Revision #3 has been created by samdark on Aug 28, 2011, 1:50:42 AM with the memo:
No need to specify users for deny rule
Configuring controller access rules to default-deny
```php
array('allow', // allow authenticated users to access all actions
    'users'=>array('@')),
array('deny'), // deny all users (no 'users' needed: an unrestricted deny matches everyone)
```
These rules, when enabled with the `accessControl` token in `filters()`, are processed in order, from top to bottom, stopping at the first match. It is common practice to place a deny-all rule at the end as a catch-all, to ensure that only the intended users have access to this controller's actions.

But if no rule matches, Yii defaults to **allow**, and for many applications this is insecure and dangerous behavior. A developer not paying attention to their rules, or adding an action that none of the existing rules cover, could find unauthorized users doing unauthorized things.
[...]Ref: [Extending common classes to allow better customization](http://www.yiiframework.com/wiki/121/extending-common-classes-to-allow-better-customization/)
Our approach is to fetch the current controller's `accessRules()` (the rules are still defined in the real controller class, for its particular set of actions), append a default-deny rule to that list, and then run the filter exactly as the original `CController` code would:
[...]

```php
$rules = $this->accessRules(); // the controller's own rules, as Yii itself would fetch them
// default deny, appended so it is reached only when no rule above matched
// (a bare array('deny') would do: a deny rule with no restrictions applies to everyone)
$rules[] = array('deny', 'users'=>array('*'));
$filter = new CAccessControlFilter;
$filter->setRules($rules);
$filter->filter($filterChain);
```
A controller that really does want everything not otherwise restricted to be reachable can say so explicitly at the end of its `accessRules()`:

```php
return array(
    // other rules here
    array('allow', 'users'=>array('*')), // default allow, stated explicitly
);
```
Even those not implementing this article's technique would do well to add that explicit default-allow rule. Yii would allow by default anyway, so the rule changes nothing at run time, but anyone reading the code will **know** that allowing everything else was intended behavior rather than an oversight.
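Putting the pieces above together, here is an added example (not the article's or Yii's own code) of the default-deny base controller alongside a sample controller that relies on it. It assumes a Yii 1.1 application with a `protected/components/Controller.php` base class, as in the referenced "Extending common classes" article; `PostController`, its actions and the user name `admin` are made-up sample values.

```php
<?php
// Added example, not the article's code. Assumes Yii 1.1 and a base class
// protected/components/Controller.php that all controllers extend.
// PostController, its actions and the user name "admin" are sample values.

class Controller extends CController
{
    /**
     * Replaces CController::filterAccessControl(). It runs the same
     * CAccessControlFilter that Yii normally runs, but with a catch-all deny
     * appended to the controller's accessRules(). Rules are evaluated top to
     * bottom and stop at the first match, so the appended rule is reached only
     * when none of the controller's own rules matched: exactly the case that
     * stock Yii would silently allow.
     */
    public function filterAccessControl($filterChain)
    {
        $rules = $this->accessRules();

        // Catch-all deny. A deny rule with no 'users', 'roles', 'actions',
        // 'ips' or 'verbs' restriction matches every request, so
        // 'users'=>array('*') is not required.
        $rules[] = array(
            'deny',
            'message' => 'No access rule allows this action.',
        );

        $filter = new CAccessControlFilter;
        $filter->setRules($rules);
        $filter->filter($filterChain);
    }
}

// Sample controller (assumed name) that relies on the default-deny base class.
class PostController extends Controller
{
    public function filters()
    {
        // 'accessControl' is what makes Yii call filterAccessControl() above.
        // A controller that omits this entry gets no access checking at all,
        // default-deny included.
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            array('allow',                              // anyone may read
                'actions' => array('index', 'view'),
                'users'   => array('*'),
            ),
            array('allow',                              // logged-in users may write
                'actions' => array('create', 'update'),
                'users'   => array('@'),
            ),
            array('allow',                              // only the user "admin" may delete
                'actions' => array('delete'),
                'users'   => array('admin'),
            ),
            // No catch-all here. With plain CController an action not listed
            // above, such as actionExport() below, would be open to everyone;
            // with the base Controller it is denied until a rule names it.
        );
    }

    public function actionIndex()  { echo 'index';  }
    public function actionView()   { echo 'view';   }
    public function actionCreate() { echo 'create'; }
    public function actionUpdate() { echo 'update'; }
    public function actionDelete() { echo 'delete'; }
    public function actionExport() { echo 'export'; } // unlisted: denied by default
}
```

When the appended deny is the first rule to match, `CAccessControlFilter` calls its `accessDenied()` handler before the action runs: a guest is sent to the login page through `CWebUser::loginRequired()`, and a logged-in user gets a 403 `CHttpException` carrying the rule's `message`. Two things to verify after adopting the base class: every controller really extends `Controller` rather than `CController` directly, and every controller lists `accessControl` in `filters()`, because a controller without that filter is never checked at all.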