Access control for admin.php

Hi,

I have the index.php file for the frontend and admin.php for backend operations. How can I prevent users from accessing admin.php? Only the administrator should have access to admin.php. Is it possible to do an expression or something in the config file, or do I have to edit all the controller files?

Thanks.

In your /protected/controllers/AdminController.php you will find a function accessRules(). Here you can set the users who can access admin; just set the same user for each action to allow:

	array('allow',
		'users'=>array('administrator'),
	),

with the following to force login:

	array('deny',  // deny all users
		'users'=>array('*'),
	),


I actually found it easier to do admin backends as a module, with the access rules set in the module's DefaultController.php. This gives an easy separation between front end and back end and I can create any number of controllers in the back end, with the default controller controlling access to all of them.

This seems like a good idea, but I wonder how you can control access to your module’s controllers from inside the default controller. Could you please post an example DefaultController.php?

So, i have done the following:

  1. Created an AdminController alongside the UserController in my module 'user'.

  2. Moved the ‘admin’, ‘create’, ‘update’, ‘delete’ actions from UserController to AdminController.

  3. Moved the views ‘admin.php’, ‘create.php’, ‘update.php’, ‘delete.php’ to modules/user/views/admin

  4. Modified access rules for AdminController that only admin has rights to access this controller.




return array(
	array('allow', // allow the administrator to perform the 'update', 'create', 'admin' and 'delete' actions
		'actions'=>array('update','create','admin','delete'),
		'expression'=>'KLevel::checkAccess($user, KLevel::ADMINISTRATOR)',
	),
	array('deny',  // deny all other users
		'users'=>array('*'),
	),
);



  5. Modified access rules for UserController



return array(
	array('allow',  // allow all users to perform the 'list' and 'show' actions
		'actions'=>array('list','show'),
		'users'=>array('*'),
	),
	array('allow', // allow authenticated users to perform the 'profile' action
		'actions'=>array('profile'),
		'users'=>array('@'),
	),
	array('deny',  // deny all other users
		'users'=>array('*'),
	),
);



  6. Now you can set e.g. the admin theme and other admin-relevant properties in AdminController::init()



public function init()
{
	Yii::app()->theme = 'themes/admin';
}
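Putting the pieces of this post and of the earlier accessRules() answer together, here is a complete module AdminController as an added example; it is not code from the thread. KLevel::checkAccess() is the poster's own helper and is kept here as an assumption, as is a User model generated by yiic crud; everything else is Yii 1.1's CController and CAccessControlFilter API. The one thing the snippets above leave implicit is that accessRules() is only read by the accessControl filter, so a controller whose filters() does not list it has no access control at all, whatever its rules say.

```php
<?php
// Added example, not code from the thread. Assumes Yii 1.1, a User model
// generated by yiic crud, and the poster's own KLevel::checkAccess() helper
// (hypothetical here: returns true when $user holds the ADMINISTRATOR level).
class AdminController extends Controller
{
    public $defaultAction = 'admin';

    public function init()
    {
        parent::init();
        Yii::app()->theme = 'themes/admin'; // backend-only theme, step 6 above
    }

    // accessRules() is only consulted by the accessControl filter. If this
    // method is missing or does not list 'accessControl', every rule below
    // is ignored and all actions are reachable by anyone.
    public function filters()
    {
        return array(
            'accessControl',
            'postOnly + delete', // a destructive action must not be triggered by a GET
        );
    }

    // Rules are checked top to bottom and the first match wins, so the
    // closing 'deny' catches every action that no 'allow' names, including
    // actions added to this controller later.
    public function accessRules()
    {
        return array(
            array('allow',
                'actions'    => array('admin', 'create', 'update', 'delete'),
                'users'      => array('@'), // logged in ...
                'expression' => 'KLevel::checkAccess($user, KLevel::ADMINISTRATOR)', // ... and an administrator
            ),
            array('deny',
                'users' => array('*'),
                // guests are sent to the login page; authenticated non-admins get HTTP 403
            ),
        );
    }

    public function actionAdmin()
    {
        $model = new User('search');
        $model->unsetAttributes();
        if (isset($_GET['User'])) {
            $model->attributes = $_GET['User'];
        }
        $this->render('admin', array('model' => $model));
    }

    public function actionDelete($id)
    {
        $model = User::model()->findByPk($id);
        if ($model === null) {
            throw new CHttpException(404, 'The requested user does not exist.');
        }
        $model->delete();
        if (!isset($_GET['ajax'])) {
            $this->redirect(array('admin'));
        }
    }
}
```

A quick check that the filter is actually wired: log out and request index.php?r=user/admin/delete&id=1 directly. A correct setup redirects to the login page; if the delete goes through, filters() is missing 'accessControl'.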



When you create a module using the Yiic shell script, another default controller is created, e.g. /protected/modules/admin/controllers/DefaultController.php

This is the file I was referring to - it controls all access to the admin module and anything within it :)

Well, the part I don’t see is that accessRules() defined inside DefaultController actually control access to other controllers inside the admin module. It would only be like this if you set DefaultController as the parent of the other admin controllers, right?

Everything inside the admin module is accessed like this:


index.php?r=admin/model/

So yes, they all inherit the access rules of the default controller.

Each model (created using Yiic CRUD) has this line:


	public $defaultAction='admin';
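The thread leaves open how a rule written in DefaultController reaches the module's other controllers. As an added example, not the poster's code, here is a module-wide gate using Yii 1.1's CWebModule::beforeControllerAction(), which the framework calls before every action of every controller routed through the module, so each backend controller is covered whether or not it extends DefaultController. The AdminModule class name (what yiic shell's module command generates) and the adminUsers property are assumptions; the property also answers the original question about doing this from the config file.

```php
<?php
// Added example, not code from the thread. Assumes Yii 1.1 and a module created
// with yiic shell (class AdminModule in protected/modules/admin/AdminModule.php).
// The usernames are hypothetical; in practice they are set from
// protected/config/main.php:
//   'modules' => array('admin' => array('adminUsers' => array('administrator'))),
class AdminModule extends CWebModule
{
    // Usernames allowed into the backend. Configurable per installation.
    public $adminUsers = array('administrator');

    public function init()
    {
        $this->setImport(array(
            'admin.models.*',
            'admin.components.*',
        ));
    }

    // CWebModule runs this before any action of any controller that lives in
    // this module (DefaultController, UserController, ...), whatever that
    // controller's own accessRules() say. Returning false aborts the action.
    public function beforeControllerAction($controller, $action)
    {
        if (!parent::beforeControllerAction($controller, $action)) {
            return false;
        }

        $user = Yii::app()->user;
        if ($user->isGuest) {
            // Redirects to loginUrl (remembering the return URL) and ends the request.
            $user->loginRequired();
            return false;
        }
        if (!$this->isAdminUser($user->name)) {
            throw new CHttpException(403, 'You are not authorized to perform this action.');
        }
        return true;
    }

    // Case-insensitive match, the same comparison CAccessRule uses for 'users'.
    public function isAdminUser($name)
    {
        foreach ($this->adminUsers as $admin) {
            if (strcasecmp($admin, $name) === 0) {
                return true;
            }
        }
        return false;
    }
}
```

Controllers inside the module can still carry their own accessRules() to narrow access further (for example, only some admins may delete); the module hook sets the floor that no controller in the backend can fall below.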