Restricting Views For Guest Login

Hi,

After reviewing http://www.yiiframework.com/doc/guide/1.1/en/topics.auth, I edited …protected/controllers/MyModelController.php to the following:




	public function accessRules()
	{
		return array(
			array('deny', // deny Guest user to perform 'create', 'update' and 'delete' actions
				'actions'=>array('create','update','delete'),
				'users'=>array('Guest'),
			),
			array('allow', // allow admin user to perform 'create' and 'update' actions
				'actions'=>array('create','update'),
				'users'=>array('admin'),
			),
			array('allow', // allow admin user to perform 'admin' and 'delete' actions
				'actions'=>array('admin','delete'),
				'users'=>array('admin'),
			),
			array('allow',  // allow all users to perform 'index' and 'view' actions
				'actions'=>array('index','view'),
				'users'=>array('@'),
			),
			array('deny',  // deny all users
				'users'=>array('*'),
			),
			array('deny', // deny 'delete' action for all contexts
				'actions'=>array('delete'),
			),
		);
	}



This seems to point all attempts to bypass the login page, by manually fiddling with the URL, back to the …index.php/site/login page. I’m just running this by the Group for any other improvements, suggestions or gotchas.

Now I have the next problem. Using the above access rules, can someone point me to the material I need to study in order to have these two users redirected to different views after they log in? Right now, I have to manually add the route to the URL. e.g. …MyApp/index.php/site/login/ --> …MyApp/index.php/MyModel/ Would this involve making changes to the MyModelController? and/or View(s)?? A tap on the shoulder and a finger pointing in the right direction would help.
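How Yii's access control filter reads the rules in the first post, as an added example that is not part of the original thread: rules are tried top to bottom, and the first one that matches both the action and the user decides. The script is a stand-alone PHP model of that matching, not Yii's own code; `userMatches()`, `decide()` and the three sample users are constructed for illustration.

```php
<?php
// Added illustration: stand-alone model of first-match rule evaluation.
// Not Yii code; userMatches(), decide() and $users are constructed here.
$rules = array( // the six rules from the post, in the same order
    array('deny',  'actions'=>array('create','update','delete'), 'users'=>array('Guest')),
    array('allow', 'actions'=>array('create','update'),          'users'=>array('admin')),
    array('allow', 'actions'=>array('admin','delete'),           'users'=>array('admin')),
    array('allow', 'actions'=>array('index','view'),             'users'=>array('@')),
    array('deny',  'users'=>array('*')),
    array('deny',  'actions'=>array('delete')),
);

// $user is array('name'=>string, 'isGuest'=>bool)
function userMatches(array $rule, array $user)
{
    if (empty($rule['users'])) return true;              // no 'users' key: any user
    foreach ($rule['users'] as $u) {
        if ($u === '*') return true;                      // everyone
        if ($u === '?' && $user['isGuest']) return true;  // anonymous only
        if ($u === '@' && !$user['isGuest']) return true; // authenticated only
        if (strcasecmp($u, $user['name']) === 0) return true; // by user name
    }
    return false;
}

// Returns array(verdict, 1-based number of the deciding rule or null).
function decide(array $rules, array $user, $action)
{
    foreach ($rules as $i => $rule) {
        $actionOk = empty($rule['actions']) || in_array(strtolower($action), $rule['actions'], true);
        if ($actionOk && userMatches($rule, $user)) return array($rule[0], $i + 1);
    }
    return array('allow', null); // nothing matched: the action is allowed
}

$users = array(
    array('name'=>'Guest', 'isGuest'=>true),  // anonymous; CWebUser::guestName defaults to 'Guest'
    array('name'=>'admin', 'isGuest'=>false),
    array('name'=>'Guest', 'isGuest'=>false), // a logged-in account named Guest
);
foreach ($users as $user) {
    $who = $user['name'] . ($user['isGuest'] ? ' (anonymous)' : ' (logged in)');
    foreach (array('index','view','admin','create','update','delete') as $action) {
        list($verdict, $n) = decide($rules, $user, $action);
        printf("%-18s %-7s -> %-5s by rule %s\n", $who, $action, $verdict, $n === null ? 'none' : $n);
    }
}
```

In the output, rule 6 never decides a request, because rule 5 already matches every user and action that reaches it.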

Hi

You have to check in the controller/action who the user is and create a condition in the action.

  1. set the return url according to the user

         Yii::app()->user->returnUrl=array('controller/action');

  2. redirect to the login if user has no permission (checking by Yii::app()->user->id)

  3. Remember that all users should have permission to this action, so remove the appropriate rule from accessRules()

Thanks KonApaz,

I worked out step (1) with your suggestion. Now I need to code in the condition(s) for a Guest login and a Url back to the login page if auth/auth fails. Thanks again, …really appreciated.

Do it like this:

	array('allow', // allow all users to perform 'index' and 'view' actions
		'actions'=>array('index','view'),
		'users'=>array('@'),
	),

@ - only allows logged-in users to view that page.

The way that Balu suggested is a general way in Yii.

If you want to be more specific with your condition:

	if (Yii::app()->user->isGuest) { //or more conditions
		Yii::app()->user->returnUrl=array('controller/action');
		$this->redirect(array('site/login'));
	}

The following seems to work for redirecting to two different views based on identity of user, but I’d like someone to check its validity and best practices, since I’m a newbie:




    # protected/controllers/SiteController.php

    public function actionLogin()
    {
        $model=new LoginForm;

        // if it is ajax validation request
        if(isset($_POST['ajax']) && $_POST['ajax']==='login-form')
        {
            echo CActiveForm::validate($model);
            Yii::app()->end();
        }

        // collect user input data
        if(isset($_POST['LoginForm']))
        {
            $model->attributes=$_POST['LoginForm'];
            // validate user input and redirect to the specified page if valid
            if($model->validate() && $model->login())
            {
                // pick the landing page only after a successful login, so a failed
                // attempt falls through and re-renders the form with its errors
                if(Yii::app()->user->name == 'admin')
                {
                    $this->redirect(Yii::app()->user->returnUrl=array('MyModelController/admin'));
                }
                else
                {
                    $this->redirect(Yii::app()->user->returnUrl=array('MyModelController/index'));
                }
            }
        }

        // display the login form
        $this->render('login',array('model'=>$model));
    }



How’s this? Now the only thing left is to have the else{} clause redirect to a cloned admin view without the Delete and Update buttons, instead of index, as in this test. Can Gii be used to generate the other view, or whatever? Anyone have any hints?