Yii Framework Forum: AccessControl. What Am I Doing Wrong?


Accesscontrol. What Am I Doing Wrong?

#1 kalopsia (Junior Member, Group: Members, Posts: 27, Joined: 05-February 14)

Posted 26 March 2014 - 12:36 PM

I have a PostsController with the following behaviors() method in it:

public function behaviors() {
    return [
        'access' => [
            'class' => \yii\web\AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['index', 'view'],
                    'allow' => true,
                    'roles' => ['*'],
                ],
                [
                    'actions' => ['update', 'create'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ]
        ]
    ];
}


The code above doesn't allow the index or view actions for either authenticated users or guests, but it does allow creating and updating posts for logged-in users only.
What did I do wrong?
0

#2 ORey (Elite Member, Group: Members, Posts: 1,701, Joined: 20-April 09, Location: Moscow, Russia)

Posted 26 March 2014 - 12:39 PM

Just delete this thing:
'roles' => ['*'],


NB: 'guests' are '?' now.
God is real unless declared as integer
0

#3 kalopsia (Junior Member, Group: Members, Posts: 27, Joined: 05-February 14)

Posted 26 March 2014 - 12:49 PM

If I understand correctly, the line ('roles' => ['*'],) is deprecated now? We shouldn't specify anything if we want to indicate any user?
0

#4 ORey (Elite Member, Group: Members, Posts: 1,701, Joined: 20-April 09, Location: Moscow, Russia)

Posted 26 March 2014 - 01:00 PM

kalopsia, on 26 March 2014 - 12:49 PM, said:

If I understand correctly, the line ('roles' => ['*'],) is deprecated now? We shouldn't specify anything if we want to indicate any user?


Yes.
Notice that everything is blacklisted by default now, so if you want to allow access to some actions, list them inside the 'actions' array.

You can also use the 'except' key to exclude some actions. For example:

return [
    'access' => [
        'class' => 'yii\web\AccessControl',
        'except' => ['index', 'view'], // these actions are not filtered at all, so everyone gets them
        'rules' => [
            [
                'allow' => true,
                'roles' => ['@'], // all the rest is for authenticated users only
            ],
        ],
    ],
];

God is real unless declared as integer
0

#5 kalopsia (Junior Member, Group: Members, Posts: 27, Joined: 05-February 14)

Posted 26 March 2014 - 01:22 PM

Example from official documentation:

'only' => ['create', 'update'],
'rules' => [
  // deny all POST requests
  [
    'allow' => false,
    'verbs' => ['POST']
  ],
  // allow authenticated users
  [
    'allow' => true,
    'roles' => ['@'],
  ],
  // everything else is denied
],


I can't understand the logic of the first rule.
Why deny exactly POST requests to all users? Why not set something like this:
  [
    'allow' => false,
    'roles' => ['?']
  ],


UPDATE: I've tested this code. It does not allow even authenticated users to perform the create and update actions. Is that correct?
0

#6 ORey (Elite Member, Group: Members, Posts: 1,701, Joined: 20-April 09, Location: Moscow, Russia)

Posted 26 March 2014 - 01:27 PM

Hmm, I'm not sure, maybe it's just an example, so there's no logic :)

Technically, this ruleset allows users to view the record as a form (but not to save this form).
Never seen this in real life though.
God is real unless declared as integer
0

#7 kalopsia (Junior Member, Group: Members, Posts: 27, Joined: 05-February 14)

Posted 26 March 2014 - 03:17 PM

Thanks, I think I've got it!)
Thanks. Are rules inherited? As I understand it, they are.
0

#8 Kartik V (Master Member, Group: Members, Posts: 629, Joined: 29-August 12)

Posted 28 March 2014 - 06:23 AM

kalopsia, on 26 March 2014 - 01:22 PM, said:

I can't understand the logic of the first rule. Why deny exactly POST requests to all users?

It can be useful for isolating POST actions, which may not only be form based but also JavaScript or AJAX triggered. The use case for this is implementing read-only access for specific parts of your page that trigger POST actions. For example, the Yii GridView displays a delete button for each table row which triggers a POST request (you will not be able to execute such actions once the rule is in place), but you can still display the grid content to the users.

It will still allow users to trigger actions through something like GET (again, an example: this is used by the GridView for filtering records, so it will allow such actions).

The following code will disable all actions for guests.
[
    'allow' => false,
    'roles' => ['?']
],

0
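A corrected behaviors() for the PostsController this thread is about, added here as an example rather than code from any of the posters: guests get index and view, authenticated users get create/update/delete, and the documentation's "deny POST" rule is put to the read-only use Kartik describes. It assumes yii\filters\AccessControl (the Yii 2 beta used in the thread had the same class as yii\web\AccessControl) and a hypothetical RBAC permission named 'viewer'.

```php
<?php
namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\filters\AccessControl;

class PostsController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                // Only these actions are filtered; any request that no 'allow'
                // rule matches is denied, because deny is the default in Yii 2.
                'only' => ['index', 'view', 'create', 'update', 'delete'],
                'rules' => [
                    // Everyone, guests included: omit 'roles' to match any user.
                    // Yii 2 has no '*' role; '?' is guest and '@' is authenticated.
                    [
                        'actions' => ['index', 'view'],
                        'allow' => true,
                    ],
                    // Read-only users may open the create/update form with GET, but
                    // any POST (saving the form, the GridView delete button) is
                    // refused. Rules are checked in order and the first match
                    // decides, so this rule must come before the general '@' rule.
                    // 'viewer' is a hypothetical RBAC permission for this example.
                    [
                        'actions' => ['create', 'update', 'delete'],
                        'allow' => false,
                        'verbs' => ['POST'],
                        'matchCallback' => function ($rule, $action) {
                            return Yii::$app->user->can('viewer');
                        },
                    ],
                    // Any other authenticated user may create, update and delete.
                    [
                        'actions' => ['create', 'update', 'delete'],
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
            ],
        ];
    }
}
```

Because the deny rule carries a matchCallback, it only fires for 'viewer' users; everyone else falls through to the '@' rule, which is why the documentation's unconditional POST deny locked out authenticated users in kalopsia's test.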
