How to avoid unauthorized access

Hi guys,
following code should avoid unauthorized access in my application:

    public function behaviors() {
    return ['access' => [
            'class' => AccessControl::className(),
            'only' => ['logout', 'signup'],
            'rules' => [[
            'actions' => ['signup'],
            'allow' => true,
            'roles' => ['?'],],
                    'actions' => ['logout'],
                    'allow' => true,
                    'roles' => ['@'],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'logout' => ['post'],
public function actionLogin() {
    $this->layout = "main-login";
    if (!Yii::$app->user->isGuest) {
        /* obgleich die Seite in denselbem Verzeichnis liegt, funktioniert render() nicht. Anstatt dessen das redirect() zum Aufruf des Dashboards
          return $this->render('redirect'); // obsolet geworden */
        return $this->redirect(["/site/index"]);
    $model = new LoginForm();
    if ($model->load(Yii::$app->request->post()) && $model->login()) {
        return $this->goBack();
    } else {
        return $this->render('login', ['model' => $model]);

Following URL Manager will be implemented in config:

 'urlManager' => [
            'enablePrettyUrl' => true,
            'showScriptName' => true,
            'enableStrictParsing' => false,
            'class' => 'yii\web\UrlManager',
            'rules' => [
                '/' => 'site/login',
                'home' => 'site/index',
                'reset' => 'site/request-password-reset',
                'about' => 'site/about',
                'kontakt' => 'site/contact',

How to avoid unauthorized access using following url in browser:
This url only should be browseable, if user has been logged in! At the moment, web server will send request independently of logging in or not. So, user can see contact formular without having logged in before. That’s nonsense, of course. How to avoid rendering any page except login formular, if user types url manually?

Your ACF only applies to logout and signup actions. Other actions including contact are outside of the ACF and can be accessed freely.

Guide > Security > Authorization > Access Control Filter

So, if I understand u well, I have to define for each action method in controller rules using ? respectively @ combined with allow as Boolean in order to deny or to allow rendering? Is this interpretation of ur answer correct?

It depends on your design, but I don’t think you have to define all the actions. Just add “contact” to the “only” parameter and add it to the rule for the logged in users,then guests will be denied to access “contact” action.

It is quite flexible and is based on executing rules one by one. By default it’s “deny everything” and, ideally, it should stay as that allowing only certain rules to be executed.

Okay. Now I understod everything, apart from one final matter:
What about yii\filters\VerbFilter. Of course, I read official documentation, but what is necessity using this class? I’m able to allow or deny in a way U told me. Why should I be able to allow or deny HTTP request methods $_GET and $_POST? Additional question:
What about PUT and DELETE as parameter of assoziative array?

It is because you have to avoid CSRF attacks.
Guide > Security > Best Practice > Avoiding CSRF

In order to avoid CSRF you should always:

  1. Follow HTTP specification i.e. GET should not change application state. See RFC2616 for more details.
  2. Keep Yii CSRF protection enabled.

What about PUT and DELETE as parameter of assoziative array?

Do you mean ‘PUT’ and ‘DELETE’ for “verb” parameter? They are for RESTful API, I think.