My idea is to add a new property to accessRules, so we can customize the error message from authentication failure. That should be good to add more information to end user about the error. For example:
array('allow',
'actions'=>array('update'),
'roles' => array(post::ROLE_ADMIN),
'expression' => '!Yii::app()->controller->loadPost()->isClosed()',
'failureMessage' => 'You dont have permission to alter closed posts!'),
)
The problem is that when evaluating the access rules, it is often a problem to accurately identify which rule actually fails the access. In your example, since this is an "allow" rule, it never fails the access, so its message won't get chance to be used.
Yes, it is an 'allow' rule, but at a specific time, the role and expression is analysed. At this moment, which raises an exception if conditions are not satisfied, our customized message could be used.