AccessControl. What Am I Doing Wrong?

I have a PostsController with the following behaviors() method:

public function behaviors() {
    return [
        'access' => [
            'class' => \yii\web\AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['index', 'view'],
                    'allow' => true,
                    'roles' => ['*'],
                ],
                [
                    'actions' => ['update', 'create'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
    ];
}

The code above doesn't allow either authenticated users or guests to perform the index or view actions, but it does allow only logged-in users to create and update posts.

What did I do wrong?

Just delete this thing:

'roles' => ['*'],

NB: guests are '?' now.

If I understand correctly, the line ('roles' => ['*'],) is deprecated now? We shouldn't specify anything if we want to indicate any user?

Yes.

Notice that everything is blacklisted by default now, so if you want to allow access to some actions, list them inside the 'actions' array.

You can also use the 'except' key to exclude some actions. For example:

return [
    'access' => [
        'class' => 'yii\web\AccessControl',
        'except' => ['index', 'view'], // this is for all
        'rules' => [
            [
                'allow' => true,
                'roles' => ['@'], // all the rest is for auth users only
            ],
        ],
    ],
];

Example from the official documentation:

'only' => ['create', 'update'],
'rules' => [
    // deny all POST requests
    [
        'allow' => false,
        'verbs' => ['POST'],
    ],
    // allow authenticated users
    [
        'allow' => true,
        'roles' => ['@'],
    ],
    // everything else is denied
],

I can't understand the logic of the first rule…

Why is it necessary to deny POST requests specifically for all users? Why not set something like this:

[
    'allow' => false,
    'roles' => ['?'],
],

UPDATE: I've tested this code. It does not allow even authenticated users to perform the create and update actions. Is that correct?

Hmm, I'm not sure; maybe it's just an example, so there's no logic :)

Technically, this ruleset allows users to view the record as a form (but not to save this form).

Never seen this in real life though.

Thanks, I think I've got it!)

Thanks. Are rules inherited? As I understand it, they are.

It can be useful for isolating POST actions, which may not only be form-based, but also JavaScript or AJAX triggered. The use case for this will be implementing read-only access for specific parts of your page which trigger POST actions. For example, the Yii GridView displays a delete button for each table row which triggers a POST request (you will not be able to execute such actions by implementing the rule). But you can still display the grid content to the users.

It will allow users to trigger actions through something like GET (again, an example: this is used by the GridView for filtering records, so it will allow such actions).

The following code will disable all actions for GUESTS.

[
    'allow' => false,
    'roles' => ['?'],
],
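To make the rule evaluation discussed in this thread concrete (the "view the form but not save it" effect of the documentation ruleset, and the guest-denying rule above), here is an added example that is neither the thread's nor Yii's own code: a simplified stand-alone PHP model of how AccessControl walks its 'rules' array, run over the documentation ruleset quoted earlier. It assumes the semantics described in the replies: rules are checked in order, the first matching rule decides, no match means deny, '?' is a guest and '@' an authenticated user, and 'only'/'except' limit which actions the filter covers at all.

```php
<?php
// Added, simplified model of AccessControl rule evaluation (not the framework's code):
// first matching rule decides, no match means deny, 'only'/'except' limit the filtered actions.

/** true/false when the rule matches the request, null when it does not apply. */
function ruleDecision(array $rule, string $action, string $verb, bool $isGuest): ?bool
{
    if (isset($rule['actions']) && !in_array($action, $rule['actions'], true)) {
        return null;
    }
    $verbs = array_map('strtoupper', $rule['verbs'] ?? []);
    if ($verbs !== [] && !in_array(strtoupper($verb), $verbs, true)) {
        return null;
    }
    // '?' stands for guests, '@' for authenticated users
    if (isset($rule['roles']) && !in_array($isGuest ? '?' : '@', $rule['roles'], true)) {
        return null;
    }
    return (bool) $rule['allow'];
}

function isAllowed(array $access, string $action, string $verb, bool $isGuest): bool
{
    if ((isset($access['only']) && !in_array($action, $access['only'], true))
        || in_array($action, $access['except'] ?? [], true)) {
        return true; // the filter does not cover this action at all
    }
    foreach ($access['rules'] as $rule) {
        $decision = ruleDecision($rule, $action, $verb, $isGuest);
        if ($decision !== null) {
            return $decision;
        }
    }
    return false; // nothing matched: denied
}

// The documentation ruleset quoted earlier in the thread.
$docsAccess = [
    'only'  => ['create', 'update'],
    'rules' => [
        ['allow' => false, 'verbs' => ['POST']], // deny all POST requests
        ['allow' => true,  'roles' => ['@']],    // allow authenticated users
    ],
];
// Constructed requests: action, HTTP verb, is the user a guest?
$cases = [['create', 'GET', false], ['create', 'POST', false], ['create', 'GET', true], ['index', 'POST', true]];
foreach ($cases as [$action, $verb, $guest]) {
    printf("%-6s %-4s %-5s => %s\n", $action, $verb, $guest ? 'guest' : 'user',
        isAllowed($docsAccess, $action, $verb, $guest) ? 'allowed' : 'denied');
}
```

Run it with the php command line: the authenticated user's GET to create is allowed while the POST is denied (the behaviour reported in the UPDATE), the guest is denied both, and index is untouched because it lies outside 'only'.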