Hi guys,
the following code should prevent unauthorized access in my application:
public function behaviors() {
    return [
        'access' => [
            'class' => AccessControl::className(),
            'only' => ['logout', 'signup'],
            'rules' => [
                [
                    'actions' => ['signup'],
                    'allow' => true,
                    'roles' => ['?'],
                ],
                [
                    'actions' => ['logout'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'logout' => ['post'],
            ],
        ],
    ];
}
public function actionLogin() {
    $this->layout = "main-login";
    if (!Yii::$app->user->isGuest) {
        /* Although the page is in the same directory, render() does not work.
           Instead, redirect() is used to call the dashboard.
        return $this->render('redirect'); // obsolete */
        return $this->redirect(["/site/index"]);
    }
    $model = new LoginForm();
    if ($model->load(Yii::$app->request->post()) && $model->login()) {
        return $this->goBack();
    } else {
        return $this->render('login', ['model' => $model]);
    }
}
The following URL manager will be configured in config:
'urlManager' => [
    'enablePrettyUrl' => true,
    'showScriptName' => true,
    'enableStrictParsing' => false,
    'class' => 'yii\web\UrlManager',
    'rules' => [
        '/' => 'site/login',
        'home' => 'site/index',
        'reset' => 'site/request-password-reset',
        'about' => 'site/about',
        'kontakt' => 'site/contact',
        ...
How do I prevent unauthorized access via the following URL in the browser:
http://localhost/perswitch_dev/frontend/web/index.php/kontakt
This URL should only be browsable if the user has logged in! At the moment, the web server serves the request regardless of whether the user is logged in or not. So a user can see the contact form without having logged in before. That's nonsense, of course. How do I prevent rendering any page except the login form if the user types the URL manually?
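One way to close this gap, as an added example that is not the poster's code: the `'only' => ['logout', 'signup']` line restricts AccessControl to those two actions, so `contact` and every other action are never checked. Dropping `only` and adding a catch-all rule for authenticated users makes the filter cover the whole controller; the action names other than those shown in the post (`error`) are assumptions.

```php
<?php
// Added example, not the original poster's code.
namespace frontend\controllers;

use Yii;
use yii\web\Controller;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;

class SiteController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                // No 'only' => [...]: the filter now runs for every action.
                'rules' => [
                    [
                        // Pages a visitor needs before logging in.
                        // 'error' is assumed to exist; it is listed for both
                        // '?' (guest) and '@' (authenticated) so error pages
                        // still render for logged-in users.
                        'actions' => ['login', 'request-password-reset', 'error'],
                        'allow' => true,
                        'roles' => ['?', '@'],
                    ],
                    [
                        'actions' => ['signup'],
                        'allow' => true,
                        'roles' => ['?'],
                    ],
                    [
                        // No 'actions' key: matches every remaining action
                        // (index, about, contact, logout, ...) for '@' only.
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                    // A guest requesting 'contact' matches no rule, so
                    // AccessControl denies and redirects to the login page.
                ],
            ],
            'verbs' => [
                'class' => VerbFilter::class,
                'actions' => [
                    'logout' => ['post'],
                ],
            ],
        ];
    }
}
```

Rules are evaluated top to bottom and the first match wins; with no match, AccessControl's default deny redirects guests to `user->loginUrl` and returns 403 for authenticated users.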