Controller Allows Access Even If It's Not Included In The accessRules?

I’m still new to this framework and MVC, so I may be doing something very stupid without realizing it.

I made a controller “userPanel”. It doesn’t have a model, since at the moment it doesn’t really need one. It just uses other models. In this case, only logged-in users that are ALSO registered as “clients” in my database may access the controller actions. I already have that part working, but for the moment, it doesn’t matter how I check this.

I have a Controller class which processes all access rules, extending from CController. All of my controllers extend from Controller and don’t have access rules of their own.

The problem is that it doesn’t matter what access rules I have in my Controller class, userPanel ALWAYS allows access to any user. Kinda like how the site controller works, where every user can access its actions even if it’s not explicitly stated in the accessRules.

This is its accessRules method:

public function accessRules()
{
    $access=array(
        array(
            'allow',
            'controllers'=>array("poll"),
            'actions'=>array("publicpoll"), // Every user can answer a poll, even anonymous
            'users'=>array('*')
        ),
        array( // User's public registration
            'allow',
            'controllers'=>array("user"),
            'actions'=>array("register", 'captcha', 'complete'),
            'users'=>array('*')
        )
    );

    // If the user is logged in, add permissions
    if (!Yii::app()->user->isGuest){
        // If the user is a client, open access to the user panel and its features.
        if(isset(Yii::app()->user->isClient)){
            if (Yii::app()->user->isClient){
                $access[]=array(
                    'allow',
                    'controllers'=>array("userPanel"),
                    'users'=>array(Yii::app()->user->name)
                );
            }
        }

        $command=Yii::app()->db->createCommand()->setText("
            SELECT name, controller, action
            FROM authitem
            WHERE controller IS NOT NULL AND action IS NOT NULL
            ORDER BY controller, action, name;
        ");

        $authItemsReader=$command->query();

        while ($row=$authItemsReader->read()){
            $access[]=array(
                'allow',
                'controllers'=>array($row["controller"]),
                'actions'=>array($row["action"]),
                'roles'=>array($row["name"])
            );
        }
    }

    // deny all users that didn't have any permissions
    $access[]=array(
        'deny',
        'users'=>array('*')
    );
    return $access;
}

It still needs some optimization, like changing that database query to UserIdentity and saving it in session, but that’s not one of my worries at the moment. But anyway, even if I remove every access rule in there, and leave only the deny rule, userPanel still lets users run its actions, while the other controllers act accordingly and deny permission since they are no longer included in any allow access rule. I’m at a loss.

This is my UserPanel controller:


class UserPanelController extends Controller
{
    public $layout='//layouts/column1';

    public function actionIndex()
    {
        $this->render('index');
    }

    /**
     * Displays all of the active templates of the Ivizu module
     */
    public function actionIvizuTempl()
    {
        Yii::app()->getModule('ivizu');
        $dataProvider=new CActiveDataProvider('Template', array(
            'criteria'=>array(
                'condition'=>'status=1' // Only the active templates.
            )
        ));
        $this->render('ivizuTempl',array(
            'dataProvider'=>$dataProvider,
        ));
    }

    /**
     * Displays a specific Ivizu template for the user to see.
     */
    public function actionTemplate($id){
        Yii::app()->getModule('ivizu');
        $templateModel=Template::model()->findByPk($id);
        <A LOT OF CODE>
        $html=$templateDOM->saveHTML();
        echo $html;
    }

    // ... some more random method with nothing to do with accessRules
    public static function arrangeTagValue($tags, $attribute, $urlAdd){
        ....
    }
}

What am I doing wrong? (Besides the obvious refactoring that needs to be done here and there :P)

Where are your access rules set? Which file? Can you paste that file too? If you want all your controllers to inherit everything from a controller, then you should probably create another controller that extends "Controller" and have all your controllers extend the new one.

Like:


class MasterController extends Controller{

    public function accessRules()
    {
        return array(
            array(
                'allow',
                'controllers'=>array("poll"),
                'actions'=>array("publicpoll"), // Every user can answer a poll, even anonymous
                'users'=>array('*')
            ),
            array( // User's public registration
                'allow',
                'controllers'=>array("user"),
                'actions'=>array("register", 'captcha', 'complete'),
                'users'=>array('*')
            )
        );
    }

    // any other code you want all your controllers to inherit
}

class UserPanelController extends MasterController{
    ...
}



make sense?

Yeah, like I said, all of my controllers extend from Controller. Controller is the one with the access rules, and the ones that extend it don’t have any of their own.

It’s like this.

CController -> Controller (this one was created by default in my components folder) -> all of my controllers (including userPanel).

And the accessRules method I posted is in my Controller class.

All of my controllers are like this:


class UserController extends Controller

class UserPanelController extends Controller

class PollController extends Controller

Etc., you get the idea.

And Controller extends the Yii base class CController:


/**
 * Controller is the customized base controller class.
 * All controller classes for this application should extend from this base class.
 */
class Controller extends CController

Containing the posted access rules:


    /**
     * Specifies the access control rules.
     * This method is used by the 'accessControl' filter.
     * @return array access control rules
     */
    public function accessRules()
    {
        // that code from before
    }
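Added example, not code from any of the posts above: in Yii 1.1, accessRules() is consulted only by the accessControl filter, which a controller has to return from filters(), so a controller that never declares that filter does not evaluate its rules at all. The base controller below declares the filter once so every subclass inherits it, and ends with a deny-all rule so anything not explicitly allowed fails closed; the isClient flag on the user component is assumed from the poster's code.

```php
<?php
// Added example, not code from this thread: a base controller that declares
// the accessControl filter once, so every subclass inherits the rules, and
// ends with a deny-all so unmatched requests fail closed. Assumes Yii 1.1 and
// a user component with an isClient flag, as in the poster's code.
class Controller extends CController
{
    // accessRules() is consulted only by the accessControl filter. A controller
    // whose filters() does not list it never evaluates its rules at all.
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        return array(
            array('allow',
                'controllers'=>array('poll'),
                'actions'=>array('publicpoll'),
                'users'=>array('*'),
            ),
            array('allow',
                'controllers'=>array('user'),
                'actions'=>array('register', 'captcha', 'complete'),
                'users'=>array('*'),
            ),
            // Logged-in clients only: '@' means authenticated, and the
            // expression is re-evaluated on every request.
            array('allow',
                'controllers'=>array('userPanel'),
                'users'=>array('@'),
                'expression'=>'!empty(Yii::app()->user->isClient)',
            ),
            // Everything not explicitly allowed above is denied.
            array('deny', 'users'=>array('*')),
        );
    }
}

// Subclasses inherit both methods. A subclass that overrides filters() and
// drops 'accessControl' silently turns the rules off for itself again.
class UserPanelController extends Controller
{
    public function actionIndex()
    {
        $this->render('index');
    }
}
```

A quick check on any controller that behaves like the site controller here is to inspect what its filters() actually returns at runtime, since inherited rules only apply where that filter is present.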