Yii Framework Forum: Restrict access to views for logged users - Yii Framework Forum


#1 pc131 (Standard Member, Warsaw, Poland)

Posted 21 September 2010 - 06:14 PM

Hi

I am quite new to Yii - after messing with Kohana, CI and Symfony, Yii seems the most logical. I am writing an application that uses CRUD operations on DB tables - just as simple as the tutorial.

But I haven't found how to properly restrict access to views when the user is a guest.

I managed to apply login against database users, so that is nice. And this is how I am trying to achieve it.

Let's assume I have a model mA which has a view vA. When I open the URL of my app I can see only the LOGIN link with the login screen (the very same as in the testdrive app of Yii); when the user logs in, there are more links to the views of all models, especially of model mA. Also a logged-in user has the link LOGOUT(currentUser). When the user clicks on LOGOUT he is moved to the login screen and becomes a guest again. But when the user enters the URL http://yii/myapp/index.php?r=mA (view of model A), the page of model A with all the data is displayed, and THIS IS NOT WHAT I WANT.

So I put in main config this line:

'homeUrl'=>array('site/login'),


which points to login screen.

And in http://yii/myapp/protected/views/site/index.php I put:

// IF NOT LOGGED IN, GO TO LOGIN SCREEN
if(Yii::app()->user->isGuest)
{
	$this->redirect(Yii::app()->homeUrl);
}


So when I open the URL of the app it moves me to the login screen if the user is a guest. However, I can still manually go to the views of all models by entering their URLs. Do I have to enter the above code in every view of every model? For example in admin.php, create.php, index.php, update.php, view.php, to restrict access to them for authenticated users? Or is there any global function to do it?

Thanks in advance,
Tom

#2 tri (Elite Member, Moderators, Stockholm, Sweden)

Posted 21 September 2010 - 06:33 PM

pc131, on 21 September 2010 - 06:14 PM, said:

...
But I haven't found how to restrict properly access to views where user is guest.
...
is there any global function to do it?
...


See the section Access Control Filter on this page
http://www.yiiframew...ide/topics.auth

/Tommy
Don't forget to read The Definitive Guide to Yii (en) (sv) | The class reference has the details

#3 kael (Standard Member, Shizuoka, Shizuoka, Japan and the Philippines)

Posted 22 September 2010 - 01:55 AM

pc131, on 21 September 2010 - 06:14 PM, said:

...
But I haven't found how to properly restrict access to views when the user is a guest.
...
Do I have to enter the above code in every view of every model? For example in admin.php, create.php, index.php, update.php, view.php, to restrict access to them for authenticated users? Or is there any global function to do it?
...


You can find it in your controller (whichever controller you wish to use, if you have multiple controllers).

It's in the public function accessRules(). You can change this:
public function accessRules()
	{
		return array(
			array('allow',  // allow all users to perform 'list' and 'show' actions
				'actions'=>array('list','show', 'asx','dibs'),
				'users'=>array('*'),
			),
			array('allow', // allow authenticated user to perform 'create' and 'update' actions
				'actions'=>array('create','update'),
				'users'=>array('@'),
			),
			array('allow', // allow admin user to perform 'admin' and 'delete' actions
				'actions'=>array('admin','delete'),
				'users'=>array('admin'),
			),
			array('deny',  // deny all users
				'users'=>array('*'),
			),
		);
	}




to this

public function accessRules()
	{
		return array(
			array('allow',  // allow only the admin user to perform 'list', 'show', 'asx' and 'dibs' actions
				'actions'=>array('list','show', 'asx','dibs'),
				'users'=>array('admin'),
			),
			array('allow', // allow only the admin user to perform 'create' and 'update' actions
				'actions'=>array('create','update'),
				'users'=>array('admin'),
			),
			array('allow', // allow admin user to perform 'admin' and 'delete' actions
				'actions'=>array('admin','delete'),
				'users'=>array('admin'),
			),
			array('deny',  // deny all other users
				'users'=>array('*'),
			),
		);
	}






whichever way you like ;)

#4 pc131 (Standard Member, Warsaw, Poland)

Posted 22 September 2010 - 01:57 AM

Thank You! That is also why I like yii - nice forum responses :)

#5 pc131 (Standard Member, Warsaw, Poland)

Posted 22 September 2010 - 02:40 AM

To deny anonymous users from displaying the view of model A, I put in the controller yii/myapp/protected/controllers/A_Controller.php something like this:

public function accessRules()
{
	return array(
		array('deny',  // deny anonymous users
			'users'=>array('?'),
		),
	);
}


And I put this in every controller that I want to restrict access to.

How about the main index page which loads when I open the main URL of the application?

I tried to put the same code in yii/myapp/protected/controllers/SiteController.php but it doesn't work... any clues where to put this code?

================

OK, when I added these lines:

<?php

class SiteController extends Controller
{

	/**
	 * @return array action filters
	 */
	public function filters()
	{
		return array(
			'accessControl', // perform access control for CRUD operations
		);
	}

	/**
	 * Specifies the access control rules.
	 * This method is used by the 'accessControl' filter.
	 * @return array access control rules
	 */
	public function accessRules()
	{
		return array(
			array('deny',  // deny anonymous users
				'users'=>array('?'),
			),
		);
	}
	...



Firefox couldn't open the page, with this strange info:

(screenshot of the Firefox error page)

Which translates to:

Incorrect redirection

Firefox found that the server is redirecting the request in a way that will never complete.

* This problem can arise when cookies are blocked.

#6 zaccaria (Elite Member, Moscow)

Posted 22 September 2010 - 02:48 AM

You should implement the action filters:

	/**
	 * @return array action filters
	 */
	public function filters()
	{
		return array(
			'accessControl', // perform access control for CRUD operations
		);
	}


in order to tell the controller to take the rules into consideration.

Also remember that you cannot restrict the action login, and if you restrict the index, make sure that the index will be the default page for not logged users.
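A complete SiteController that follows zaccaria's advice, added here as an example (this is not code from the thread or from the Yii project). It is written for the Yii 1.1 webapp skeleton the thread is using, whose SiteController has index, login, logout and error actions. The reason pc131's version loops is that when CAccessControlFilter denies a guest it calls Yii::app()->user->loginRequired(), which redirects to CWebUser::$loginUrl (site/login by default); a rule set that denies '?' on every action of SiteController denies the login action as well, so the browser is sent to site/login, denied again, redirected again, and Firefox gives up with the "incorrect redirection" page. Rules are evaluated in order and the first match wins, so the explicit allows for login and error must come before the catch-all deny:

```php
<?php
// Added example (not from the original thread): a Yii 1.1 SiteController whose
// access rules deny guests by default but keep the login and error actions
// reachable, so the access filter can never redirect a guest to a login page
// that is itself denied.
class SiteController extends Controller
{
	public function filters()
	{
		return array(
			'accessControl', // without this entry accessRules() is never consulted
		);
	}

	public function accessRules()
	{
		// Rules are checked top to bottom; the first rule matching the current
		// user and action decides. '*' = anyone, '?' = guests, '@' = authenticated.
		return array(
			array('allow',
				'actions'=>array('login','error'),
				'users'=>array('*'),   // guests must be able to reach the login form
			),
			array('allow',
				'actions'=>array('logout'),
				'users'=>array('@'),
			),
			array('allow',
				'users'=>array('@'),   // every other action: authenticated users only
			),
			array('deny',
				'users'=>array('*'),   // default deny, covers actions added later
			),
		);
	}

	public function actionIndex()
	{
		// No isGuest check needed here: the filter already ran before the action.
		$this->render('index');
	}

	public function actionLogout()
	{
		Yii::app()->user->logout();
		$this->redirect(Yii::app()->homeUrl);
	}

	// actionLogin() and actionError() are the ones generated by the webapp skeleton.
}
```

The trailing 'deny' rule is what makes the controller fail closed for any action added later. Two caveats: a rule such as 'users'=>array('admin') compares against the login name (case-insensitively), not a role, so it only means something if that name cannot be chosen by self-registered users; and the accessControl filter only protects controllers that list it in filters(), so a controller that omits the filter is not covered at all.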

#7 pc131 (Standard Member, Warsaw, Poland)

Posted 22 September 2010 - 02:56 AM

Hi zaccaria, please look at my post above. I implemented the filters() function to tell the controller to apply the access rules, but then Firefox couldn't open the page.

How do I make index the default page for not-logged-in users?

==================

OK - I managed to do that in the actionIndex() method of SiteController.php:

public function actionIndex()
{
	// renders the view file 'protected/views/site/index.php'
	// using the default layout 'protected/views/layouts/main.php'

	if(Yii::app()->user->isGuest)
	{
		// IF NOT LOGGED IN, GO TO LOGIN SCREEN
		$this->redirect(Yii::app()->homeUrl);
	}
	else
	{
		$this->render('index');
	}
}


where homeUrl is defined as site/login in the main.php config file. It works - anonymous users who call the home URL get to the login screen, but I don't know if it is written in a good Yii/MVC manner...

Any suggestions appreciated.

#8 kael (Standard Member, Shizuoka, Shizuoka, Japan and the Philippines)

Posted 22 September 2010 - 03:50 AM

pc131, on 22 September 2010 - 01:57 AM, said:

Thank You! That is also why I like yii - nice forum responses :)



you're welcome.. glad to be of help..

anyway.. just want to share my case, I just filled in the ideal accessRules so that it won't be a hassle anymore... like this:

public function accessRules()
	{
		return array(
			array('allow',  // allow all users to perform 'list', 'show', 'asx' and 'dibs' actions
				'actions'=>array('list','show', 'asx','dibs'),
				'users'=>array('*'),
			),
			array('allow', // allow only the admin user to perform 'create' and 'update' actions
				'actions'=>array('create','update'),
				'users'=>array('admin'),
			),
			array('allow', // allow admin user to perform 'admin' and 'delete' actions
				'actions'=>array('admin','delete'),
				'users'=>array('admin'),
			),
			array('deny',  // deny all other users
				'users'=>array('*'),
			),
		);
	}


I just added that so everyone can see but only the admin can manage the data.. plus I've got an admin section in my webapp so it's no big deal..

anyway, if you want the login page to show up when users are not logged in, just put this

if(Yii::app()->user->isGuest)
	$this->redirect(Yii::app()->homeUrl.'?r=site/login');

if(!Yii::app()->user->isGuest)
	$this->redirect(Yii::app()->homeUrl.'?r=event');


(r=event is my primary model; you can change it to just $this->redirect(Yii::app()->homeUrl); if you want it to just redirect to the homepage. :))

on the index.php of your views, and don't change the homeUrl in your config. Just leave it at its default.

#9 pc131 (Standard Member, Warsaw, Poland)

Posted 22 September 2010 - 04:43 AM

kael, on 22 September 2010 - 03:50 AM, said:

...
anyway.. just want to share my case, I just filled in the ideal accessRules so that it won't be a hassle anymore... like this:
...
I just added that so everyone can see but only the admin can manage the data..
...


What are these actions 'list', 'show', 'asx', 'dibs'?

public function accessRules()
{
return array(
     array('allow',  // allow all users to perform 'list' and 'show' actions
     'actions'=>array('list','show', 'asx','dibs'),
     'users'=>array('*'),
      ),
);
}


I know the standard create, update, delete, admin, but are the ones above your own?

#10 kael (Standard Member, Shizuoka, Shizuoka, Japan and the Philippines)

Posted 22 September 2010 - 04:56 AM

Oh sorry.. list, asx and dibs are custom controls... you just have to meddle with the view and show stuff.

#11 pc131 (Standard Member, Warsaw, Poland)

Posted 22 September 2010 - 05:32 AM

view and show, or list and show?

And what are these methods? I couldn't find an explanation of these actions on the Yii website - does it mean displaying the view of the model and showing it....??

#12 kael (Standard Member, Shizuoka, Shizuoka, Japan and the Philippines)

Posted 22 September 2010 - 05:38 AM

pc131, on 22 September 2010 - 05:32 AM, said:

view and show or list and show?

and these methods are? I couldnt' find explanation in yii website of these actions - it means displaying the view of model and showing it....??



Just the default ones..

This, I think?

array('allow',  // allow all users to perform 'index' and 'view' actions
				'actions'=>array('index','view'),
				'users'=>array('*'),
			),



change the * to admin

#13 pc131 (Standard Member, Warsaw, Poland)

Posted 22 September 2010 - 05:44 AM

OK thanks a lot ;-)

#14 kael (Standard Member, Shizuoka, Shizuoka, Japan and the Philippines)

Posted 22 September 2010 - 05:46 AM

pc131, on 22 September 2010 - 05:44 AM, said:

OK thanks a lot ;-)


hope it helps :D

#15 pc131 (Standard Member, Warsaw, Poland)

Posted 22 September 2010 - 05:52 AM

Well, Yii helps so much with writing database-driven apps and so on that I started to rewrite an app after a year of it being suspended, because I was writing SQL in the view :lol: To be honest I had only a view, no controller and no model, because all of MVC was in the view :rolleyes: thanks again!

#16 kael (Standard Member, Shizuoka, Shizuoka, Japan and the Philippines)

Posted 22 September 2010 - 07:49 PM

pc131, on 22 September 2010 - 05:52 AM, said:

Well, yii helps so much writing database-driven app and so on that I started to rewrite app after a year when I suspended it, because I was writing sql in the view :lol: to be true I had only view, no controller and model, because all MVC was in the view :rolleyes: thanks again!



hahaha.. yeah.. I was just like that a few weeks ago.. I just started Yii myself. ;) and I'm having my own set of problems too.. :D It's good to have a forum section here so people can exchange info. :D

#17 ekscrypto (Newbie, Members)

Posted 17 March 2013 - 05:28 PM

I'm quite new to Yii too, but since a Google search for "Yii restrict access" still points here, I thought I would add my solution to this problem.

Out of a rather large site, I only have a handful of controllers that should be accessible by guests; in my case, "Site" and one we use to manage a product we sell. All the other controllers for managing our accounts, invoices and our many databases should be locked up tight, and only logged-in users should have access. That's a lot of controllers to manually lock down. So, instead of having access rules defined in each controller (and risking forgetting some rules), I created a component called SecuredController that extends Controller.

In its init() function, I simply check if the user is a guest, and if so, I redirect the user to the login page.

Now, for every controller that a guest user should not be accessing at all, I simply make sure those controllers extend SecuredController instead of Controller. As those controllers are instantiated and initialized they will automatically redirect the user if he is a guest. No need for access rules.

As they say, simpler is better, and if I can avoid having to maintain access rules, that's a good thing in my books.
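A base-class version of the approach ekscrypto describes, added here as an example (it is not the poster's actual code nor Yii project code; the guestActions() hook and the InvoiceController name are assumptions). One detail decides where the guard goes: CController::init() runs before the requested action has been resolved, so a check placed there cannot exempt individual actions such as login, which is why the poster keeps SiteController on the plain Controller. Overriding beforeAction() instead sees the action id, so one base class can close every controller by default and still let SiteController open login and error:

```php
<?php
// Added example for Yii 1.1 (not from the thread or the Yii project).
// Every controller extending SecuredController is closed to guests unless it
// overrides guestActions(); the hook name is an assumption of this example.
class SecuredController extends Controller
{
	/**
	 * Action ids that guests may reach. Default: none, i.e. fail closed.
	 * @return array lower-case action ids
	 */
	public function guestActions()
	{
		return array();
	}

	/**
	 * Runs after the controller filters and right before the action body.
	 * Unlike init(), $action is known here, so the whitelist can be applied.
	 */
	protected function beforeAction($action)
	{
		$user = Yii::app()->user;
		if ($user->isGuest && !in_array(strtolower($action->id), $this->guestActions(), true)) {
			// Stores the requested URL as returnUrl and redirects to
			// CWebUser::$loginUrl (array('/site/login') by default).
			// CHttpRequest::redirect() ends the request, so nothing below runs.
			$user->loginRequired();
			return false; // defensive: never let the action run if we get here
		}
		return parent::beforeAction($action);
	}
}

// A private controller needs nothing else: it inherits the guard.
class InvoiceController extends SecuredController
{
	public function actionIndex()
	{
		$this->render('index');
	}
}

// SiteController opts a few actions out; everything else stays closed.
class SiteController extends SecuredController
{
	public function guestActions()
	{
		return array('login', 'error');
	}

	public function actionIndex()
	{
		$this->render('index'); // only reached by authenticated users
	}

	public function actionLogin()
	{
		// Same shape as the skeleton's login action; after a successful login
		// the user is sent back to the URL that loginRequired() remembered.
		$model = new LoginForm;
		if (isset($_POST['LoginForm'])) {
			$model->attributes = $_POST['LoginForm'];
			if ($model->validate() && $model->login()) {
				$this->redirect(Yii::app()->user->returnUrl);
			}
		}
		$this->render('login', array('model' => $model));
	}

	public function actionLogout()
	{
		Yii::app()->user->logout();
		$this->redirect(Yii::app()->homeUrl);
	}

	public function actionError()
	{
		if ($error = Yii::app()->errorHandler->error) {
			$this->render('error', $error);
		}
	}
}
```

The trade-off versus per-controller accessRules is that protection now depends on inheritance: a controller someone later creates with `extends Controller` is open, because nothing fails closed on its behalf. If the site is mostly private, the safer inversion is to put this guard into the skeleton's own protected/components/Controller.php and have the few public controllers override guestActions(), so that forgetting to re-parent a controller errs on the side of denial.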