==='*')
            return true;
        elseif($u==='?' && $user->getIsGuest())
            return true;
        elseif($u==='@' && !$user->getIsGuest())
            return true;
        elseif(!strcasecmp($u,$user->getName()))
            return true;
    }
    return false;
}

isVerbMatched() method
protected boolean isVerbMatched(string $verb)
$verb string the request method
{return} boolean whether the rule applies to the request
Source Code: framework/web/auth/CAccessControlFilter.php#378
protected function isVerbMatched($verb)
{
    return empty($this->verbs) || in_array(strtolower($verb),$this->verbs);
}

Total 2 comments

#4175
Steve Friedl at 2011/06/12 11:04pm
Missing "actions" mean all actions included

If the 'actions' => array(...) clause is omitted, then ALL actions are included by the rule.

And remember that actions are separate strings:

array('create', 'index', 'view')   // YES
array('create, index, view')       // NO
#1976
Mike (UK) at 2010/10/23 01:20pm
Expression example

A rule with an expressions has the form

array('allow', // control access to 'admin' and 'delete' actions
    'actions'=>array('admin','delete'),
    'expression' => array($this, 'isAdministrator'),
),

The function then has the form:

/**
 * Function to control access
 * @param CWebUser current user obj
 * @param CAccessRule access rule obj
 */
function isAdministrator($user, $rule)
{
    if($user->name == 'admin')
        return true;
    else
        return false;
}
