strange CAccessRules

Hi,

I’m trying to deny access to all actions for non-admin users with the following code:

    public function accessRules() {
        return array(
            array('deny', 'actions'=>array(), 'users'=>array('*')),
            array('deny', 'actions'=>array(), 'users'=>array('@')),
            array('deny', 'actions'=>array(), 'users'=>array('admin')),
            array('deny', 'users'=>array('*')),
        );
    }



Using the code above, Yii allows all actions to all users.

Is this normal?

Your rules do not apply to any actions, so if Yii has an action it searches for a rule that is defined for it. If there is no matching deny rule, it will not deny.

This is not what I had read in the class reference:

http://www.yiiframework.com/doc/api/1.1/CAccessRule#actions-detail

Guess you have to remove that ‘actions’=>array() there.

Simply define the rule without specifying anything about the actions :wink:

This is what I did, but I get the same result (guest users can access all actions):

    public function accessRules() {
        return array(
            array('deny', 'users'=>array('*')),
            array('deny', 'users'=>array('@')),
            array('allow', 'users'=>array('admin')),
            array('deny', 'users'=>array('*')),
        );
    }



Oops, I forgot:

Or at least, how can I quickly deny all actions to all users except ‘admin’?

Like this?

    array('allow', 'users'=>array('admin')),
    array('deny', 'users'=>array('*')),

Using this code I can access all actions while I’m logged out.

Test it yourself

I’ve just tried. I just created a controller with Gii’s controller generator, and added the controller filter rules (because they are not included by default):

    class OtherController extends Controller
    {
        public function filters()
        {
            return array(
                'accessControl',
            );
        }

        public function accessRules()
        {
            return array(
                array('allow', 'users'=>array('admin')),
                array('deny', 'users'=>array('*')),
            );
        }

    …

It works as it’s intended to:

  • When no one is logged in, no access.

  • If someone other than ‘admin’ is logged in, no access.

  • If the ‘admin’ login is successful, full access.

(I created the controller with 2 dummy actions just to be sure).

If your controller looks like the above, I think you have to check your code, or post your config file and controller.

Oops, I just found the problem. I did not realize that I had deleted the following:

    public function filters() {
        return array('accessControl');
    }
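To make the two lessons of this thread concrete, here is an added stand-alone example (not code from the thread or from Yii itself) that emulates how Yii 1.1’s access filter walks accessRules(): the rules are only consulted at all when filters() returns 'accessControl', the first rule whose 'users' entry matches decides, and no matching rule means access is granted. It assumes only the 'users' key is modelled ('*' anyone, '?' guest, '@' any logged-in user, otherwise a username compared case-insensitively) and shows why the poster’s deny-first ordering would lock out ‘admin’ too.

```php
<?php
// Added example: a minimal stand-in for the rule walk done by Yii 1.1's
// CAccessControlFilter. In real Yii these rules run only when the controller's
// filters() returns 'accessControl'; without that, every rule is ignored,
// which is what the original poster ran into.
// Assumption: only 'users' is modelled, first matching rule wins, and with no
// matching rule access is allowed (the thread reports the same behaviour).

function userMatches(array $users, ?string $username): bool {
    foreach ($users as $u) {
        if ($u === '*') return true;                       // anyone
        if ($u === '?' && $username === null) return true; // guest only
        if ($u === '@' && $username !== null) return true; // any logged-in user
        if ($username !== null && strcasecmp($u, $username) === 0) return true;
    }
    return false;
}

// Returns true when access is granted; $username is null for a guest.
function isAllowed(array $rules, ?string $username): bool {
    foreach ($rules as $rule) {
        if (userMatches($rule['users'] ?? array(), $username)) {
            return $rule[0] === 'allow';   // first matching rule decides
        }
    }
    return true;   // no rule matched: nothing denies the request
}

// The working rule set from the thread: allow admin, then deny everyone else.
$good = array(
    array('allow', 'users' => array('admin')),
    array('deny',  'users' => array('*')),
);

// The poster's second attempt: a deny-everyone rule comes first, so the
// request never reaches the allow rule, not even for 'admin'.
$bad = array(
    array('deny',  'users' => array('*')),
    array('deny',  'users' => array('@')),
    array('allow', 'users' => array('admin')),
    array('deny',  'users' => array('*')),
);

foreach (array(null, 'bob', 'admin') as $who) {   // constructed sample users
    printf("%-6s good=%s bad=%s\n", $who ?? 'guest',
        isAllowed($good, $who) ? 'allow' : 'deny',
        isAllowed($bad, $who) ? 'allow' : 'deny');
}
```

Only ‘admin’ is allowed by the first rule set, while the deny-first set denies everyone, so the rule order matters as much as declaring the filter.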