User Authentication & Management

I know that we have multiple useful extensions that provides this feature, but I think that a built-in user authentication & management module is a must for all the web frameworks. Look Django and web2py :)

I don’t think these are good candidates for a core framework. Still, I agree that this is the very common task so maybe will consider to putting up an official package for it.

You’re right, I agree


It would be helpful if checkAccess() could be disabled in config for debugging, so it would always return true.

One more thumb up, for including authentication & authorization management module in official package.


Have a look at there are plenty of very good user and auth modules with GUI already:

Just to name a few … :)

Maybe I have misunderstood his words but I think that samdark has already talked about them:

Further I think that, except the 2 first ones, these extensions are not a complete user authentication & management system (with user authentication, registration, verification, etc)

I believe this should be included in Gii. Just a simple click and all user authentication and management is setup for you.

No !! :lol:


I think it’s a very good idea to request that the authors/maintainers of those extensions add a gii generator to - well - generate that. :)

We can’t have it in Yii core, as it’s totally dependent on whatever authentication system we’re using.

I Agree!

official package +1

I would be even more useful if the default user has also an implementation for authItems (no management) - this is also a debug issue.

Like, do not set only username => password in key value pairs, make an array structure like,


  1 => array(

    'name' => 'admin',

    'password' => 'secret',

    'authItems' => array(

      'Editor.*', 'Testitem'




I think this should be in the core too.

There are many good ‘user’ modules out there, but how often are they updated, will they work with Yii 2, do they use best practices?

For such a common requirement, better to have it in core functionality so you can forget about it.

From the Yii homepage: "Yii is a high-performance PHP framework best for developing Web 2.0 applications."

From Wikipedia: "A Web 2.0 site allows users to interact and collaborate with each other in a social media dialogue as creators (prosumers) of user-generated content in a virtual community"

The core feature of what makes a website "2.0" (for the record I hate that term) are the users. Without some sort of official extension (Gii module, etc), it is lacking an extremely important aspect of making Web 2.0 website. Automatic CRUD generation + automatic RBAC (or some other form of user auth) generation would be great.

Very good point and I do agree with adding a basic feature like this to the next release just to be able to jump start a project. Also of all those extensions mentioned above, the amount of bugs create more headaches then it solves.

I’m curious about what will change in the authorization in Yii2.

I’m currently working on a successor to my Rights extension. The reason for why I’m writing a new extension is to improve mainly the performance and usability and to correct some mistakes that were made when designing Rights.

Do the Yii team have any plans they would like to share about the future of Yii’s authorization?

I dont think that builtin authorization is a good idea. Django’s out-of-box solution, which was mentioned here, is so inconvenient and hard to customization. I think frameworks should not deal with stuff like authorization. But if they do - things should be abstract as much as possible.

Built-in authorization doesn’t do any harm if it can be bypassed completely and easily. In case of Yii it’s really easy: authorization component won’t even be loaded if you don’t call it explicitly (or implicitly, by access control filters).

Can’t agree more. Abstraction is not the biggest strength of current implementation (it works well in the majority of use cases, though) . When I need a highly customized solution, I have to implement it from scratch. IAuthManager interface makes a bit too much assumptions about implementation details.

I totally agree. The current implementation doesn’t give enough freedom and it feels like it was designed with a single solution in mind.

What’s bad/not enough in current interface?