Is it possible to access an action for which you don't have permission


    Below given is a block of code for checking whether the user have permission to access an action

 public function behaviors()


            return [

                'verbs' => [

                    'class' => VerbFilter::className(),

                    'actions' => [

                        'delete' => ['post'],



                 'access' => [

                    'class' => AccessControl::className(),

                    'only' => ['index','index_reseller'],

                    'rules' => [



                            'allow' => ( Yii::$app->session->get('role') == 2 ) ? TRUE : FALSE,

                            'actions' => ['index'],

                            'roles' => ['@'],



                    'denyCallback' => function ($rule, $action) {

    					return $this->redirect(['permission']);






so basically a user having role value=2 only can access index action. Can any way one (user with role value not equal to 2) access the index action?

No. That’s the point of access control.

then how do guys hack? just curious

Most of today’s websites get hacked because of three things:

  1. Access Control

  2. Software Vulnerabilities

  3. Third-Party Integrations

(above is copy & paste)

Some short examples:

  1. They take over an account who has the permission to execute the action.

  2. They give an account permissions through vulnerability (for example with XSS).

  3. They highjack the php session of a permitted user.

… … …

There are plenty ways.

Just google: "How are websites hacked" and read.


so no way one can hack a website coz of Yii’s vulnerability, that’s all that i need to know. thanks


Just for clarification:

I did not say developing with Yii is per se invulnerable.

In fact - I would never say any application or framework is "100% secure".

Regarding your application:

It depends only on you and your thought about security how secure your app is.

Yii only can help you secure your application with implemented tools and features.

But of course - Yii is also developed by humans.

It is always POSSIBLE that there is a undiscovered bug which causes security flaws.

Just keep that always in mind.

(Regardless of which framework you use)

Also think of other factors which can cause security flaws.

(For example a badly configured / secured webserver or database)


There are no known security issues in the Yii itself that would allow attacker to access actions secured with access control if the config of it is OK.