authentication for whole system

I am a newbie to Yii. I am currently developing a web application where users must login first in order to use our system. how can we guard this line so that whenever users are not loggedin or logout, they will be redirected to the login page?

thanks in advance

Please start with reading the Guide and in particular the Authentication and Authorization section. It contains everything you need to work out the answer.

Yea, thanks, I forgot to mention that I have read 90% of tutorials available on this site.

What’s the 10% you haven’t read?

you are kidding, right?

ok, may be let me say that I know how to guard for each controller because they have access rule. but I just don’t know how to guard for the whole system in one shot.

we woudn’t do it in all controllers right?

If you want to restrict authenticated/guest users from controller actions, you can do this by implementing the access control filter and specifying rules using the accessRules method of the controller.

You should not be implementing this as a system wide thing but on a per controller basis.

you mean "You should not be implementing this as a system wide thing but on a per controller basis."

I was thinking, if all controller extends from controller which extends Ccontroller, would that be possible to do anything in the Controller class, instead of doing the same in all its sub controllers.

sorry, that makes no sense to me. what do you mean exactly?

all controllers we create extend from the Controller class, which locates in the protected/component/Controller.php right?

what I mean is that instead of applying rules to sub controllers, like if user is not logged in,then redirect user to login page. why not just apply it to the parent Controller class. this way, we don’t need to do the same logic for sub controllers. hope this is clear…

first I agree with wk

please try to read tutorial on yii_guide. it provides rich tutorial to understand Newbie.

and bingjie2680 is talking about extend controller in which specifying all access rules ;)

@bingjie2680 ,

why you want to give whole system access to single controller though there are many controllers ,

we use controller per module so we give access to each controller.

what you want to do is totally wronge

means it not follow MVC architecture that everything divided in module.

ok, I will try that. thanks for the all replies.

This extension may help you. There are also other extensions on authorization.

Not at all. If I unserand bingjie2680 correctly, he wants to implement a basic level of access controll in the parent class of every controller and this is perfectly fine:

class Controller extends CController


  public function accessRules () {

    return array(

      array('allow', 'controllers' => array('site')),


            'users' => array('@')),

      array('allow', 'roles' => array('admin')),

      array('deny', 'users' => array('?')),




If you need to restrict access to a particular controller based on some other criteria like role just implement the accessRules() in the child class

class AlumniController extends Controller {


  public function accessRules () {

    return array(


              'roles' => array('alumni')






Works perfectly because having the role ‘alumni’ implies beeing a logged-in user.

I personally would not put any access rules in a parent controller because as soon as I want to introduce something as basic as a role, biz rule or some other item, then I have to start calling the parent method, merging arrays etc. and it just looks ugly. I also try not to rely on parent controllers either as to limit decoupling/dependency of classes throughout my applications.

You may also not want authentication for a particular action e.g. site/login site/password-reset and so on, so again, I’d have to start over writing access rules of the parent controller.

My advice is to try it, see if it works for you.

Extend CWebApplication or(CWebModule) and implemtent its


See how gii is implemented.