In my website I have RBAC implemented; in my controllers I use something like this:
use Yii;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;

public function behaviors()
{
    return [
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'delete' => ['post'],
            ],
        ],
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['index', 'view', 'create', 'update', 'delete'],
                    'allow' => true,
                    // only users holding the 'adminApp' RBAC permission pass
                    'matchCallback' => function ($rule, $action) {
                        return Yii::$app->user->can('adminApp');
                    },
                ],
            ],
            // called when no rule allowed the action; the action itself is not run
            'denyCallback' => function ($rule, $action) {
                if (Yii::$app->user->isGuest) {
                    $this->redirect(['/login']);
                } else {
                    $this->redirect([
                        '/site/restrito',
                        'name' => Yii::t('app', 'Access denied'),
                        'message' => Yii::t('app', 'You have no permission to access this page'),
                        'url' => Yii::$app->urlManagerFrontend->createAbsoluteUrl(['/']), // frontend url
                    ]);
                }
            },
        ],
    ];
}
And it works great, but now I have added an extension to create a file manager. The problem is that the actions in the controllers of this extension are accessible to everyone. What is the best approach to prevent non-admin users from accessing this extension?
In this case I'm talking about a file manager extension, but this is similar for every extension.
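As an added example (not part of the question above, and not code from any file manager extension), the same AccessControl filter can be attached to the extension's module from the application config instead of from each controller, so every controller the module registers is checked without editing vendor code. The module id `filemanager`, the module class name and the `'/site/restrito'` route are assumptions here; `adminApp` is the permission name used in the question.

```php
<?php
// Added example: restrict a whole third-party module with AccessControl via config.
// Assumptions: module id 'filemanager' and class 'vendor\filemanager\Module' are
// hypothetical placeholders; the permission 'adminApp' comes from the question.

use yii\filters\AccessControl;

return [
    'id' => 'backend',
    // ...
    'modules' => [
        'filemanager' => [
            'class' => 'vendor\filemanager\Module', // hypothetical extension module class

            // A config key prefixed with "as " attaches a behavior to the component
            // (yii\base\Component::__set). An ActionFilter attached to a module runs
            // before every action of every controller inside that module.
            'as access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'allow' => true,
                        // Any role name other than '?' or '@' is checked with
                        // Yii::$app->user->can(), so this is the RBAC permission check.
                        'roles' => ['adminApp'],
                    ],
                ],
                // No controller instance is bound to a closure defined in a config
                // file, so redirect through the response component instead of $this.
                // AccessControl returns false after this callback, so the action is
                // never executed; the application sends the redirect response.
                'denyCallback' => function ($rule, $action) {
                    $app = Yii::$app;
                    if ($app->user->isGuest) {
                        $app->response->redirect(['/login']);
                        return;
                    }
                    $app->response->redirect([
                        '/site/restrito',
                        'name' => Yii::t('app', 'Access denied'),
                        'message' => Yii::t('app', 'You have no permission to access this page'),
                    ]);
                },
            ],
        ],
    ],
];
```

The same `'as access' => [...]` block placed at the top level of the application config attaches the filter to the application itself and therefore guards every controller, including those of extensions that register plain controllers rather than a module; in that case add a rule allowing the login and error actions first, otherwise guests are redirected in a loop.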