ACF allows restricted actions if action names contain typos

I have issues with the ACF ‘only’ option because if an action name is incorrect, the action is allowed.

I have actionTesta, actionTestb

use yii\filters\AccessControl;
use yii\web\Controller;

class SiteController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                // 'testbb' is the typo: actionTestb is therefore not covered by the filter
                'only' => ['testa', 'testbb'],
                'rules' => [
                    [
                        'allow' => true,
                        'actions' => ['testa'],
                        'roles' => ['?'],
                    ],
                    [
                        'allow' => true,
                        'actions' => ['testbb'],
                        'roles' => ['@'],
                    ],
                ],
            ],
        ];
    }

    public function actionTesta() { /* ... */ }

    public function actionTestb() { /* ... */ }
}


Because I accidentally typed the wrong action name, actionTestb is now accessible to all users. Is there a way to fix this issue?

You could think of it as a firewall (as it should be configured), where every action is denied and you have to write only what is allowed.

The only way to fix that is to avoid using "only".

The issue is that Yii2 allows actions if they are not in the ‘only’ option.

SamDark recommends not using the ‘only’ option. When do I use ‘only’, given that it does not work as I think it should? (e.g. deny all actions, allow the actions in ‘only’ and pass them through the rules)

The ‘only’ option is not an issue, it is a setting: by using the ‘only’ option you are enabling the access filter only on those actions or conditions.

This is a programmer "error".

I got your point. But do you think it is better not to use ‘only’?

Because your rules still work and actions not in rules are automatically denied.

It depends. :)

I would use the ‘only’ option if I’m applying conditions to some actions of a generally public area, but in a restricted area I don’t like to use ‘only’.
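As an added example (not code from this thread or from the Yii project itself), here is the poster's controller rewritten the way the replies suggest: no `only`, so the filter covers every action and anything that matches no rule is denied by default, plus a small guard that makes a typo such as `testbb` fail with an exception at configuration time instead of silently leaving an action unprotected. `AccessControl`, `Inflector::id2camel()`, `InvalidConfigException` and `ForbiddenHttpException` are real Yii2 classes; the `app\controllers` namespace, the `assertActionsExist()` helper and the `denyCallback` body are my own assumptions.

```php
<?php
// Added example, not code from the original thread. Assumes the OP's
// SiteController with actionTesta() and actionTestb(); namespace, the
// assertActionsExist() helper and the denyCallback body are assumptions.
namespace app\controllers;

use Yii;
use yii\base\InvalidConfigException;
use yii\filters\AccessControl;
use yii\helpers\Inflector;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;

class SiteController extends Controller
{
    public function behaviors()
    {
        $rules = [
            ['allow' => true, 'actions' => ['testa'], 'roles' => ['?']],
            ['allow' => true, 'actions' => ['testb'], 'roles' => ['@']],
        ];

        // Fail loudly: every action id named in a rule must resolve to a real
        // action of this controller, otherwise a typo silently protects nothing.
        $this->assertActionsExist(array_merge(...array_column($rules, 'actions')));

        return [
            'access' => [
                'class' => AccessControl::className(),
                // No 'only': the filter applies to all actions of the controller,
                // so an action that matches no rule below is denied.
                'rules' => $rules,
                'denyCallback' => function ($rule, $action) {
                    // Record the denial so repeated attempts show up in the logs.
                    Yii::warning('Access denied to ' . $action->getUniqueId(), __METHOD__);
                    throw new ForbiddenHttpException('You are not allowed to perform this action.');
                },
            ],
        ];
    }

    /**
     * Throws InvalidConfigException if any of the given action ids does not
     * correspond to an inline action method (actionXxx) or to a standalone
     * action declared in actions().
     */
    protected function assertActionsExist(array $ids)
    {
        $standalone = $this->actions();
        foreach ($ids as $id) {
            $method = 'action' . Inflector::id2camel($id);
            if (!isset($standalone[$id]) && !method_exists($this, $method)) {
                throw new InvalidConfigException(
                    "Access rule references unknown action '$id' in " . get_class($this)
                );
            }
        }
    }

    public function actionTesta()
    {
        return 'public';
    }

    public function actionTestb()
    {
        return 'authenticated users only';
    }
}
```

With this in place, the original typo (`'actions' => ['testbb']`) throws an `InvalidConfigException` on the first request to the controller rather than exposing `actionTestb`. If you prefer not to pay for the check on every request, the same `assertActionsExist()` logic can be run once from a unit test over each controller's `behaviors()` configuration.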