Not sure if this is a bug:
I noticed that leaving an empty array in access rules breaks access restrictions e.g. ‘actions’=>array() but defining them with an empty string as below keeps access restrictions working:
public function accessRules()
{
return array(
array('allow', // allow all users to perform 'index' and 'view' actions
'actions'=>array(''),
'users'=>array('*'),
),
i.e. if empty array … the redirect for pages doesn’t happen