Access Control not working [Solved]

I have implemented access control for the User class and it works as expected:


 

use yii\filters\AccessControl;
use yii\web\Controller;

class UserController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'only' => ['register', 'login', 'logout', 'request-password-reset', 'reset-password', 'my-settings'],
                'rules' => [
                    [
                        'allow' => true,
                        'actions' => ['register', 'login', 'request-password-reset', 'reset-password'],
                        'roles' => ['?'],
                    ],
                    [
                        'allow' => true,
                        'actions' => ['logout', 'my-settings'],
                        'roles' => ['@'],
                    ],
                ],
            ],
        ];
    }
}



Now I am trying to implement on Profile controller, but it doesn’t work. It behaves as if there are no controls in place. I have carefully compared the two controllers and can’t see any meaningful differences. Am I missing something?




use yii\filters\AccessControl;
use yii\web\Controller;

class ProfileController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'only' => ['my-profiles', 'create', 'preview', 'activate'],
                'rules' => [
                    [
                        'allow' => true,
                        'actions' => [],
                        'roles' => ['?'],
                    ],
                    [
                        'allow' => true,
                        'actions' => ['my-profiles', 'create', 'preview', 'activate'],
                        'roles' => ['@'],
                    ],
                ],
            ],
        ];
    }
}



Hi,

From Documentation:

? = matches a guest user (not authenticated yet)

@ = matches an authenticated user

Now, if I remember correctly…

I’m pretty sure profiles should only be available for authenticated users, right?

Take a close look at your rules in your ProfileController…

See my comment.




'rules' => [
    // here you ALLOW unauthenticated users. try setting this to "false".
    // OR allow only the action which displays a specific profile
    // (if profiles should be public)
    [
        'allow' => true,
        'actions' => [],
        'roles' => ['?'],
    ],
    [
        'allow' => true,
        'actions' => ['my-profiles', 'create', 'preview', 'activate'],
        'roles' => ['@'],
    ],
],



Regards

Yes, you are right. That works. The guide states:

I take that to mean that if I pass an empty array, then no rules will be found for guest users and they will not be authorized. But, apparently not… It might be helpful to add a statement to the guide about empty arrays.

Thanks for your help!
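
The empty-array behaviour discussed in this thread, as an added example that is not part of the original posts and is not Yii's own code: a simplified PHP model of first-match rule evaluation, comparing the rules as posted with the `'allow' => false` variant suggested in the reply. It assumes an empty `actions` or `roles` list matches everything and handles only the `?` and `@` roles; the function names `ruleMatches` and `isAllowed` are hypothetical.

```php
<?php
// Simplified model of first-match access rule evaluation (assumption: this mirrors
// how an empty 'actions' or 'roles' list is treated; it is not framework code).

function ruleMatches(array $rule, string $action, bool $isGuest): bool
{
    $actions = $rule['actions'] ?? [];
    $roles = $rule['roles'] ?? [];
    // An empty list places no restriction: the rule applies to every action / user.
    $actionOk = empty($actions) || in_array($action, $actions, true);
    $roleOk = empty($roles)
        || ($isGuest && in_array('?', $roles, true))
        || (!$isGuest && in_array('@', $roles, true));
    return $actionOk && $roleOk;
}

// The first matching rule decides; if no rule matches, access is denied.
function isAllowed(array $rules, string $action, bool $isGuest): bool
{
    foreach ($rules as $rule) {
        if (ruleMatches($rule, $action, $isGuest)) {
            return $rule['allow'];
        }
    }
    return false;
}

$protected = ['my-profiles', 'create', 'preview', 'activate'];

// Rules as posted in the question: the guest rule has an empty 'actions' list.
$asPosted = [
    ['allow' => true, 'actions' => [], 'roles' => ['?']],
    ['allow' => true, 'actions' => $protected, 'roles' => ['@']],
];

// Variant from the reply: the guest rule denies instead of allows.
$corrected = [
    ['allow' => false, 'actions' => [], 'roles' => ['?']],
    ['allow' => true, 'actions' => $protected, 'roles' => ['@']],
];

foreach (['as posted' => $asPosted, 'corrected' => $corrected] as $label => $rules) {
    foreach ($protected as $action) {
        printf("%-9s  %-11s  guest=%-5s  user=%s\n", $label, $action,
            isAllowed($rules, $action, true) ? 'allow' : 'deny',
            isAllowed($rules, $action, false) ? 'allow' : 'deny');
    }
}
```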