Is it possible to access an action for which you don't have permission

ajith · October 14, 2015, 3:23am

hi,

    Below given is a block of code for checking whether the user have permission to access an action





 public function behaviors()

        {

            return [

                'verbs' => [

                    'class' => VerbFilter::className(),

                    'actions' => [

                        'delete' => ['post'],

                    ],

                ],

                 'access' => [

                    'class' => AccessControl::className(),

                    'only' => ['index','index_reseller'],

                    'rules' => [

                       

                        [

                            'allow' => ( Yii::$app->session->get('role') == 2 ) ? TRUE : FALSE,

                            'actions' => ['index'],

                            'roles' => ['@'],

                        ],

                    ],

                    'denyCallback' => function ($rule, $action) {

    					return $this->redirect(['permission']);

    					}

                ],

                

            ];

        }

so basically a user having role value=2 only can access index action. Can any way one (user with role value not equal to 2) access the index action?

samdark · October 14, 2015, 11:36am

No. That’s the point of access control.

ajith · October 15, 2015, 4:04am

then how do guys hack? just curious

MetaCrawler · October 15, 2015, 6:16am

Most of today’s websites get hacked because of three things:

Access Control
Software Vulnerabilities
Third-Party Integrations

(above is copy & paste)

Some short examples:

They take over an account who has the permission to execute the action.
They give an account permissions through vulnerability (for example with XSS).
They highjack the php session of a permitted user.

… … …

There are plenty ways.

Just google: "How are websites hacked" and read.

Regards

ajith · October 16, 2015, 8:09am

so no way one can hack a website coz of Yii’s vulnerability, that’s all that i need to know. thanks

MetaCrawler · October 16, 2015, 9:15am

Hey,

Just for clarification:

I did not say developing with Yii is per se invulnerable.

In fact - I would never say any application or framework is "100% secure".

Regarding your application:

It depends only on you and your thought about security how secure your app is.

Yii only can help you secure your application with implemented tools and features.

But of course - Yii is also developed by humans.

It is always POSSIBLE that there is a undiscovered bug which causes security flaws.

Just keep that always in mind.

(Regardless of which framework you use)

Also think of other factors which can cause security flaws.

(For example a badly configured / secured webserver or database)

Regards

samdark · October 19, 2015, 8:01am

There are no known security issues in the Yii itself that would allow attacker to access actions secured with access control if the config of it is OK.