Baffled by Authentication

Maybe someone can help me out here because either I’ve done something wrong or I am misunderstanding something. Hopefully someone here understands it well enough to help out.

I have 4 roles set up:

Admin

Guest - return Yii::app()->user->isGuest();

Registered User - Yii::app()->user->group==3;

Unapproved Users - Yii::app()->user->group==2;

I have a number of tasks and operations but as yet they are unassigned to any of the roles.

My controller has the following accessRules:

public function accessRules()
{
    return array(
        array('allow',  // allow users holding 'Categories.Index' to perform the 'index' action
            'actions'=>array('index'),
            'roles'=>array('Categories.Index'),
        ),
        array('allow',  // allow users holding 'Categories.View' to perform the 'view' action
            'actions'=>array('view'),
            'roles'=>array('Categories.View'),
        ),
        array('allow',  // allow users holding 'Categories.Create' to perform the 'create' action
            'actions'=>array('create'),
            'roles'=>array('Categories.Create'),
        ),
        array('allow',  // allow users holding 'Categories.Update' to perform the 'update' action
            'actions'=>array('update'),
            'roles'=>array('Categories.Update'),
        ),
        array('allow',  // allow users holding 'Categories.Admin' to perform the 'admin' action
            'actions'=>array('admin'),
            'roles'=>array('Categories.Admin'),
        ),
        array('allow',  // allow users holding 'Categories.Delete' to perform the 'delete' action
            'actions'=>array('delete'),
            'roles'=>array('Categories.Delete'),
        ),
        array('allow',  // allow users holding 'Categories.DeleteImage' to perform the 'deleteImage' action
            'actions'=>array('deleteImage'),
            'roles'=>array('Categories.DeleteImage'),
        ),
        // note: no trailing 'deny' rule here
    );
}

Now, as a guest user, since the guest role doesn’t have “Categories.Index” assigned to it, I assumed that the guest would have no access - but it does. What am I doing wrong here?

If none of the rules match, ‘allow’ is assumed by default.

Add as the last rule:

array('deny'), // deny every request that did not match any of the rules above...
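To make the fail-open behaviour concrete, here is an added example (my own, not Yii’s CAccessControlFilter and not code from this thread) that re-implements the first-match walk over accessRules() in a simplified form: only 'actions' and 'roles' are modelled, a user is represented by the list of auth items they actually hold, and the rule set and role names are constructed for the demo. It shows why a guest reaches 'index' without the trailing deny rule and is blocked once it is present.

```php
<?php
// Added example, not Yii's own implementation: a minimal model of how the
// access filter evaluates accessRules() top to bottom. Real Yii also checks
// 'users', 'ips', 'verbs' and 'expression'; only 'actions' and 'roles' are
// modelled here. $userItems stands in for the RBAC items checkAccess() would
// grant the user (a guest holds none of the 'Categories.*' items).

function isAllowed(array $rules, string $action, array $userItems): bool
{
    foreach ($rules as $rule) {
        $type    = $rule[0];                     // 'allow' or 'deny'
        $actions = $rule['actions'] ?? [];       // empty list = matches any action
        $roles   = $rule['roles']   ?? [];       // empty list = matches any user

        $actionMatches = empty($actions) || in_array($action, $actions, true);
        $roleMatches   = empty($roles)   || count(array_intersect($roles, $userItems)) > 0;

        if ($actionMatches && $roleMatches) {
            return $type === 'allow';            // the first matching rule decides
        }
    }
    // No rule matched: Yii 1.x assumes 'allow' here, which is the fail-open default
    // the question ran into.
    return true;
}

// Constructed rule set mirroring the shape of the controller above (two rules suffice).
$rules = [
    ['allow', 'actions' => ['index'],  'roles' => ['Categories.Index']],
    ['allow', 'actions' => ['delete'], 'roles' => ['Categories.Delete']],
];

$guestItems = [];   // a guest has no 'Categories.*' items assigned

// Without a catch-all deny, nothing matches the guest and the default allows the request.
var_dump(isAllowed($rules, 'index', $guestItems));            // bool(true)

// Append the trailing deny from the answer: the filter now fails closed.
$rules[] = ['deny'];
var_dump(isAllowed($rules, 'index', $guestItems));            // bool(false)

// An explicit allow earlier in the list still wins for a user who holds the item.
var_dump(isAllowed($rules, 'index', ['Categories.Index']));   // bool(true)

// The deny also covers actions that have no rule at all, e.g. 'update' for a guest.
var_dump(isAllowed($rules, 'update', $guestItems));           // bool(false)
```

The useful habit this illustrates: treat the rule list as an allow-list and always close it with array('deny'), so that any action added later (or any role assignment you forget) is refused rather than silently permitted.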
Thanks. That’s done the trick :)