I’m still new to this framework and MVC, so I may be doing something very stupid without realizing it.
I made a controller “userPanel”. It doesn’t have a model, since at the moment it doesn’t really need one. It just uses other models. In this case, only logged-in users that are ALSO registered as “clients” in my database may access the controller actions. I already have that part working, but for the moment, it doesn’t matter how I check this.
I have a Controller class which processes all access rules, extending from CController. All of my controllers extend from Controller and don’t have access rules of their own.
The problem is that it doesn’t matter what access rules I have in my Controller class, userPanel ALWAYS allows access to any user. Kinda like how the site controller works, where every user can access its actions even if it’s not explicitly stated in the accessRules.
This is its accessRules method:
    public function accessRules()
    {
        $access=array(
            array(
                'allow',
                'controllers'=>array("poll"),
                'actions'=>array("publicpoll"), // Every user can answer a poll, even anonymous
                'users'=>array('*')
            ),
            array( // User's public registration
                'allow',
                'controllers'=>array("user"),
                'actions'=>array("register", 'captcha', 'complete'),
                'users'=>array('*')
            )
        );

        // If the user is logged in, add permissions
        if (!Yii::app()->user->isGuest){
            // If the user is a client, open access to the user panel and its features.
            if(isset(Yii::app()->user->isClient)){
                if (Yii::app()->user->isClient){
                    $access[]=array(
                        'allow',
                        'controllers'=>array("userPanel"),
                        'users'=>array(Yii::app()->user->name)
                    );
                }
            }

            $command=Yii::app()->db->createCommand()->setText("
                SELECT name, controller, action
                FROM authitem
                WHERE controller IS NOT NULL AND action IS NOT NULL
                ORDER BY controller, action, name;
            ");
            $authItemsReader=$command->query();
            while ($row=$authItemsReader->read()){
                $access[]=array(
                    'allow',
                    'controllers'=>array($row["controller"]),
                    'actions'=>array($row["action"]),
                    'roles'=>array($row["name"])
                );
            }
        }

        // deny all users that didn't have any permissions
        $access[]=array(
            'deny',
            'users'=>array('*')
        );
        return $access;
    }
It still needs some optimization, like changing that database query to UserIdentity and saving it in session, but that’s not one of my worries at the moment. But anyway, even if I remove every access rule in there, and leave only the deny rule, userPanel still lets users run its actions, while the other controllers act accordingly and deny permission since they are no longer included in any allow access rule. I’m at a loss.
This is my UserPanel controller:
    class UserPanelController extends Controller
    {
        public $layout='//layouts/column1';

        public function actionIndex()
        {
            $this->render('index');
        }

        /**
         * Displays all of the active templates of the Ivizu module
         */
        public function actionIvizuTempl()
        {
            Yii::app()->getModule('ivizu');
            $dataProvider=new CActiveDataProvider('Template', array(
                'criteria'=>array(
                    'condition'=>'status=1' // Only the active templates.
                )
            ));
            $this->render('ivizuTempl',array(
                'dataProvider'=>$dataProvider,
            ));
        }

        /**
         * Displays a specific Ivizu template for the user to see.
         */
        public function actionTemplate($id){
            Yii::app()->getModule('ivizu');
            $templateModel=Template::model()->findByPk($id);
            <A LOT OF CODE>
            $html=$templateDOM->saveHTML();
            echo $html;
        }

        // ... some more random methods with nothing to do with accessRules
        public static function arrangeTagValue($tags, $attribute, $urlAdd){
            ....
        }
    }
What am I doing wrong? (Besides the obvious refactoring that needs to be done here and there.)
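For comparison, here is a minimal Yii 1.1 base controller that wires the access-control filter and applies the same deny-by-default rule set. This is an added example, not code from the question; it assumes, as the question does, that the application's UserIdentity sets `Yii::app()->user->isClient`.

```php
<?php
// Added example: minimal Yii 1.1 base controller with deny-by-default access control.
// Assumes the application's UserIdentity sets Yii::app()->user->isClient (as in the question).
class Controller extends CController
{
    // accessRules() is only consulted when the accessControl filter is declared here.
    // A base class that omits this method leaves every action open, whatever the rules say.
    public function filters()
    {
        return array('accessControl');
    }

    public function accessRules()
    {
        $access = array(
            // Public endpoints: anyone, including guests, may answer a public poll or register.
            array('allow',
                'controllers' => array('poll'),
                'actions'     => array('publicpoll'),
                'users'       => array('*'),
            ),
            array('allow',
                'controllers' => array('user'),
                'actions'     => array('register', 'captcha', 'complete'),
                'users'       => array('*'),
            ),
        );

        // Authenticated clients may use the whole userPanel controller.
        $user = Yii::app()->user;
        if (!$user->isGuest && !empty($user->isClient)) {
            $access[] = array('allow',
                'controllers' => array('userPanel'),
                'users'       => array('@'),   // '@' = any authenticated user; the isClient check above narrows it
            );
        }

        // Last rule: deny everything not explicitly allowed above.
        $access[] = array('deny', 'users' => array('*'));
        return $access;
    }
}
```

Rules are evaluated in order and the first matching rule wins, so the deny rule must remain the last entry.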