The AccessRules for delete action doesn't function

Try to create a CRUD application with yiic for any class, then change the accessRules() function by removing the ‘delete’ action from the ‘allow’ array for admin users. At this point the delete action should be denied. This is example code from my users class:




	public function accessRules()
	{
		return array(
			array('allow',  // allow all users to perform 'list' and 'show' actions
				'actions'=>array('list','show'),
				'users'=>array('*'),
			),
			array('allow', // allow authenticated user to perform 'create' and 'update' actions
				'actions'=>array('create','update'),
				'users'=>array('@'),
			),
			array('allow', // allow admin user to perform 'admin' actions
				'actions'=>array('admin'),
				'users'=>array('admin'),
			),
			array('deny',  // deny all users
				'users'=>array('*'),
			),
		);
	}




But if you go to the admin page (users/index.php?r=users/admin) and try to delete a record, you can do it anyway (I think it’s a bug). If instead you go to show a single record (users/index.php?r=users/show&id=10) and then try to delete it from there, you are correctly blocked for not being authorized.

That’s because the admin view doesn’t use actionDelete.

See processAdminCommand() in the generated Controller.

/Tommy

You’re right, now I also found this related post:

http://www.yiiframework.com/forum/index.php?/topic/295-delete-action-in-crud-example/

I will change the linkbutton code as explained so it will pass through actionDelete.

Thanks
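
Added example (not from the thread and not Yii's generated code): a simplified PHP model of why the rules posted above do not stop a delete issued from the admin page, next to a variant that authorizes the operation itself. `isAllowed()` and `adminPage()` are hypothetical stand-ins for the access filter and for the admin action's command handling; first-match rule evaluation keyed on the routed action name is an assumption of the model, and the records are constructed sample data.

```php
<?php
// Constructed model: rules are matched against the routed action name only.
function isAllowed(array $rules, string $action, string $user): bool
{
    foreach ($rules as $rule) {
        $actionOk = !isset($rule['actions']) || in_array($action, $rule['actions'], true);
        $userOk = in_array('*', $rule['users'], true)
            || ($user !== '' && in_array('@', $rule['users'], true)) // '@' = any logged-in user
            || in_array($user, $rule['users'], true);
        if ($actionOk && $userOk) {
            return $rule[0] === 'allow'; // first matching rule decides
        }
    }
    return true; // model assumption: no matching rule means allowed
}

// The rule set from the post: 'delete' is not listed in any 'allow' rule.
$rules = [
    ['allow', 'actions' => ['list', 'show'], 'users' => ['*']],
    ['allow', 'actions' => ['create', 'update'], 'users' => ['@']],
    ['allow', 'actions' => ['admin'], 'users' => ['admin']],
    ['deny', 'users' => ['*']],
];

// Hypothetical admin handler: the delete arrives as a posted sub-command of 'admin',
// so the filter only ever sees the action name 'admin'.
function adminPage(array $rules, string $user, array $post, array &$records, bool $recheck): string
{
    if (!isAllowed($rules, 'admin', $user)) {
        return 'denied: admin';
    }
    if (($post['command'] ?? '') === 'delete') {
        // Hardened variant: authorize the operation being performed, not just the route.
        if ($recheck && !isAllowed($rules, 'delete', $user)) {
            return 'denied: delete';
        }
        unset($records[$post['id']]);
        return 'deleted ' . $post['id'];
    }
    return 'listed';
}

$records = [10 => 'alice', 11 => 'bob']; // constructed sample records
$post = ['command' => 'delete', 'id' => 10];
echo adminPage($rules, 'admin', $post, $records, false), "\n"; // route-only check
echo adminPage($rules, 'admin', $post, $records, true), "\n";  // operation re-checked
```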