I’m trying to create an API which allows authenticated users and guests (with some conditions).
The behaviors function is defined as follows (pseudocode):
    function behaviors() {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        // '?' matches guest (unauthenticated) users
                        'allow' => true,
                        'roles' => ['?'],
                        'matchCallback' => function($rule, $action) {
                            return someCondition();
                        },
                    ],
                    [
                        // '@' matches authenticated users
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
            ],
            'auth' => [
                'class' => CompositeAuth::className(),
                'authMethods' => [
                    HttpBasicAuth::className(),
                    SSOAuth::className(), // customized auth to check SSO login
                ],
            ],
        ];
    }
If there’s just the ‘access’ in the behaviors function, it works as intended. But when ‘auth’ is added to behaviors, it returns 401.
What should be the correct way to allow Guest access?