Access rules for the module


Does anybody know how to restrict access to whole module? Cause there are many controllers and actions, and it’s so tired to configure access rules for each action in each controller.

Thank you.

This will work for independent controllers or for controllers in modules, but you could always have all of the controllers within your module extend a base controller. Then, in that base controller override the beforeAction method and put your authorization code in there. If you’d like to use role-based access control, there’s a pretty good extension called srbac that utilizes this technique.

You can implement the beforeControllerAction like that:


class AdminModule extends CWebModule


	public function init()


		// this method is called when the module is being created

		// you may place code here to customize the module or the application

		// import the module-level models and components







	 *	Check if the user has the role admin

	 * if not, displays an error message

	 * @param Ccontroller the controller 

	 * @param string the action requested

	 * @return boolean weather to proceed with process the action


	public function beforeControllerAction($controller, $action)


		if(parent::beforeControllerAction($controller, $action))



				throw new CHttpException(403,'You are not authorized to perform this action.');

			// this method is called before any module controller action is performed

			// you may place customized code here

			return true;



			return false;



Loke that you can avoid to create a parent controller

Thanks for replies!

Zaccaria your method works fine, but I need to redirect to login page if user has not an access. If I write like this:

if ( !Yii::app()->user->checkAccess('admin') ) {

	Controller::redirect(Yii::app()->request->baseUrl . Yii::app()->user->loginUrl);


then I get an endless redirect, because the login action belongs to admin module too. If I write:

if ( Yii::app()->user->isGuest && Yii::app()->request->requestUri != Yii::app()->request->baseUrl . Yii::app()->user->loginUrl ) {

	Controller::redirect(Yii::app()->request->baseUrl . Yii::app()->user->loginUrl);


it works then, but looks terrible :lol:

I wrote here Yii::app()->user->isGuest, because I don’t need rbac, cause it’s only one privileged user, but I’m not sure it is safe way too.

For being safe is safe.

If the login is in admin module, there are no other solution, your is absolutely legal and ok.

I usually leave the login page out of admin module, because the admin page is a page on wich all user are allowed to go, and only user I want are allowed to continue in the restricted area.

My advice is to put the login out of admin module and to write just

if ( Yii::app()->user->isGuest) {

        Controller::redirect(Yii::app()->request->baseUrl . Yii::app()->user->loginUrl);


Yes it’s good solution, but I thought the module must be self-sufficient and I we put our login page out of the module it makes some inconveniences in future when we will want to carry our Admin Panel to new website. In this case we also need to recreate the login page view and the controller file for one, in addition also the model if we wanna use RBAC later. How do you solve these little troubles?

Guys, does anybody use the Uploadify in the module? I have a strange problem. If the data is sending via uploadify ( $_FILES array ) then Yii::app()->user->isGuest is true.