When authorization fails, i.e., the user is not allowed to perform the specified action, one of the following two scenarios may happen:
If the user is not logged in and if the loginUrl property of the user component is configured to be the URL of the login page, the browser will be redirected to that page. Note that by default, loginUrl points to the site/login page.
Otherwise an HTTP exception will be displayed with error code 403.
Is it possible to get it to display an error message of my choice? Or rather different error messages for different "return falses"?
I reproduced the behavior and after some investigating figured out what was happening.
If the user isn’t logged in, i.e. it’s a guest user, then instead of throwing an exception with the user-defined message, Yii tries to redirect the user to the login page:
    protected function accessDenied($user,$message)
    {
        if($user->getIsGuest())
            $user->loginRequired();
        else
            throw new CHttpException(403,$message);
    }
This method belongs to the CAccessControlFilter class. $message in this code snippet is the user-defined message, i.e. the message you want to show. As you can see, the loginRequired() method gets called, which redirects the user to the login page and doesn’t carry your message.
EDIT
I think the only possible solution is to subclass CAccessControlFilter and override the accessDenied() method. Also, you have to subclass CController and edit the filterAccessControl method to use your new class instead of CAccessControlFilter.
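The subclassing approach from the answer above, as an added example that is not part of the original post or Yii's own code. It assumes Yii 1.1; the class names, file paths and the flash key `accessDenied` are hypothetical. A guest keeps the rule's message as a flash message across the login redirect, and each deny rule carries its own `message`.

```php
<?php
// Added example for Yii 1.1. Class names, paths and the flash key are
// hypothetical; in a real app each class lives in its own file.

// protected/components/MessageAccessControlFilter.php
class MessageAccessControlFilter extends CAccessControlFilter
{
    // Same allow/deny decision as the parent. The only change: a guest's
    // denial message survives the redirect as a session flash message.
    protected function accessDenied($user, $message)
    {
        if ($user->getIsGuest()) {
            $user->setFlash('accessDenied', $message);
            $user->loginRequired(); // redirects to loginUrl, or throws 403 if unset
        } else {
            throw new CHttpException(403, $message);
        }
    }
}

// protected/components/Controller.php
class Controller extends CController
{
    // Mirrors CController::filterAccessControl() with the subclass swapped in.
    public function filterAccessControl($filterChain)
    {
        $filter = new MessageAccessControlFilter;
        $filter->setRules($this->accessRules());
        $filter->filter($filterChain);
    }
}

// protected/controllers/PostController.php
class PostController extends Controller
{
    public function filters() { return array('accessControl'); }

    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('update'), 'users' => array('@')),
            array('deny', 'actions' => array('update'), 'users' => array('*'),
                  'message' => 'Please log in to edit posts.'),
            array('deny', 'actions' => array('delete'), 'users' => array('*'),
                  'message' => 'Deleting posts is disabled.'),
        );
    }
}

// In the login view, HTML-encode the message on output:
// if (Yii::app()->user->hasFlash('accessDenied'))
//     echo CHtml::encode(Yii::app()->user->getFlash('accessDenied'));
```

Keep the denial messages generic enough that they do not confirm to an unauthenticated visitor which records or actions exist.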