Yii AccessRules not working

This is driving me nuts. What am I doing wrong here?

No matter what I put for access rules they are seemingly ignored and I can access every page/action.

Here is my SiteController.php


<?php

namespace app\controllers;

use Yii;
use yii\web\Controller;
use app\models\LoginForm;
use app\models\Ticket;
use app\models\Product;

class SiteController extends Controller
{
    public function filters()
    {
        return array('accessControl');
    }
    public function accessRules()
    {
        return array(
            array('deny',
                'actions'=>array('index'),
            ),
        );
    }

    public function beforeAction($action)
    {
        if (!Yii::$app->user->isGuest)
        {
            if (!Yii::$app->user->identity->gotCwData)
            {
                Yii::$app->user->identity->getCwData();
            }
            Yii::$app->user->identity->openTickets = Ticket::getTicketCount();
        }
        return true;
    }

    /**
     * Displays homepage.
     *
     * @return string
     */
    public function actionIndex()
    {
        /*if(Yii::$app->user->isGuest && Yii::$app->controller->action->id != "login") {
            Yii::$app->user->loginRequired();
            $this->actionLogin();
            return true;
        }*/
        $agreements = Product::getAgreementList();
        $tickets = Ticket::getTickets();
        return $this->render('index', [
            'agreements' => $agreements,
            'tickets' => $tickets,
        ]);
    }

    /**
     * Login action.
     *
     * @return string
     */
    public function actionLogin()
    {
        if (!Yii::$app->user->isGuest) {
            return $this->goHome();
        }

        $model = new LoginForm();
        if ($model->load(Yii::$app->request->post()) && $model->login()) {
            return $this->goBack();
        }
        return $this->render('login', [
            'model' => $model,
        ]);
    }

    /**
     * Logout action.
     *
     * @return string
     */
    public function actionLogout()
    {
        Yii::$app->user->logout();

        return $this->goHome();
    }
}




It seems you are using the Access Control from Yii 1.

The Access Control handling in Yii2 is described here:

http://www.yiiframework.com/doc-2.0/guide-security-authorization.html

Wow thanks for pointing that out. I changed to behaviors and still nothing is working…


<?php

namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use yii\web\Controller;
use app\models\LoginForm;
use app\models\Ticket;
use app\models\Product;

class SiteController extends Controller
{
    /**
     * @inheritdoc
     */
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'actions' => ['login'],
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
            ],
        ];
    }

    public function beforeAction($action)
    {
        if (!Yii::$app->user->isGuest)
        {
            if (!Yii::$app->user->identity->gotCwData)
            {
                Yii::$app->user->identity->getCwData();
            }
            Yii::$app->user->identity->openTickets = Ticket::getTicketCount();
        }
        return true;
    }

    /**
     * Displays homepage.
     *
     * @return string
     */
    public function actionIndex()
    {
        /*if(Yii::$app->user->isGuest && Yii::$app->controller->action->id != "login") {
            Yii::$app->user->loginRequired();
            $this->actionLogin();
            return true;
        }
        $agreements = Product::getAgreementList();
        $tickets = Ticket::getTickets();
        return $this->render('index', [
            'agreements' => $agreements,
            'tickets' => $tickets,
        ]);*/
        return $this->render('index');
    }

    /**
     * Login action.
     *
     * @return string
     */
    public function actionLogin()
    {
        if (!Yii::$app->user->isGuest) {
            return $this->goHome();
        }

        $model = new LoginForm();
        if ($model->load(Yii::$app->request->post()) && $model->login()) {
            return $this->goBack();
        }
        return $this->render('login', [
            'model' => $model,
        ]);
    }

    /**
     * Logout action.
     *
     * @return string
     */
    public function actionLogout()
    {
        Yii::$app->user->logout();

        return $this->goHome();
    }
}



The rule you have specified is applied only for the "login" action:


'actions' => ['login'],

If you want to restrict access to all actions besides "login" etc. you will need to configure it differently.

Here is an example (listed actions are ignored and others require an authenticated user):


    /**
     * @inheritdoc
     */
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'except' => ['index', 'login', 'signup', 'request-password-reset', 'reset-password', 'error'],
                'rules' => [
                    [
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
            ],
        ];
    }
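
An added example, not part of any post in this thread: the controllers above override beforeAction() and return true without calling the parent, and in Yii2 it is Controller::beforeAction() that triggers EVENT_BEFORE_ACTION, the event AccessControl listens on, so the filter never runs whatever the rules say. The sketch below keeps the thread's identity fields and Ticket model; the 'error' action name is taken from the except list above and is assumed to exist.

```php
<?php

namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;
use app\models\Ticket;

class SiteController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                // No 'only'/'except': the filter covers every action, and
                // a request that matches no rule is denied.
                'rules' => [
                    // Login and error pages stay reachable for everyone.
                    ['actions' => ['login', 'error'], 'allow' => true],
                    // Every other action requires an authenticated user ('@').
                    ['allow' => true, 'roles' => ['@']],
                ],
            ],
        ];
    }

    public function beforeAction($action)
    {
        // The parent call fires EVENT_BEFORE_ACTION (running AccessControl)
        // and, in yii\web\Controller, performs CSRF validation. Skipping it
        // silently disables both checks.
        if (!parent::beforeAction($action)) {
            return false; // access denied or filter stopped the request
        }
        if (!Yii::$app->user->isGuest) {
            $identity = Yii::$app->user->identity;
            if (!$identity->gotCwData) {
                $identity->getCwData();
            }
            $identity->openTickets = Ticket::getTicketCount();
        }
        return true;
    }
}
```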