Restrict access to views for logged users

Hi

I am quite new to Yii. After messing with Kohana, CI and Symfony, Yii seems the most logical. I am writing an application that uses CRUD operations on DB tables, just as simple as the tutorial.

But I haven't found how to properly restrict access to views when the user is a guest.

I managed to apply login against database users, so that is nice. And this is how I am trying to achieve that.

Let's assume I have model mA which has view vA. When I run the URL of my app I can see only a LOGIN link with the login screen (the very same as in the testdrive app of Yii). When the user logs in, there are more links to the views of all models, especially of model mA. Also the logged-in user has the link LOGOUT(currentUser). When the user clicks on LOGOUT he is moved to the login screen and becomes a guest again. But when the user enters the URL http://yii/myapp/index.php?r=mA (view of model A), the page of model A with all the data is displayed, and THIS IS NOT WHAT I WANT.

So I put in the main config this line:

'homeUrl'=>array('site/login'),

which points to the login screen.

And in http://yii/myapp/protected/views/site/index.php I put:

// IF NOT LOGGED IN, GO TO LOGIN SCREEN
if(Yii::app()->user->isGuest)
{
    $this->redirect(Yii::app()->homeUrl);
}

So when I launch the URL of the app it moves me to the login screen if the user is a guest. However, I can manually go to the views of all models by launching their URLs. Do I have to enter the above code in every view of every model? For example in admin.php, create.php, index.php, update.php and view.php, to restrict access to them for authenticated users? Or is there any global function to do it?

Thanks in advance,

Tom

See the section Access Control Filter on this page

http://www.yiiframework.com/doc/guide/topics.auth

/Tommy

you can find it in your controller [whatever controller you wish to use, if you have multiple controllers.]

it's in the public function accessRules. you can change this:

public function accessRules()
{
	return array(
		array('allow',  // allow all users to perform 'list' and 'show' actions
			'actions'=>array('list','show', 'asx','dibs'),
			'users'=>array('*'),
		),
		array('allow', // allow authenticated user to perform 'create' and 'update' actions
			'actions'=>array('create','update'),
			'users'=>array('@'),
		),
		array('allow', // allow admin user to perform 'admin' and 'delete' actions
			'actions'=>array('admin','delete'),
			'users'=>array('admin'),
		),
		array('deny',  // deny all users
			'users'=>array('*'),
		),
	);
}

to this

public function accessRules()
{
	return array(
		array('allow',  // allow all users to perform 'list' and 'show' actions
			'actions'=>array('list','show', 'asx','dibs'),
			'users'=>array('admin'),
		),
		array('allow', // allow authenticated user to perform 'create' and 'update' actions
			'actions'=>array('create','update'),
			'users'=>array('admin'),
		),
		array('allow', // allow admin user to perform 'admin' and 'delete' actions
			'actions'=>array('admin','delete'),
			'users'=>array('admin'),
		),
		array('deny',  // deny all users
			'users'=>array('*'),
		),
	);
}

whichever way you like ;)

Thank You! That is also why I like yii - nice forum responses :)

To deny anonymous users from displaying the view of model A, I put in the controller yii/myapp/protected/controllers/A_Controller.php something like this:

public function accessRules()
{
	return array(
		array('deny',  // deny anonymous users
			'users'=>array('?'),
		),
	);
}

And I put this in every controller that I want to restrict access to.

How about main index page which loads when I launch main URL of application?

I tried to put the same code in yii/myapp/protected/controllers/SiteController.php but it doesn’t work… any clues where to put this code?

================

Ok, when I added these lines:

<?php

class SiteController extends Controller
{
	/**
	 * @return array action filters
	 */
	public function filters()
	{
		return array(
			'accessControl', // perform access control for CRUD operations
		);
	}

	/**
	 * Specifies the access control rules.
	 * This method is used by the 'accessControl' filter.
	 * @return array access control rules
	 */
	public function accessRules()
	{
		return array(
			array('deny',  // deny anonymous users
				'users'=>array('?'),
			),
		);
	}

	...


Firefox couldn't open the page with strange info:

Which translates to:

Incorrect redirection

Firefox found that the server redirects the request in a way that doesn't allow it to comply.

  • This problem can arise when blocking cookies.

You should implement the action filters

	/**
	 * @return array action filters
	 */
	public function filters()
	{
		return array(
			'accessControl', // perform access control for CRUD operations
		);
	}

in order to tell the controller to take the rules into consideration.

Also remember that you cannot restrict the action login, and if you restrict the index, make sure that the index will be the default page for not logged users.
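
The redirect loop reported above comes from the deny rule also covering the login action: when the accessControl filter denies a guest it sends them to user->loginUrl (site/login by default), and the same rule denies that request again. An added example, not code from this thread, of a SiteController whose rules exempt 'login' and 'error' so the loop cannot occur; it assumes Yii 1.1, the default loginUrl and the LoginForm model that the skeleton (testdrive) app generates:

```php
<?php
// Added example (not code from the thread): protected/controllers/SiteController.php
// for Yii 1.1. Guests may only reach 'login' and 'error'; everything else needs a login.
class SiteController extends Controller
{
	public function filters()
	{
		return array('accessControl'); // makes accessRules() apply to this controller
	}

	public function accessRules()
	{
		// Rules are checked top to bottom; the first matching rule wins.
		return array(
			array('allow',
				'actions'=>array('login','error'), // reachable by everyone, guests included,
				'users'=>array('*'),               // so the login page is never itself denied
			),
			array('allow',
				'users'=>array('@'),               // any authenticated user may use all other actions
			),
			array('deny',
				'users'=>array('*'),               // a guest hitting anything else is denied; the
			),                                     // filter then redirects them to user->loginUrl
		);
	}

	public function actionIndex()
	{
		$this->render('index'); // no isGuest check needed: guests never reach this action
	}

	public function actionLogin()
	{
		$model=new LoginForm; // the LoginForm model the Yii skeleton app generates
		if(isset($_POST['LoginForm']))
		{
			$model->attributes=$_POST['LoginForm'];
			if($model->validate() && $model->login())
				$this->redirect(Yii::app()->user->returnUrl); // back to the page that was denied
		}
		$this->render('login',array('model'=>$model));
	}

	public function actionError()
	{
		if($error=Yii::app()->errorHandler->error)
			$this->render('error',$error);
	}
}
```

With these rules homeUrl can stay at its default; setting it to site/login is no longer needed, because the filter itself sends guests to the login page.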

Hi zaccaria, please look at my post above. I implemented the filters() function to tell the controller to apply the access rules, but then Firefox couldn't open the page.

How do I make index the default page for users who are not logged in?

==================

OK - I managed to do that in the actionIndex() method of SiteController.php:

public function actionIndex()
{
    // renders the view file 'protected/views/site/index.php'
    // using the default layout 'protected/views/layouts/main.php'
    if(Yii::app()->user->isGuest)
    {
        // IF NOT LOGGED IN, GO TO LOGIN SCREEN
        $this->redirect(Yii::app()->homeUrl);
    }
    else
    {
        $this->render('index');
    }
}

where homeUrl is defined as site/login in the main.php config file. It works - anonymous users who call the home URL get to the login screen, but I don't know if it is written in good Yii/MVC manner…

Any suggestions appreciated.

you’re welcome… glad to be of help…

anyway… just want to share my case, i just filled up the ideal accessRules so that it won't be a hassle anymore… like this:

public function accessRules()
{
	return array(
		array('allow',  // allow all users to perform 'list' and 'show' actions
			'actions'=>array('list','show', 'asx','dibs'),
			'users'=>array('*'),
		),
		array('allow', // allow authenticated user to perform 'create' and 'update' actions
			'actions'=>array('create','update'),
			'users'=>array('admin'),
		),
		array('allow', // allow admin user to perform 'admin' and 'delete' actions
			'actions'=>array('admin','delete'),
			'users'=>array('admin'),
		),
		array('deny',  // deny all users
			'users'=>array('*'),
		),
	);
}

i just added that so everyone can see but only the admin can manage the data… plus i got an admin section in my webapp so it’s no big deal…

anyway, if you want the login to show up when users are not logged in, just put this

if(Yii::app()->user->isGuest)
	$this->redirect(Yii::app()->homeUrl.'?r=site/login');

if(!Yii::app()->user->isGuest)
	$this->redirect(Yii::app()->homeUrl.'?r=event');

[quote]
?r=event is my primary model, you can change it to just $this->redirect(Yii::app()->homeUrl);

if you want it to just redirect to the homepage. :)
[/quote]

on the index.php of your views, and don't change the homeUrl in your config. just let it be as it was from default

What are these actions 'list', 'show', 'asx', 'dibs'?

public function accessRules()
{
	return array(
		array('allow',  // allow all users to perform 'list' and 'show' actions
			'actions'=>array('list','show', 'asx','dibs'),
			'users'=>array('*'),
		),
	);
}

I know the standard create, update, delete, admin, but are the ones above your own?

oh sorry…list, asx and dibs are custom controls… you just have to meddle with the view and show stuff.

view and show, or list and show?

and what are these methods? I couldn't find an explanation of these actions on the Yii website - does it mean displaying the view of a model and showing it…??

just the default ones…

this i think?

array('allow',  // allow all users to perform 'index' and 'view' actions
	'actions'=>array('index','view'),
	'users'=>array('*'),
),

change the * to admin

OK thanks a lot :wink:

hope it helps :D

Well, Yii helps so much in writing database-driven apps and so on that I started to rewrite an app a year after I suspended it, because I was writing SQL in the view :lol: to tell the truth I had only a view, no controller and model, because all of MVC was in the view :rolleyes: thanks again!

hahaha… yeah… i was just like that a few weeks ago…i just started yii myself. ;) and i’m having my own set of problems too… :D it’s good to have a forum section here so people can exchange infos. :D

I'm quite new to Yii too, but since a Google search for "Yii restrict access" still points here, I thought I would add my solution to this problem.

Out of a rather large site, I only have a handful of controllers that should be accessible by guests; in my case, "Site" and one we use to manage a product we sell. All the other controllers for managing our accounts, invoices and our many databases should all be locked up tight and only logged-in users should have access. That's a lot of controllers to manually lock down. So, instead of having access rules defined in each controller (and risking forgetting some rules), I created a component called SecuredController that extends Controller.

In its init() function, I simply check if the user is a guest, and if so, I redirect the user to the login page.

Now, for every controller that a guest user should not be accessing at all, I simply make sure those controllers extend SecuredController instead of Controller. As those controllers are instantiated and initialized they will automatically redirect the user if he is a guest. No need for access rules.

As they say, simpler is better, and if I can avoid having to maintain access rules, that's a good thing in my books.
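
The base-class approach described in the post above, written out as an added example rather than the poster's own code; it assumes Yii 1.1, the default user->loginUrl, and a hypothetical InvoiceController as the controller being protected:

```php
<?php
// Added example (not the poster's code): protected/components/SecuredController.php
// for Yii 1.1. Yii calls init() before running any action, so a guest is turned
// away before the controller does anything else.
class SecuredController extends Controller
{
	public function init()
	{
		parent::init();
		if(Yii::app()->user->isGuest)
		{
			// loginRequired() stores the requested URL as returnUrl, redirects to
			// user->loginUrl (site/login by default) and ends the request; for an
			// AJAX request it throws a 403 instead of redirecting.
			Yii::app()->user->loginRequired();
		}
	}
}

// protected/controllers/InvoiceController.php (hypothetical name): nothing in this
// controller mentions access control, yet a guest can reach none of its actions.
class InvoiceController extends SecuredController
{
	public function actionIndex()
	{
		$this->render('index');
	}

	public function actionAdmin()
	{
		$this->render('admin');
	}
}
```

The check is only as complete as the inheritance list: any controller that still extends Controller stays open, so grep protected/controllers for "extends Controller" when reviewing which ones are exposed to guests.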