Access Control Filter Not Working When Beforeaction Is Implemented

So I’m trying to deny access to the signup page when a user is logged in. I tried implementing an access control rule, but it does not seem to work. Here is the code I’ve implemented:

public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),   // yii\filters\AccessControl
            'only' => ['logout', 'signup'],          // the filter applies to these actions only
            'rules' => [
                [
                    // deny signup to authenticated users ('@')
                    'actions' => ['signup'],
                    'allow' => false,
                    'roles' => ['@'],
                ],
                [
                    // allow signup for guests ('?')
                    'actions' => ['signup'],
                    'allow' => true,
                    'roles' => ['?'],
                ],
                [
                    // allow logout for authenticated users
                    'actions' => ['logout'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),      // yii\filters\VerbFilter
            'actions' => [
                'logout' => ['post'],                // logout is accepted via POST only
            ],
        ],
    ];
}

Although the link to the signup page disappears when logged in, it is still accessible if you have the link to it. What’s more, you can sign up and create a new user while you’re already logged in. This probably isn’t that big of a deal, but I am concerned about what happens in the background (session IDs, cookies, etc.). Consequently, I’d like to eliminate access to the page for logged-in users altogether. Some help would be appreciated.

Thanks.

It’s weird, the same code works on my machine. I have tested it; here is the SiteController:

public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),   // yii\filters\AccessControl
            'only' => ['logout', 'signup'],
            'rules' => [
                [
                    // deny signup to authenticated users ('@')
                    'actions' => ['signup'],
                    'allow' => false,
                    'roles' => ['@'],
                ],
                [
                    // allow signup for guests ('?')
                    'actions' => ['signup'],
                    'allow' => true,
                    'roles' => ['?'],
                ],
                [
                    // allow logout for authenticated users
                    'actions' => ['logout'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),      // yii\filters\VerbFilter
            'actions' => [
                'logout' => ['post'],
            ],
        ],
    ];
}

// minimal action used to test the filter
public function actionSignup($value = '')
{
    echo 'signup';
}

It throws one big fat 403 saying "You are not allowed to perform this action." when you are logged in, but you can access it when you are not logged in.

Interesting… it seems to be that my “beforeAction” function is hindering it. When I comment out the “beforeAction” function, it works fine. Am I implementing it wrong? I don’t want “beforeAction” to override the accesscontrol once it’s been processed. Here’s the complete code.

public function beforeAction($action)
{
    // note: this override does not call parent::beforeAction()
    if (!Yii::$app->user->isGuest) {
        // unconfirmed account (status 5): send to the confirmation page,
        // except for the confirmation-related routes themselves
        if (Yii::$app->user->identity->status == '5'
            && $this->getRoute() != 'site/confirm-email'
            && $this->getRoute() != 'site/resend-email') {
            $this->redirect(['site/confirm-email']);
            return false; // stop here so the requested action does not run after the redirect
        }
    }

    return true;
}

/**
 * @inheritdoc
 */
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),   // yii\filters\AccessControl
            'only' => ['logout', 'signup'],
            'rules' => [
                [
                    // deny signup to authenticated users ('@')
                    'actions' => ['signup'],
                    'allow' => false,
                    'roles' => ['@'],
                ],
                [
                    // allow signup for guests ('?')
                    'actions' => ['signup'],
                    'allow' => true,
                    'roles' => ['?'],
                ],
                [
                    // allow logout for authenticated users
                    'actions' => ['logout'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),      // yii\filters\VerbFilter
            'actions' => [
                'logout' => ['post'],
            ],
        ],
    ];
}

Is this a problem with my code or a problem with the framework?

To be honest, I am not developing with Yii2. You have to take it up with the core: open an issue on GitHub, and if it’s a bug they will sort it out.

Did you try to call "parent::beforeAction" in your "beforeAction()" method?

public function beforeAction($action)
{
    // let yii\base\Controller fire EVENT_BEFORE_ACTION, which is what runs the
    // AccessControl and VerbFilter behaviors; stop if one of them denies the request
    if (!parent::beforeAction($action)) {
        return false;
    }

    if (!Yii::$app->user->isGuest) {
        // unconfirmed account (status 5): send to the confirmation page,
        // except for the confirmation-related routes themselves
        if (Yii::$app->user->identity->status == '5'
            && $this->getRoute() != 'site/confirm-email'
            && $this->getRoute() != 'site/resend-email') {
            $this->redirect(['site/confirm-email']);
            return false; // stop here so the requested action does not run after the redirect
        }
    }

    return true;
}

Figured I’d update this in case others come across it. Andre, what you suggested was exactly the solution. Seems a little circular to me, but it works. Here’s the code for anyone who wants to see it.

public function beforeAction($action)
{
    // parent::beforeAction() fires EVENT_BEFORE_ACTION, which runs the filters
    // declared in behaviors() (AccessControl, VerbFilter); it returns false when
    // a filter denies the request
    if (parent::beforeAction($action)) {
        if (!Yii::$app->user->isGuest) {
            // unconfirmed account (status 5): send to the confirmation page,
            // except for the confirmation-related routes themselves
            if (Yii::$app->user->identity->status == '5'
                && $this->getRoute() != 'site/confirm-email'
                && $this->getRoute() != 'site/resend-email') {
                $this->redirect(['site/confirm-email']);
                return false; // stop here so the requested action does not run after the redirect
            }
        }
        return true;
    } else {
        return false;
    }
}
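The mechanism behind Andre’s fix, as an added stand-alone example that is not code from this thread or from the Yii2 framework: a small PHP 8 script with simplified stand-ins for yii\base\Controller and yii\filters\AccessControl (the class names BaseController, AccessControlModel, BrokenController and FixedController are assumptions) showing that the filters attached by behaviors() only run when the parent beforeAction() fires the before-action event.

```php
<?php
// Added example, not code from the thread or from Yii2: a minimal model of how an
// ActionFilter such as AccessControl is bound to the controller's before-action event,
// and why overriding beforeAction() without calling parent::beforeAction() disables it.
class ForbiddenHttpException extends Exception {}
class AccessControlModel
{
    // $guest mimics Yii::$app->user->isGuest; $denied lists actions closed to logged-in users
    public function __construct(private bool $guest, private array $denied) {}
    // mirrors ActionFilter::beforeFilter(), the handler Yii attaches to EVENT_BEFORE_ACTION
    public function beforeFilter(string $action): bool
    {
        if (!$this->guest && in_array($action, $this->denied, true)) {
            throw new ForbiddenHttpException('You are not allowed to perform this action.');
        }
        return true;
    }
}
class BaseController
{
    // handlers bound to the before-action event when the behaviors() filters attach
    public array $beforeActionHandlers = [];
    // mirrors yii\base\Controller::beforeAction(): this is the only place the filters run
    public function beforeAction(string $action): bool
    {
        foreach ($this->beforeActionHandlers as $handler) {
            if (!$handler($action)) return false;
        }
        return true;
    }
}
// the thread's first version: the override never reaches the parent, so no filter runs
class BrokenController extends BaseController
{
    public function beforeAction(string $action): bool { return true; }
}
// the accepted fix: the parent fires the filters before any custom logic runs
class FixedController extends BaseController
{
    public function beforeAction(string $action): bool { return parent::beforeAction($action); }
}
foreach ([new BrokenController(), new FixedController()] as $c) {
    // constructed scenario: a logged-in user requesting the 'signup' action
    $c->beforeActionHandlers[] = [new AccessControlModel(false, ['signup']), 'beforeFilter'];
    try {
        echo get_class($c), ': ', $c->beforeAction('signup') ? 'signup executed' : 'blocked', PHP_EOL;
    } catch (ForbiddenHttpException $e) {
        echo get_class($c), ': 403 ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it with `php` on the command line: BrokenController reports the action as executed for the logged-in user, while FixedController raises the 403 that the real AccessControl filter produces.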