bambinou
(Benoitrivaux)
March 5, 2015, 10:41pm
1
Hello,
I have created a model, controller and CRUD for a table called "posts".
When the user types
http://yiiproject.com/index.php?r=posts
he can still see the view page of the CRUD. I don't understand this, because I have these parameters in my controller:
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'only' => ['create','update','delete'],
            'rules' => [
                [
                    'allow' => true,
                    'roles' => ['@'], // <---------------------------------??
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'delete' => ['post'],
            ],
        ],
    ];
}
Why can users who are not logged in still see that view page, please?
Thank you,
Ben
markxast
(Mark)
March 6, 2015, 12:04am
2
Ben,
You may want to share your controller. But if you are using one generated by Gii, it generates actionView($id). You have to include ‘view’ in the ‘only’ array:
'only' => ['create','update','delete', 'view'],
Then guests are not allowed to run actionView.
bambinou
(Benoitrivaux)
March 6, 2015, 11:09pm
3
Hi MarkXast,
Thank you for the reply.
Yes I have used Gii to generate my files.
I have added this array in the controller as you said:
public function actionView($id)
{
    return $this->render('view', [
        'model' => $this->findModel($id),
        'only' => ['create','update','delete', 'view'],
    ]);
}
But I am still able to view the grid widget without being logged in with this url
http://yiiproject.com/index.php?r=posts
Thanks,
Ben
timmy78
(Timothee Planchais)
March 8, 2015, 6:41pm
4
bambinou:
Hi MarkXast,
Thank you for the reply.
Yes I have used Gii to generate my files.
I have added this array in the controller as you said:
public function actionView($id)
{
    return $this->render('view', [
        'model' => $this->findModel($id),
        'only' => ['create','update','delete', 'view'],
    ]);
}
But I am still able to view the grid widget without being logged in with this url
http://yiiproject.com/index.php?r=posts
Thanks,
Ben
You have to put this array in the behaviors…
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'only' => ['create','update','delete', 'index'], // added index here
            'rules' => [
                [
                    'allow' => true,
                    'roles' => ['@'], // <---------------------------------??
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'delete' => ['post'],
            ],
        ],
    ];
}
bambinou
(Benoitrivaux)
March 8, 2015, 9:55pm
5
I have now added this code in my PostsController.php, but the admin is still able to "create" a post.
Could you please tell me why it is not working, or what I am doing wrong? Thank you.
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'only' => ['view','delete','update'],
            'rules' => [
                [
                    'actions' => ['view'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
                [
                    'actions' => ['delete'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
                [
                    'actions' => ['update'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'delete' => ['post'],
            ],
        ],
    ];
}
bambinou
(Benoitrivaux)
March 9, 2015, 11:23pm
6
Ok, found my error. It works in a different way than I first thought: you need to actually deny the action each time.
I thought that by just not adding the action it would have been auto-denied, but no…
Here is the new code:
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'only' => ['create','view','update','delete'],
            'rules' => [
                [
                    'actions' => ['create'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
                [
                    'actions' => ['view'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
                [
                    'actions' => ['update'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
                [
                    'actions' => ['delete'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
    ];
}
bobonov
(Bobonov)
March 10, 2015, 5:13am
7
If you enable RBAC, the default is deny on every action unless the user is allowed.
phtamas
(Phtamas)
March 10, 2015, 7:16am
8
bambinou:
Ok, found my error. It works in a different way than I first thought: you need to actually deny the action each time.
I thought that by just not adding the action it would have been auto-denied, but no…
If you want every action of a controller to be denied by default, remove "only" from the filter configuration:
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['create', 'view', 'update', 'delete'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
    ];
}
or, if you want to apply the same rules to every action, you can remove "actions" too:
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
    ];
}
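As an added illustration (not code from this thread, and not Yii's own implementation), a small stand-alone PHP model of the filter semantics phtamas describes, run against the configurations from the thread. It assumes the documented behaviour of AccessControl: 'only' limits which actions the filter covers at all, rules are tried in order, and an action the filter covers is denied when no rule matches; '@' means an authenticated user and '?' a guest.

```php
<?php
// Added example: a simplified stand-in for yii\filters\AccessControl so the
// rule logic can be run without the framework. Not Yii's real code.

function isAllowed(array $filter, string $action, bool $loggedIn): bool
{
    // An action outside 'only' is never examined by the filter, so anyone
    // (including guests) reaches it. This is the gap in the original config.
    if (isset($filter['only']) && !in_array($action, $filter['only'], true)) {
        return true;
    }
    foreach ($filter['rules'] as $rule) {
        // A rule with no 'actions' applies to every action.
        if (isset($rule['actions']) && !in_array($action, $rule['actions'], true)) {
            continue;
        }
        // A rule with no 'roles' applies to everyone.
        $roleMatch = false;
        foreach ($rule['roles'] ?? [] as $role) {
            if (($role === '@' && $loggedIn) || ($role === '?' && !$loggedIn)) {
                $roleMatch = true;
            }
        }
        if (isset($rule['roles']) && !$roleMatch) {
            continue;
        }
        return (bool) $rule['allow']; // first matching rule decides
    }
    return false; // covered by the filter, but no rule matched: deny
}

$actions = ['index', 'view', 'create', 'update', 'delete'];
$configs = [
    "original: 'only' without index/view" => [
        'only'  => ['create', 'update', 'delete'],
        'rules' => [['allow' => true, 'roles' => ['@']]],
    ],
    "no 'only', explicit actions" => [
        'rules' => [['actions' => $actions, 'allow' => true, 'roles' => ['@']]],
    ],
    "no 'only', no 'actions'" => [
        'rules' => [['allow' => true, 'roles' => ['@']]],
    ],
];
foreach ($configs as $name => $filter) {
    echo "$name\n";
    foreach ($actions as $action) {
        printf("  %-6s guest: %-3s logged in: %s\n", $action,
            isAllowed($filter, $action, false) ? 'yes' : 'no',
            isAllowed($filter, $action, true) ? 'yes' : 'no');
    }
}
```

With the first configuration, index and view come out as reachable by guests because the filter never looks at them; with the other two, every action is denied to guests and allowed to logged-in users.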
bambinou
(Benoitrivaux)
March 10, 2015, 8:50am
9
Thank you so much! I now understand everything about rules well, excellent!