So I applied the rbac permissions on my SupplierController.php and I decided to add other permissions to resource controller
So I updated the code for the resource controller
$resourceindex = $auth->createPermission('resource/index');
$resourceindex->description = 'Index Resources';
$auth->add($resourceindex);
// add view details resource permission
$resourceview = $auth->createPermission('resource/view');
$resourceview->description = 'View Resources';
$auth->add($resourceview);
ResourceController.php
public function behaviors()
{
return [
'verbs' => [
'class' => VerbFilter::className(),
'actions' => [
'delete' => ['POST'],
],
],
'access' => [
'class' => \yii\filters\AccessControl::className(),
'only' => ['index','create','update','view'],
'rules' => [
// allow authenticated users
[
'allow' => true,
'roles' => ['@'],
'matchCallback' => function($rules, $action) {
$action = Yii::$app->controller->action->id;
$controller = Yii::$app->controller->id;
$route = "$controller/$action";
$post = Yii::$app->request->post();
if ( \Yii::$app->user->can($route) ) {
return true;
}
}
],
// everything else is denied
],
],
];
}
After configuring the ResourceController code I cannot access anymore the Resource Index and View it supposed to only prevent the "externaluser" from updating and deleting.