I've recently finished setting up RBAC in my Yii2 app, and have some of the User::can() checks working as expected. I'm making general rules for my controllers now, and have run into some odd behavior when a ‘deny’ is hit. I'm using PhpManager instead of DbManager for RBAC, since my CMS is light and there will only be 2 users ever. I also had the expectation that the PhpManager version would be far faster than DbManager.
Whenever the current role lacks authorization to perform the current controller action, the application locks up for many seconds. The browser is unresponsive, the operating system thinks the browser client is locked up, and after maybe 4-10 seconds it responds with the appropriate ‘403’ or ‘404’ exception.
This happens whether I have a ‘denyCallback’ property set or not. The default behavior (no ‘denyCallback’ defined) is no different from having a deny callable set: the same slowness to respond. Here is the relevant code for my controller:
    // Requires at the top of the controller file:
    //     use yii\filters\AccessControl;
    //     use yii\web\HttpException;

    /**
     * @inheritdoc
     */
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        // any authenticated user ('@') may view
                        'actions' => ['view'],
                        'allow' => true,
                        'roles' => ['@']
                    ],
                    [
                        // editing actions require the 'author' RBAC role
                        'actions' => ['selectmediatype', 'create', 'index', 'update'],
                        'allow' => true,
                        'roles' => ['author']
                    ],
                    [
                        // only the 'admin' RBAC role may delete
                        'actions' => ['delete'],
                        'allow' => true,
                        'roles' => ['admin']
                    ]
                ],
                // invoked when no rule allows the request, instead of the default deny handling
                'denyCallback' => function ($rule, $action) {
                    throw new HttpException(403, "Invalid authorization for this action.");
                }
            ]
        ];
    }
Has anyone experienced this slowness, and/or have an explanation for it? I haven't had time to dig deep into why. I can post my items.php, assignments.php, and rules.php if needed, but they're quite simple and pretty much follow the example set in the Authorization Guide.
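For readers who want the full picture, here is an added example (not code from the original post) of the Authorization Guide style console command that builds the author/admin hierarchy the controller above relies on, using yii\rbac\PhpManager so the result is written to items.php, assignments.php and rules.php; the permission names and the user IDs 1 and 2 are assumptions.

```php
<?php
// Added example, not from the original post. Both config/console.php and
// config/web.php are assumed to declare the component as
//     'authManager' => ['class' => 'yii\rbac\PhpManager'],
// whose itemFile/assignmentFile/ruleFile default to @app/rbac/*.php.
namespace app\commands;

use Yii;
use yii\console\Controller;

class RbacController extends Controller
{
    // Run once with: ./yii rbac/init
    public function actionInit()
    {
        $auth = Yii::$app->authManager;   // yii\rbac\PhpManager instance
        $auth->removeAll();               // rebuild the three files from scratch

        // Permissions map to the controller actions being guarded (names assumed).
        $managePosts = $auth->createPermission('managePosts');
        $managePosts->description = 'Create, list and update posts';
        $auth->add($managePosts);

        $deletePosts = $auth->createPermission('deletePosts');
        $deletePosts->description = 'Delete posts';
        $auth->add($deletePosts);

        // 'author' gets only what it needs; 'admin' inherits author and adds delete,
        // so the hierarchy stays least-privilege.
        $author = $auth->createRole('author');
        $auth->add($author);
        $auth->addChild($author, $managePosts);

        $admin = $auth->createRole('admin');
        $auth->add($admin);
        $auth->addChild($admin, $author);
        $auth->addChild($admin, $deletePosts);

        // Assign the two real users (IDs assumed: 1 = admin, 2 = author).
        $auth->assign($admin, 1);
        $auth->assign($author, 2);

        // Afterwards Yii::$app->user->can('deletePosts') is true only for user 1,
        // and 'roles' => ['admin'] in AccessControl resolves through the same files.
    }
}
```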