How to Block Access to pages after logout.

Hi,

So I will have a few public pages and many private pages on my website.

After a user has successfully logged on, I will store a few session variables and give him a new menu with access to the private pages. After logging out, the user's session will be destroyed and the menu will change back to the default. Now the user must not be able to access any private pages, not even by typing the URL. The only way to get back to private pages must be to log on again.

I know I can check on each and every page if the session is not set, redirect to home page.

Is there any better way to do this?

I might end up with 60 private pages and don’t really want to go and validate session data on each page.

Thanks

You must define an access rule in your controller, like the following.




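    // Requires at the top of the controller file: use yii\filters\AccessControl;
    public function behaviors() {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'actions' => ['update', 'delete', 'insert'],
                        'allow' => true,
                        'roles' => ['@'], // '@' matches authenticated users
                    ],
                ],
            ],
        ];
    }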



'roles' => ['@'] means authenticated user

'allow' => true, allow the access

Assuming the standard action of a controller, 'index' (which is not on the list) can be called by all (even unauthenticated users), but 'update', 'delete' and 'insert' only by authenticated ones.

Refer to the docs for further information:

http://www.yiiframew…rs.html#filters

http://www.yiiframework.com/doc-2.0/guide-security-authorization.html#access-control-filter

If you need more control over user action (which user is authorized to do what => Authorization) you need to look for RBAC.

http://www.yiiframew…ss-control-rbac
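
For the original question (around 60 private pages with no per-page check), the same filter can be attached once to the whole application. This is an added example, not part of the thread. The application id, the identity class and the three public routes are assumptions. When AccessControl has no `only` list it covers every action and denies any request that no rule allows, so each route is private unless it is listed under `except`.

```php
<?php
// config/web.php fragment (added example, not from the thread).
// Route names, the app id and the identity class are assumptions.
return [
    'id' => 'example-app',                        // placeholder id
    'basePath' => dirname(__DIR__),
    'components' => [
        'user' => [
            'identityClass' => 'app\models\User', // assumed identity class
            // Guests who hit a private route are redirected here.
            'loginUrl' => ['site/login'],
        ],
    ],
    // 'as <name>' attaches a behavior to the application, so the filter
    // runs before every controller action in the site.
    'as access' => [
        'class' => 'yii\filters\AccessControl',
        // Public pages: the only routes reachable without logging in.
        'except' => ['site/index', 'site/login', 'site/error'],
        'rules' => [
            // Everything else requires an authenticated user ('@').
            ['allow' => true, 'roles' => ['@']],
        ],
    ],
];
```

With this in place a new controller is private by default. After logout the user is a guest again, so typing a private URL redirects to the login page.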

Thank you, I will have a look at it.