Module Authentication - Not Throwing 403 Error

Here is my config:

DashboardModule:


public function init()
{
	$this->setComponents(array(
		'errorHandler' => array(
			'class'=>'CErrorHandler',
			'errorAction' => 'dashboard/default/error',
		),
		'user' => array(
			'class' => 'CWebUser',
			'stateKeyPrefix'=>'_dashboard',
		)
	));

	$this->setImport(array(
		'dashboard.models.*',
		'dashboard.components.*',
	));
}

UserIdentity:


// if valid user
$this->setState('is_admin', $user->is_admin); // either 1 or 0

ManagerController:


public function accessRules()
{
	return array(
		array('allow',  // allow admin users to access these actions only
			'actions'=>array('index', 'create'),
			'expression'=>'$user->is_admin',
		),
		array('deny',  // deny users
			'users'=>array('*'),
		),
	);
}

What I expect is that when a non-admin user tries to access the ‘index’ or ‘create’ action of ManagerController, it should throw a 403 exception (access denied). Instead it seems to just throw a standard 404 not found error page.

Anybody got any idea why it could be doing this?

'deniedCallback' => array($this,'actionSomething'),

I solved this. The problem was due to the separate ‘user’ object in setComponents - I took this out and it works OK now.

I think it may be because I am doing the login using the site controller and I am using UserIdentity class which exists in the “root” components folder. So because I set a ‘stateKeyPrefix’ in the module, it is looking for a different session key.

Since the site and the module are going to use a shared login, the module can instead just inherit the user object rather than creating a new one.
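The session-key mismatch described in the last post, as an added example that is not code from the thread or from Yii itself: a simplified model of how a user component stores its state under stateKeyPrefix, so a login written under one prefix is invisible to a component reading under another. The class name ModelWebUser, the prefix 'app_prefix_' and the user id are constructed for illustration.

```php
<?php
// Simplified stand-in for the state storage of a Yii 1.x user component
// (assumption: models only the prefix + key lookup, not the real class).
class ModelWebUser
{
    private $prefix;
    private $session;

    public function __construct($stateKeyPrefix, array &$session)
    {
        $this->prefix  = $stateKeyPrefix;
        $this->session = &$session; // shared session store, like $_SESSION
    }

    public function setState($key, $value)
    {
        $this->session[$this->prefix . $key] = $value;
    }

    public function getState($key, $default = null)
    {
        $k = $this->prefix . $key;
        return isset($this->session[$k]) ? $this->session[$k] : $default;
    }

    // A user with no stored id under this prefix is treated as a guest.
    public function getIsGuest()
    {
        return $this->getState('__id') === null;
    }
}

$session = array(); // constructed stand-in for $_SESSION

// Login happens in the site controller, through the application-level user.
$appUser = new ModelWebUser('app_prefix_', $session); // constructed prefix
$appUser->setState('__id', 42);                       // constructed user id
$appUser->setState('is_admin', 1);

// The module replaces 'user' with its own component and prefix '_dashboard'.
$moduleUser = new ModelWebUser('_dashboard', $session);

// Same session, different key namespace: the module sees a guest, and the
// 'expression' => '$user->is_admin' rule has nothing truthy to read.
var_dump($moduleUser->getIsGuest());
var_dump($moduleUser->getState('is_admin'));
var_dump($appUser->getState('is_admin'));
print_r(array_keys($session));
```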