How to avoid unauthorized access

Hi guys,
the following code should avoid unauthorized access in my application:

    // imports needed at the top of the controller file
    use Yii;
    use yii\filters\AccessControl;
    use yii\filters\VerbFilter;

    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'only' => ['logout', 'signup'],
                'rules' => [
                    [
                        'actions' => ['signup'],
                        'allow' => true,
                        'roles' => ['?'],
                    ],
                    [
                        'actions' => ['logout'],
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
            ],
            'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    'logout' => ['post'],
                ],
            ],
        ];
    }

    public function actionLogin()
    {
        $this->layout = "main-login";
        if (!Yii::$app->user->isGuest) {
            /* Although the page is in the same directory, render() does not work.
               Instead, redirect() is used to call the dashboard.
               return $this->render('redirect'); // now obsolete */
            return $this->redirect(["/site/index"]);
        }
        $model = new LoginForm();
        if ($model->load(Yii::$app->request->post()) && $model->login()) {
            return $this->goBack();
        } else {
            return $this->render('login', ['model' => $model]);
        }
    }

The following URL manager will be implemented in the config:

    'urlManager' => [
        'enablePrettyUrl' => true,
        'showScriptName' => true,
        'enableStrictParsing' => false,
        'class' => 'yii\web\UrlManager',
        'rules' => [
            '/' => 'site/login',
            'home' => 'site/index',
            'reset' => 'site/request-password-reset',
            'about' => 'site/about',
            'kontakt' => 'site/contact',
            .
            .
            .

How to avoid unauthorized access using the following URL in the browser:
http://localhost/perswitch_dev/frontend/web/index.php/kontakt
This URL should only be browsable if the user is logged in! At the moment, the web server serves the request regardless of whether the user is logged in or not. So a user can see the contact form without having logged in before. That's nonsense, of course. How do I avoid rendering any page except the login form if the user types the URL manually?

Your ACF only applies to logout and signup actions. Other actions including contact are outside of the ACF and can be accessed freely.

Guide > Security > Authorization > Access Control Filter
https://www.yiiframework.com/doc/guide/2.0/en/security-authorization#access-control-filter

So, if I understand you well, I have to define rules for each action method in the controller using ? or @ combined with allow as a Boolean in order to deny or allow rendering? Is this interpretation of your answer correct?

It depends on your design, but I don't think you have to define all the actions. Just add "contact" to the "only" parameter and add it to the rule for the logged-in users, then guests will be denied access to the "contact" action.

It is quite flexible and is based on executing rules one by one. By default it’s “deny everything” and, ideally, it should stay as that allowing only certain rules to be executed.
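As an added example (not code from this thread), here is a behaviors() configuration that goes one step further than adding "contact" to "only": the "only" key is dropped so every action of the controller passes through the ACF, the few actions a guest legitimately needs are listed explicitly, and everything else requires a logged-in user. It assumes the action names from the original post plus the usual "error" action of the Yii template.

```php
<?php
namespace frontend\controllers;

use yii\web\Controller;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;

class SiteController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                // No 'only' key: every action of this controller is filtered.
                // Rules are evaluated top to bottom, the first match wins, and
                // no match means deny (guests are redirected to the login URL,
                // authenticated users get a 403).
                'rules' => [
                    [
                        // Pages a visitor must reach before logging in
                        // ('error' is assumed to be the error handler action).
                        'actions' => ['login', 'error', 'request-password-reset'],
                        'allow' => true,
                        // no 'roles' given, so this rule matches everyone
                    ],
                    [
                        'actions' => ['signup'],
                        'allow' => true,
                        'roles' => ['?'], // guests only
                    ],
                    [
                        // Everything else (index, about, contact, logout, ...)
                        // requires an authenticated user.
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
            ],
            'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    // State-changing actions accept POST only, so a plain GET
                    // link cannot trigger them; together with the CSRF token
                    // check this is what VerbFilter is for.
                    'logout' => ['post'],
                ],
            ],
        ];
    }
}
```

With this layout a guest typing /kontakt by hand is sent to site/login by the ACF itself, so no per-action check is needed in the action methods.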

Okay. Now I understood everything, apart from one final matter:
What about yii\filters\VerbFilter? Of course, I read the official documentation, but what is the necessity of using this class? I'm able to allow or deny in the way you told me. Why should I be able to allow or deny the HTTP request methods $_GET and $_POST? Additional question:
What about PUT and DELETE as parameters of the associative array?

It is because you have to avoid CSRF attacks.
Guide > Security > Best Practice > Avoiding CSRF
https://www.yiiframework.com/doc/guide/2.0/en/security-best-practices#avoiding-csrf

In order to avoid CSRF you should always:

  1. Follow the HTTP specification, i.e., GET should not change application state. See RFC 2616 for more details.
  2. Keep Yii CSRF protection enabled.

What about PUT and DELETE as parameters of the associative array?

Do you mean 'PUT' and 'DELETE' for the "verbs" parameter? They are for RESTful APIs, I think.