Yii Framework Forum: Error 403: You are not authorized to perform this action.


Error 403: You are not authorized to perform this action.

#1 Rahul Kumar

  • Newbie
  • Yii
  • Group: Members
  • Posts: 12
  • Joined: 29-January 11

Posted 06 February 2011 - 03:20 AM

Hello Folks,

Please help me out. I am stuck in Chapter 8.

I executed rbac command successfully for Authorization hierarchy.

When I click on 'Add user to Project', it says

Error 403
You are not authorized to perform this action.

I don't know what is happening.

Help me out.

Attached File(s)


0

#2 rinat.io

  • Junior Member
  • Yii
  • Group: Members
  • Posts: 56
  • Joined: 20-January 11

Posted 06 February 2011 - 06:01 AM

Maybe you must be an admin to create a user, but you just logged in as a user? Can you show your accessRules() for this controller?
1

#3 AmeL

  • Newbie
  • Yii
  • Group: Members
  • Posts: 8
  • Joined: 02-February 11

Posted 07 February 2011 - 10:34 AM

Rahul Kumar, on 06 February 2011 - 03:20 AM, said:

Hello Folks,

Please help me out. I am stuck in Chapter 8.

I executed rbac command successfully for Authorization hierarchy.

When I click on 'Add user to Project', it says

Error 403
You are not authorized to perform this action.

I don't know what is happening.

Help me out.


Two things to check:

1- Make sure that your accessRules() allows the adduser action for '@' (signed in), and IT IS ON TOP OF ALL OTHER RULES, OR AT LEAST ABOVE THE DENY-ALL RULE. Don't get me wrong, it is not required to always be on top of all other rules, but the default last rule in the book is to deny *, so if you put your adduser rule below it, you won't have a chance to access the adduser action.

    public function accessRules()
    {
        return array(
            array('allow',
                'actions' => array('index', 'view', 'adduser'),
                'users' => array('@')
            ),
            array('allow', // allow authenticated user to perform 'create' and 'update' actions
                'actions'=>array('create','update'),
                'users'=>array('@'),
            ),
            array('allow', // allow admin user to perform 'admin' and 'delete' actions
                'actions'=>array('admin','delete'),
                'users'=>array('admin'),
            ),
            array('deny',  // deny all users
                'users'=>array('*'),
            ),
        );
    }


2- If you have correctly updated your accessRules(), you need to make sure the account you're using to sign in is a user who has access to the operation 'create new user'. This operation is obviously in the task user management, and assigned to the role owner. So the user must be the owner of the project you're currently browsing. Query your database to make sure of that.

In my case, I don't know what is going on; I am stuck at this point (hope you don't get stuck), while my database shows Test_User_One is the owner of the project and my accessRules is correctly set, but this god damn Yii::app()->checkAccess() always returns FALSE.

Your screenshot looks like you put this link, Add User To Project, in the wrong place, so you might also look into this file ....\trackstar\protected\views\project\view.php and add it as a vertical menu item as below:
......
......
$this->menu=array(
	array('label'=>'List Project', 'url'=>array('index')),
	array('label'=>'Create Project', 'url'=>array('create')),
	array('label'=>'Update Project', 'url'=>array('update', 'id'=>$model->id)),
	array('label'=>'Delete Project', 'url'=>'#', 'linkOptions'=>array('submit'=>array('delete','id'=>$model->id),'confirm'=>'Are you sure you want to delete this item?')),
	array('label'=>'Manage Project', 'url'=>array('admin')),
	array('label'=>'Create Issue', 'url'=>array('issue/create', 'pid'=>$model->id)),
	array('label'=>'Add User To Project','url'=>array('adduser','id'=>$model->id)),
);
......
......

0
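Added example (not from this thread or the TrackStar book): a small PHP stand-in for the first-match evaluation that Yii 1.1's access control filter applies to the rules returned by accessRules(), showing why the catch-all deny rule must sit after the adduser allow rule. ruleMatches() and isAllowed() are my own names; only the 'actions' and 'users' keys are modelled, the real filter also handles 'roles', 'ips', 'verbs' and 'expression'.

```php
<?php
// Stand-in for CAccessRule: does this rule apply to this action and this user?
// 'actions' absent means the rule covers every action of the controller.
function ruleMatches(array $rule, string $action, ?string $username): bool
{
    if (isset($rule['actions'])) {
        $actions = array_map('strtolower', $rule['actions']);
        if (!in_array(strtolower($action), $actions, true)) {
            return false;
        }
    }
    // 'users': '*' anyone, '?' guests only, '@' authenticated only, otherwise an exact username.
    foreach ($rule['users'] ?? ['*'] as $u) {
        if ($u === '*') return true;
        if ($u === '?' && $username === null) return true;
        if ($u === '@' && $username !== null) return true;
        if ($username !== null && strcasecmp($u, $username) === 0) return true;
    }
    return false;
}

// Stand-in for CAccessControlFilter: the first matching rule decides;
// if no rule matches at all, access is allowed.
function isAllowed(array $rules, string $action, ?string $username): bool
{
    foreach ($rules as $rule) {
        if (ruleMatches($rule, $action, $username)) {
            return $rule[0] === 'allow';
        }
    }
    return true;
}

$allowAdduser = ['allow', 'actions' => ['adduser'], 'users' => ['@']];
$denyAll      = ['deny', 'users' => ['*']];

// Wrong order: deny-all sits above the adduser rule, so the deny matches first
// for every user and the adduser rule is never reached (the 403 from the thread).
$wrongOrder = isAllowed([$denyAll, $allowAdduser], 'adduser', 'Test_User_One');

// Right order: the specific allow comes first and the catch-all deny stays last.
$rightOrder = isAllowed([$allowAdduser, $denyAll], 'adduser', 'Test_User_One');

// A guest (null username) never matches '@', so the deny still catches them.
$guest = isAllowed([$allowAdduser, $denyAll], 'adduser', null);

printf("deny-all first: %s\n", $wrongOrder ? 'allowed' : 'denied');
printf("deny-all last:  %s\n", $rightOrder ? 'allowed' : 'denied');
printf("guest:          %s\n", $guest ? 'allowed' : 'denied');
```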

#4 Rahul Kumar

  • Newbie
  • Yii
  • Group: Members
  • Posts: 12
  • Joined: 29-January 11

Posted 07 February 2011 - 10:43 AM

This is my accessRules():

public function accessRules()
{
    return array(
        array('allow', //allow all users to perform 'index' and 'view' actions
            'actions'=>array('index','view','adduser'),
            'users'=>array('@'),
        ),
        array('allow', // allow authenticated user to perform 'create' and 'update' actions
            'actions'=>array('create','update'),
            'users'=>array('@'),
        ),
        array('allow', // allow admin user to perform 'admin' and 'delete' actions
            'actions'=>array('admin','delete'),
            'users'=>array('@'),
        ),
        array('deny', // deny all users
            'users'=>array('*'),
        ),
    );
}


I have done some experiments. Now all my users are able to perform the admin and delete tasks.
0

#5 AmeL

  • Newbie
  • Yii
  • Group: Members
  • Posts: 8
  • Joined: 02-February 11

Posted 07 February 2011 - 10:51 AM

Rahul Kumar, on 07 February 2011 - 10:43 AM, said:

[quotes post #4 in full]


Good news! So how about assigning Test_User_One as owner and Test_User_Two as member of project 1, then going back to follow the book and testing whether you can see the link Add User To Project, and if you do, whether you can access that page with Test_User_One or Test_User_Two?
0

#6 Rahul Kumar

  • Newbie
  • Yii
  • Group: Members
  • Posts: 12
  • Joined: 29-January 11

Posted 07 February 2011 - 10:55 AM

Yeah, I assigned the owner role to one user and the member role to another user.

Now the member is not able to see the Add user to Role link.

But the problem is that everyone can manage the project.

How to restrict members and readers?
0

#7 AmeL

  • Newbie
  • Yii
  • Group: Members
  • Posts: 8
  • Joined: 02-February 11

Posted 07 February 2011 - 11:00 AM

That they don't see the link does not mean they cannot access the manage project page, so make sure you insert your check in every page to prevent a reader from a member page, and to prevent a member from an owner page.
This is an example of restricting members and readers from gaining access to the Add User To Project page.

public function actionAdduser($id)
{
    $project = $this->loadModel($id);

    /*
    if(!$project->isUserInRole('owner'))
    {
        throw new CHttpException(403,'Damn You!, you are not authorized to perform this action.');
    }
    */

    if(!Yii::app()->user->checkAccess('createUser', array('project'=>$project)))
    {
        throw new CHttpException(403,"Damn You!, you are not authorized to perform this action.");
    }
    ...............................
    ...............................


In my case, this won't work since my checkAccess() always returns FALSE, but others confirmed that it works. But my commented code works smoothly.
1

#8 Rahul Kumar

  • Newbie
  • Yii
  • Group: Members
  • Posts: 12
  • Joined: 29-January 11

Posted 07 February 2011 - 11:05 AM

I have the same code, but still not working.


public function actionAdduser()
{
    $form=new ProjectUserForm;
    $project = $this->loadModel();
    if(!Yii::app()->user->checkAccess('createUser', array('project'=>$project)))
    {
        throw new CHttpException(403,'You are not authorized to perform this action.');
    }
    // collect user input data
    if(isset($_POST['ProjectUserForm']))
    {
        $form->attributes=$_POST['ProjectUserForm'];
        $form->project = $project;
        // validate user input and set a successful flash message if valid
        if($form->validate())
        {
            Yii::app()->user->setFlash('success',$form->username . " has been added to the project." );
            $form=new ProjectUserForm;
        }
    }
    // display the add user form
    $users = User::model()->findAll();
    $usernames=array();
    foreach($users as $user)
    {
        $usernames[]=$user->username;
    }
    $form->project = $project;
    $this->render('adduser',array('model'=>$form, 'usernames'=>$usernames));
}
0

#9 AmeL

  • Newbie
  • Yii
  • Group: Members
  • Posts: 8
  • Joined: 02-February 11

Posted 07 February 2011 - 11:15 AM

Rahul Kumar, on 07 February 2011 - 11:05 AM, said:

[quotes post #8 in full]

What does your loadModel() look like? Mine is loadModel($id).
I am using Yii 1.1.6 r2877; how about you?
0

#10 Rahul Kumar

  • Newbie
  • Yii
  • Group: Members
  • Posts: 12
  • Joined: 29-January 11

Posted 07 February 2011 - 12:08 PM

I have the same version.

Added loadModel($id) also. Still not working.
0

#11 iansane

  • Newbie
  • Yii
  • Group: Members
  • Posts: 13
  • Joined: 04-November 11

Posted 09 November 2011 - 07:46 PM

I've been following along with the book, and the problem with the admin user is that once RBAC is in place, admin and demo are disabled as part of using tbl_user instead of the hard-coded admin and demo.

At least I can't log in as admin or demo.

I added a user manually in the DB so I can log in with that user now, the same as Test_User_One and Test_User_Two, and after fixing the link for add user I can see it now, but I'm lost on how the app knows whether these two test users or my new user are admins or not.
0

#12 Joemaxwell

  • Junior Member
  • Yii
  • Group: Members
  • Posts: 25
  • Joined: 13-February 13
  • Location:Fiji Via Melbourne

Posted 17 April 2013 - 10:25 PM

Rahul Kumar, on 07 February 2011 - 12:08 PM, said:

I have the same version.

Added loadModel($id) also. Still not working.



Try this out: add the $id to the public function actionAdduser and to loadModel.


public function actionAdduser($id)
{
$project = $this->loadModel($id);
if(!Yii::app()->user->checkAccess('createUser', array('project'=>$project)))
............
...........
............
0

#13 johnsnails

  • Junior Member
  • Yii
  • Group: Members
  • Posts: 61
  • Joined: 05-September 11
  • Location:Sydney Australia

Posted 02 July 2013 - 10:53 PM

In case it helps someone.

I was using YiiBooster and created a new action actionEditableSaver(). I was getting this error message because I hadn't added it to:

array('allow', // allow authenticated user to perform 'create' and 'update' actions
    'actions'=>array('create','update','EditableSaver'),
    'users'=>array('@'),
),

0
