AccessControll rules misunderstanding

camohub · May 20, 2021, 2:18pm

I have controller where I want to deny access for only one method for not logged users. All other methods can be allowed for everyone. But my code allows access for everyone but not for logged in users.

public function behaviors()
{
    return [
	'access' => [
		'class' => AccessControl::className(),
		'rules' => [
			[
				'allow' => true,
				'roles' => ['?'],
			],
			[
				'actions' => ['subscribe'],
				'allow' => true,
				'roles' => ['@'],
			],
		],
	],
	'verbs' => [
		'class' => VerbFilter::className(),
		'actions' => [
			'subscribe' => ['post'],
		],
	],
     ];

}

Why logged in users can not access any method? I though that the first rule defines access for everyone [?] and the second for logged in [@] and only for action [subscribe]. What is wrong with that?
Thanks.

tri · May 20, 2021, 2:24pm

Wrong order (IIRC)

camohub · May 20, 2021, 2:35pm

Dont understand. Which order is wrong?

tri · May 20, 2021, 3:37pm

(Not the order)

To me it looks like you allow all actions to guest users, but only allow ‘subscribe’ to authenticated users.

" ACF performs the authorization check by examining the access rules one by one from top to bottom until it finds a rule that matches the current execution context. The allow value of the matching rule will then be used to judge if the user is authorized or not. If none of the rules matches, it means the user is NOT authorized, and ACF will stop further action execution."

https://www.yiiframework.com/doc/guide/2.0/en/security-authorization#access-control-filter

Note this in particular:
" In the code above ACF is attached to the site controller as a behavior. This is the typical way of using an action filter. The only option specifies that the ACF should only be applied to the login, logout and signup actions. All other actions in the site controller are not subject to the access control."

camohub · May 20, 2021, 4:00pm

Yes I resolved it the way I used only option.