// if valid user
$this->setState('is_admin', $user->is_admin); // either 1 or 0
ManagerController:
public function accessRules()
{
    return array(
        array('allow', // allow admin users to access these actions only
            'actions'=>array('index', 'create'),
            'expression'=>'$user->is_admin',
        ),
        array('deny', // deny users
            'users'=>array('*'),
        ),
    );
}
What I expect is when a non-admin user tries to access ‘index’ or ‘create’ action of ManagerController, then it should throw a 403 exception (access denied). Instead it seems to just throw a standard 404 not found error page.
I solved this. The problem was due to the separate ‘user’ object in setComponents - I took this out and it works OK now.
I think it may be because I am doing the login using the site controller and I am using UserIdentity class which exists in the “root” components folder. So because I set a ‘stateKeyPrefix’ in the module, it is looking for a different session key.
Since the site and the module are going to use a shared login, the module can instead just inherit the user object rather than creating a new one.
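The session-key mismatch described above, as an added example that is not part of the original post and is not Yii's own code: a simplified model of user state stored under a key prefix. The class name ModelWebUser, the method passesAdminRule() and the prefixes 'app_' and 'manager_' are constructed for illustration.

```php
<?php
// Simplified model of prefix-keyed user state (an illustration, not Yii source).
// Each state value lives in the session under <prefix><name>.
class ModelWebUser
{
    private $session;
    private $prefix;

    public function __construct(ArrayObject $session, $stateKeyPrefix)
    {
        $this->session = $session;
        $this->prefix = $stateKeyPrefix;
    }

    public function setState($name, $value)
    {
        $this->session[$this->prefix . $name] = $value;
    }

    public function getState($name, $default = null)
    {
        $key = $this->prefix . $name;
        return isset($this->session[$key]) ? $this->session[$key] : $default;
    }

    // Stand-in for the rule 'expression'=>'$user->is_admin': allow only if truthy.
    public function passesAdminRule()
    {
        return (bool) $this->getState('is_admin', 0);
    }
}

$session = new ArrayObject(); // constructed stand-in for $_SESSION

// Login runs in the site controller, through the application's user component.
$appUser = new ModelWebUser($session, 'app_'); // constructed prefix
$appUser->setState('is_admin', 1);

// Before: the module declares its own user component with its own prefix,
// so the rule reads 'manager_is_admin', a key the login never wrote.
$moduleUser = new ModelWebUser($session, 'manager_'); // constructed prefix
var_dump($moduleUser->passesAdminRule());

// After: the module inherits the application's user component, so the rule
// reads the same 'app_is_admin' key that the login wrote.
$inheritedUser = $appUser;
var_dump($inheritedUser->passesAdminRule());
```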