Restrict access for unconfirmed accounts

So I am trying to implement email account verification.

If a user has not confirmed their email, they can still log in, but they should not be able to access any pages in the account module. So for example, if they try to access:



it should redirect the user to /account/default/confirm, which displays a message saying "You have not yet confirmed your account, please click the link in the confirmation email, or click here to resend the confirmation email".

I have tried the following:


class BaseController extends Controller


    protected function findUser($id)


        if (($model = User::findOne(['id' => $id, 'deleted_at' => null])) !== null) {

            if ($model->confirmed_at == null) {

                return $this->redirect(['/account/default/confirm']);


            return $model;

        } else {

            throw new NotFoundHttpException('The requested page does not exist.');





class ProfileController extends BaseController


    public function actionEdit()


        $user = $this->findUser(Yii::$app->user->id);

        $profile = $user->profile; // getProfile() relation in User model

        return $this->render('index', [

            'profile' => $profile,




The problem I am having is that it gives me an error : “Trying to get property ‘profile’ of non-object”.

So it seems, it is not terminating the request at the redirect. I know instead of doing "return redirect" in "findUser" I can do it in the controller action, but then I would have to do this for every action. Is there a better way of doing this?