Error 403: You are not authorized to perform this action.

Hello Folks,

Please help me out. I am stuck in Chapter 8.

I executed rbac command successfully for Authorization hierarchy.

When I click on ‘Add user to Project’, it says

Error 403

You are not authorized to perform this action.

I don’t know what is happening.

Help me out.

Maybe you must be an admin to create a user, but you just logged in as a user? Can you show your accessRules() for this controller?

Two things to check:

1- Make sure that your accessRules() has allowed the adduser action to @ (signed in), and IT IS ON TOP OF ALL OTHER RULES OR AT LEAST JUST PUT IT ON TOP OF THE DENY ALL RULE. Don’t get me wrong, it is not required to always be on top of all other rules, but the default last rule in the book is to deny *, so if you put your adduser rule below it, you won’t have a chance to access the action adduser.




	public function accessRules()
	{
		return array(
			array('allow', // signed-in users may list, view and add users; this rule must come before the deny-all rule
				'actions' => array('index', 'view', 'adduser'),
				'users' => array('@')
			),
			array('allow', // allow authenticated user to perform 'create' and 'update' actions
				'actions'=>array('create','update'),
				'users'=>array('@'),
			),
			array('allow', // allow admin user to perform 'admin' and 'delete' actions
				'actions'=>array('admin','delete'),
				'users'=>array('admin'),
			),
			array('deny',  // deny all users
				'users'=>array('*'),
			),
		);
	}



2- If you have correctly updated your accessRules(), you need to check to make sure the account you’re using to sign in is the user who has access to the operation ‘create new user’. This operation is obviously in the task user management, and assigned to the role owner. So the user must be the owner of the project you’re currently browsing. Go select from your database to make sure of that.

In my case, I don’t know what is going on, I’m stuck at this point (hope you aren’t): while my database shows Test_User_One is the owner of the project and my accessRules is correctly set, this god damn Yii::app()->checkAccess() always returns FALSE.

Your printed screen looks like you put this link, Add User To Project, in the wrong place, so you might also look into this file …\trackstar\protected\views\project\view.php and add it as a vertical menu item as below:




......
......
$this->menu=array(
	array('label'=>'List Project', 'url'=>array('index')),
	array('label'=>'Create Project', 'url'=>array('create')),
	array('label'=>'Update Project', 'url'=>array('update', 'id'=>$model->id)),
	array('label'=>'Delete Project', 'url'=>'#', 'linkOptions'=>array('submit'=>array('delete','id'=>$model->id),'confirm'=>'Are you sure you want to delete this item?')),
	array('label'=>'Manage Project', 'url'=>array('admin')),
	array('label'=>'Create Issue', 'url'=>array('issue/create', 'pid'=>$model->id)),
	array('label'=>'Add User To Project','url'=>array('adduser','id'=>$model->id)),
);
......
......
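As an added illustration of the ordering point in item 1 (my own code, not Yii’s CAccessControlFilter and not from the book), here is a small stand-alone evaluator over rule arrays in the same shape as accessRules(). It models only the 'actions' and 'users' keys ('*' anyone, '@' signed in, '?' guest, otherwise an exact username) and the first-match behaviour: the first rule whose conditions match decides, and no matching rule means allow. The two rule sets, the usernames and the "wrong order" layout are constructed for the demonstration.

```php
<?php
// Added example, not Yii's own filter: a first-match evaluator over
// accessRules()-shaped arrays, modelling only 'actions' and 'users'.

function ruleMatches(array $rule, $action, $username)
{
    // A rule without 'actions' applies to every action
    if (!empty($rule['actions'])) {
        $actions = array_map('strtolower', $rule['actions']);
        if (!in_array(strtolower($action), $actions, true)) {
            return false;
        }
    }
    // A rule without 'users' applies to everyone
    if (empty($rule['users'])) {
        return true;
    }
    foreach ($rule['users'] as $u) {
        if ($u === '*') return true;                       // anyone
        if ($u === '@' && $username !== null) return true; // signed in
        if ($u === '?' && $username === null) return true; // guest
        if ($username !== null && strcasecmp($u, $username) === 0) return true;
    }
    return false;
}

function isAllowed(array $rules, $action, $username)
{
    foreach ($rules as $rule) {
        if (ruleMatches($rule, $action, $username)) {
            return $rule[0] === 'allow'; // first matching rule decides
        }
    }
    return true; // no rule matched: the request is let through
}

// Constructed: 'adduser' placed BELOW the deny-all rule (never reached)...
$wrongOrder = array(
    array('allow', 'actions' => array('index', 'view'), 'users' => array('*')),
    array('allow', 'actions' => array('admin', 'delete'), 'users' => array('admin')),
    array('deny', 'users' => array('*')),
    array('allow', 'actions' => array('adduser'), 'users' => array('@')),
);
// ...and the corrected order from the reply above.
$rightOrder = array(
    array('allow', 'actions' => array('index', 'view', 'adduser'), 'users' => array('@')),
    array('allow', 'actions' => array('admin', 'delete'), 'users' => array('admin')),
    array('deny', 'users' => array('*')),
);

foreach (array('wrong order' => $wrongOrder, 'right order' => $rightOrder) as $label => $rules) {
    foreach (array('Test_User_One', null) as $who) {
        printf("%-11s %-14s adduser => %s\n", $label, $who === null ? 'guest' : $who,
            isAllowed($rules, 'adduser', $who) ? 'allow' : '403');
    }
}
```

Run it with php on the command line: with the adduser rule below deny-all, even the signed-in user gets the 403 result, which is exactly the symptom described in the opening post; with the corrected order the signed-in user is allowed and only the guest is denied.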



This is my access rule:

public function accessRules()
{
	return array(
		array('allow',  // allow signed-in users to perform 'index', 'view' and 'adduser' actions
			'actions'=>array('index','view','adduser'),
			'users'=>array('@'),
		),
		array('allow', // allow authenticated user to perform 'create' and 'update' actions
			'actions'=>array('create','update'),
			'users'=>array('@'),
		),
		array('allow', // allow admin user to perform 'admin' and 'delete' actions
			'actions'=>array('admin','delete'),
			'users'=>array('@'), // '@' here grants admin/delete to every signed-in user, not only admin
		),
		array('deny',  // deny all users
			'users'=>array('*'),
		),
	);
}

I have done some experimenting. Now all my users are able to perform the admin and delete tasks.

Good news!

So how about assigning Test_User_One as owner and Test_User_Two as member of project 1, then going back to follow the book and testing whether you can see the link Add User To Project, and if you do, whether you can access that page with Test_User_One or Test_User_Two?

Yeah, I assigned the owner role to one user and the member role to another user.

Now the member is not able to see the Add User to Role link.

But the problem is that everyone can manage the project.

How do I restrict members and readers?

Just because they don’t see the link doesn’t mean they cannot access the manage project page, so make sure you insert your check in every page, to keep a reader out of the member pages and a member out of the owner pages.

This is an example to restrict members and readers from gaining access to Add User To Project page.




public function actionAdduser($id)
{
	$project = $this->loadModel($id);

	/*
	if(!$project->isUserInRole('owner'))
	{
		throw new CHttpException(403,'Damn You!, you are not authorized to perform this action.');
	}
	*/

	if(!Yii::app()->user->checkAccess('createUser', array('project'=>$project)))
	{
		throw new CHttpException(403,"Damn You!, you are not authorized to perform this action.");
	}
...............................
...............................



In my case, this won’t work since my checkAccess() always returned FALSE, but others confirmed that it works. My commented-out code works smoothly, though.
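To make the checkAccess() discussion concrete, here is an added, self-contained PHP model I wrote of how an operation check resolves through a role → task → operation hierarchy whose role carries a business rule. It is not Yii’s CAuthManager and not the book’s code: the Project and AuthModel classes, the 'user' entry passed alongside 'project' in the params, the closure-based business rules (Yii stores them as PHP code strings) and the user/role data are all constructed for the illustration. It shows that, in this model, a user needs both the per-project role row (what $project->isUserInRole() reads) and a global assignment of the role before checkAccess('createUser', ...) can return TRUE, which is the pair of things the reply above suggests checking in the database.

```php
<?php
// Added example, not Yii's CAuthManager: a minimal role -> task -> operation
// model with business rules, driven by constructed users and one project.

class Project
{
    private $roles = array(); // username => role held in this project (constructed data)

    public function assignUser($username, $role)
    {
        $this->roles[$username] = $role;
    }

    public function isUserInRole($username, $role)
    {
        return isset($this->roles[$username]) && $this->roles[$username] === $role;
    }
}

class AuthModel
{
    private $children = array();    // item name => child item names
    private $bizRules = array();    // item name => callable(array $params): bool
    private $assignments = array(); // username => globally assigned item names

    public function addItem($name, $bizRule = null)
    {
        if (!isset($this->children[$name])) {
            $this->children[$name] = array();
        }
        if ($bizRule !== null) {
            $this->bizRules[$name] = $bizRule;
        }
    }

    public function addChild($parent, $child) { $this->children[$parent][] = $child; }
    public function assign($username, $item) { $this->assignments[$username][] = $item; }

    // TRUE when some item assigned to the user reaches $itemName and every
    // business rule on that path accepts $params.
    public function checkAccess($username, $itemName, array $params)
    {
        $assigned = isset($this->assignments[$username]) ? $this->assignments[$username] : array();
        foreach ($assigned as $item) {
            if ($this->reaches($item, $itemName, $params)) {
                return true;
            }
        }
        return false; // no assignment, or every path blocked by a business rule
    }

    private function reaches($item, $target, array $params)
    {
        if (isset($this->bizRules[$item]) && !call_user_func($this->bizRules[$item], $params)) {
            return false; // business rule rejects this project/user: path is dead
        }
        if ($item === $target) {
            return true;
        }
        foreach ($this->children[$item] as $child) {
            if ($this->reaches($child, $target, $params)) {
                return true;
            }
        }
        return false;
    }
}

// Hierarchy named in the thread: owner -> task 'user management' -> operation 'createUser'.
// The role's business rule only passes when the project handed in agrees.
$auth = new AuthModel();
$auth->addItem('createUser');
$auth->addItem('user management');
$auth->addChild('user management', 'createUser');
$auth->addItem('owner', function (array $p) {
    return isset($p['project']) && $p['project']->isUserInRole($p['user'], 'owner');
});
$auth->addItem('member', function (array $p) {
    return isset($p['project']) && $p['project']->isUserInRole($p['user'], 'member');
});
$auth->addChild('owner', 'user management');

$project = new Project();
$project->assignUser('Test_User_One', 'owner');  // per-project row
$project->assignUser('Test_User_Two', 'member');
$auth->assign('Test_User_One', 'owner');         // global assignment: without it checkAccess() is always FALSE
$auth->assign('Test_User_Two', 'member');

// Stand-in for the guard at the top of actionAdduser(): deny unless 'createUser' resolves for this project.
function guardAdduser(AuthModel $auth, $username, Project $project)
{
    $params = array('project' => $project, 'user' => $username);
    if (!$auth->checkAccess($username, 'createUser', $params)) {
        return '403 You are not authorized to perform this action.';
    }
    return 'render adduser form';
}

foreach (array('Test_User_One', 'Test_User_Two', 'Nobody') as $u) {
    printf("%-14s %s\n", $u, guardAdduser($auth, $u, $project));
}
```

Running it prints the form for Test_User_One and the 403 text for Test_User_Two (assigned, but the owner rule fails for a member) and for Nobody (no assignment at all). Commenting out the $auth->assign('Test_User_One', 'owner') line reproduces the always-FALSE result even though the project row still says owner.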

I have the same code, but it is still not working.

public function actionAdduser()
{
	$form=new ProjectUserForm;
	$project = $this->loadModel();

	if(!Yii::app()->user->checkAccess('createUser', array('project'=>$project)))
	{
		throw new CHttpException(403,'You are not authorized to perform this action.');
	}

	// collect user input data
	if(isset($_POST['ProjectUserForm']))
	{
		$form->attributes=$_POST['ProjectUserForm'];
		$form->project = $project;

		// validate user input and set a successful flash message if valid
		if($form->validate())
		{
			Yii::app()->user->setFlash('success',$form->username . " has been added to the project." );
			$form=new ProjectUserForm;
		}
	}

	// display the add user form
	$users = User::model()->findAll();
	$usernames=array();
	foreach($users as $user)
	{
		$usernames[]=$user->username;
	}
	$form->project = $project;
	$this->render('adduser',array('model'=>$form, 'usernames'=>$usernames));
}

What does your loadModel() look like? Mine is loadModel($id).

I am using Yii 1.1.6 r2877, and how about you?

I have same version.

Added loadModel($id) also. Still not working.

I’ve been following along with the book, and the problem with the admin user is that once RBAC is in place, admin and demo are disabled as part of using tbl_user instead of the hard-coded admin and demo.

At least I can’t log in as admin or demo.

I added a user manually in the DB so I can log in with that user now, the same as Test_User_One and Test_User_Two, and after fixing the link for add user I can see it now, but I’m lost on how the app knows whether these two test users or my new user are admins or not.

Try this out: add the $id to the public function actionAdduser and to loadModel.

public function actionAdduser($id)
{
	$project = $this->loadModel($id);

	if(!Yii::app()->user->checkAccess('createUser', array('project'=>$project)))

In case it helps someone.

I was using YiiBooster and created a new action, actionEditableSaver(). I was getting this error message because I hadn’t added it to:


array('allow', // allow authenticated user to perform 'create' and 'update' actions
	'actions'=>array('create','update','EditableSaver'),
	'users'=>array('@'),
),