Hello,
I have installed and configured my app to use the user and rights modules by carefully following this doc:
yii-rights-doc-1.2.0.pdf
Here is the organisation of the files:
protected
-modules
--user-
--rights-
--threads
---controllers
----ThreadsController.php
---models
----Threads.php
---views
----threads
-----[all views]
Here is my protected/config/main.php:
'modules'=>array(
    'threads',
......
    'user'=>array(
        'tableUsers' => 'users',
        'tableProfiles' => 'profiles',
        'tableProfileFields' => 'profiles_fields',
        'debug'=>false,
    ),
    'rights',
......
'components'=>array(
    'user'=>array(
        // enable cookie-based authentication
        //'allowAutoLogin'=>true,
        'class' => 'RWebUser',
        'allowAutoLogin'=>true,
        'loginUrl' => array('/user/login'),
    ),
    'authManager'=>array(
        'class'=>'RDbAuthManager',
        'connectionID'=>'db',
        'itemTable'=>'authitem',
        'itemChildTable'=>'authitemchild',
        'assignmentTable'=>'authassignment',
        'rightsTable'=>'rights',
        'defaultRoles'=>array('Authenticated', 'Guest'),
    ),
......
I have this in protected/components/Controller.php
......
class Controller extends RController
......
I have this in my controller module protected/modules/threads/ThreadsController.php
......
class ThreadsController extends Controller
......
    public function filters()
    {
        return array(
            'rights',
            'postOnly + delete', // we only allow deletion via POST request
        );
    }

    public function allowedActions()
    {
        return 'index';
    }
......
In the rights module management interface, I have:
- 3 roles defined: Admin / Authenticated / Guest
- admin assigned to the roles Admin and Authenticated
- phil assigned to the role Authenticated only
I haven’t defined any Permission, task or operation in the admin rights backend, so that nothing should be allowed to anybody except admin.
The problem is that when I’m not logged in, I can Create, Update or Delete anything from my Threads module.
Any idea what I’m missing?
Regards
Philippe