I am building an advanced Yii2 project (with frontend and backend) where the backend part has the URL www.example.com/admin; so far so good. I have created, using RBAC, two roles (admin and user) and I would like to prevent users from accessing the backend part. I was thinking about creating a rule to attach to the user role that basically checks the URL and returns a 403 Forbidden if the URL contains the admin substring. I am not sure whether this is the best way to achieve my goal or whether there might be better solutions.
However, I have other controllers in my backend and I would like to prevent users from invoking their actions. Should I add rules in the behaviors() method of each backend controller, am I right? I was looking for a less boilerplate option…
As a quick and dirty workaround, at the end of the day, I have attached an anonymous function that is executed on the beforeAction of each backend controller action. I have declared it in backend/config/main.php in this way:
In the User model class (which implements the IdentityInterface) I have created some methods that basically tell you which role the current user belongs to (like the isSomeRole() method in the code snippet example). That's it!
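The poster's config snippet is not reproduced above, so here is an added example (not the original poster's code) of what an application-level beforeAction hook in backend/config/main.php can look like. The role name "admin", the identity class path and the whitelisted site/login and site/error routes are assumptions. The point of hooking the application rather than each controller is that yii\base\Module::EVENT_BEFORE_ACTION fires once per request before any action in the backend runs, so a single handler covers every backend controller without per-controller behaviors() rules:

```php
<?php
// backend/config/main.php (added example, not the original poster's code)
//
// Every top-level config key of the form "on <eventName>" is attached as an
// event handler when the application is built, so this closure runs before
// any controller action of the backend application, regardless of URL.

use yii\base\ActionEvent;
use yii\web\ForbiddenHttpException;

return [
    'id' => 'app-backend',
    'basePath' => dirname(__DIR__),
    'components' => [
        'user' => [
            // Assumed identity class; adjust to the project's own User model.
            'identityClass' => 'common\models\User',
            'enableAutoLogin' => true,
        ],
        // can() below needs a configured authManager; DbManager is assumed.
        'authManager' => [
            'class' => 'yii\rbac\DbManager',
        ],
    ],
    'on beforeAction' => function (ActionEvent $event) {
        // Route of the action about to run, e.g. "site/login" or "user/index".
        $route = $event->action->getUniqueId();

        // Let the login and error actions through, otherwise nobody could log in
        // and a 403 raised below could never be rendered. Assumed route names.
        if ($route === 'site/login' || $route === 'site/error') {
            return;
        }

        $user = Yii::$app->user;

        if ($user->isGuest) {
            // loginRequired() configures a redirect to user.loginUrl on the
            // application response; isValid = false stops the action from running.
            $user->loginRequired();
            $event->isValid = false;
            return;
        }

        // Deny with a 403 unless RBAC grants the "admin" role (assumed name) to
        // the current user. Checking the role here, rather than the "admin"
        // substring of the URL, does not depend on how the backend is mounted.
        if (!$user->can('admin')) {
            throw new ForbiddenHttpException('You are not allowed to access the backend.');
        }
    },
];
```

Because the check is performed by Yii::$app->user->can() against the auth manager, a role helper on the User model such as the isSomeRole() mentioned above is not needed for the access check itself; if one is wanted for views or business logic, it can wrap Yii::$app->authManager->getRolesByUser($this->id) and test for the role name. Keep in mind that the handler only covers requests that reach the backend application; a frontend controller is not affected, and any action deliberately exempted (as site/login is here) must handle authorization on its own.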