AccessControl filter on parent and child controllers

GSTAR1 · October 6, 2019, 10:42am

Hi, I am trying to restrict access to specific actions in my controllers using the AccessControl filter. I have a parent controller class which contains the logic for ensuring only authenticated users can access the controllers. Then in my child controller classes I have the logic to check whether the user is allowed to access specific actions. There is simply an integer field in the user’s table which specifies their access level.

BaseController:

class BaseController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
                'denyCallback' => function($rule, $action) {
                    return Yii::$app->user->loginRequired();
                },
            ],
            'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    'delete' => ['POST'],
                ],
            ],
        ];
    }
}

CmsController:

class CmsController extends BaseController
{
    public function behaviors()
    {
        return ArrayHelper::merge(parent::behaviors(), [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'allow' => true,
                        'actions' => ['create', 'delete'],
                        'roles' => ['@'],
                        'matchCallback' => function($rule, $action) {
                            return Yii::$app->user->identity->access_level == 1;
                        },
                    ],
                    [
                        'allow' => true,
                        'actions' => ['index', 'view', 'update'],
                        'roles' => ['@'],
                        'matchCallback' => function($rule, $action) {
                            return Yii::$app->user->identity->access_level <= 3;
                        },
                    ],
                ],
            ],
        ]);
    }
}

However I found that this doesn’t work correctly, for example a user with access_level <= 3 can still access the create and delete actions.

Anybody know what is wrong with this code?

demonking · October 6, 2019, 4:06pm

It’s the correct behaviour.
See this line

github.com

yiisoft/yii2/blob/master/framework/filters/AccessRule.php#L167


public $denyCallback;




/**
 * Checks whether the Web user is allowed to perform the specified action.
 * @param Action $action the action to be performed
 * @param User|false $user the user object or `false` in case of detached User component
 * @param Request $request
 * @return bool|null `true` if the user is allowed, `false` if the user is denied, `null` if the rule does not apply to the user
 */
public function allows($action, $user, $request)
{
    if ($this->matchAction($action)
        && $this->matchRole($user)
        && $this->matchIP($request->getUserIP())
        && $this->matchVerb($request->getMethod())
        && $this->matchController($action->controller)
        && $this->matchCustom($action)
    ) {
        return $this->allow ? true : false;
    }

matchCallback function:

github.com

yiisoft/yii2/blob/master/framework/filters/AccessRule.php#L296


     */
    protected function matchVerb($verb)
    {
        return empty($this->verbs) || in_array(strtoupper($verb), array_map('strtoupper', $this->verbs), true);
    }


    /**
     * @param Action $action the action to be performed
     * @return bool whether the rule should be applied
     */
    protected function matchCustom($action)
    {
        return empty($this->matchCallback) || call_user_func($this->matchCallback, $this, $action);
    }
}

matchCustom will return true, because your “matchCallback” is not empty and your condition
would be true for all user with access_level <= 3.

Then the last check from the “if”

 return $this->allow ? true : false;

that’s also true, so the user is allowed to call this actions

Solution would be, to set “allow” to false, then user with <=3 not allowed to call this action

GSTAR1 · October 7, 2019, 7:33pm

@demonking thanks but that did not work. Setting allow to false did not make any difference.

Interestingly my code works as expected if I replace ArrayHelper::merge with array_merge - so this must be something to do with the ArrayHelper::merge function.