Why can i update user if i block it in access control?

mepihindeveloper · October 31, 2018, 4:59pm

Hello.
I have AdminController which i extend for each controller in admin panel.

public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['login'],
                    'allow' => true,
                    'roles' => ['?'],
                ],
                [
                    'actions' => ['delete'],
                    'allow' => true,
                    'roles' => ['admin'],
                ],
                [
                    'allow' => true,
                    'roles' => ['admin', 'editor', 'expert'],
                ],
            ]
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'logout' => ['get'],
                'delete' => ['POST'],
            ],
        ],
    ]; 
}

Then i create some additions just for users control:

public function behaviors()
{
    return \yii\helpers\ArrayHelper::merge(parent::behaviors(), [
        'access' => [
            'rules' => [
                [
                    'actions' => ['update'],
                    'allow' => true,
                    'roles' => ['admin'],
                ],
                [
                    'actions' => ['view', 'index'],
                    'allow' => true,
                    'roles' => ['editor', 'expert'],
                ],
            ]
        ],
    ]);
}

But if i have role editor i can update users… Why?

alirz23 · October 31, 2018, 5:37pm

hi there, reason why editor is allowed to update is because in your parent controller’s rules you have editor listed with admin in 3rd rule which is allowing admin+editor+expert to update your expert is also able update did you test that, to fix it explicitly set the rules for each role

mepihindeveloper · October 31, 2018, 5:57pm

Hello, thank. How can i declare for all controllers access not for USER?
user: /admin/default/login
admin: *
editor: * but not update for /admin/inf-users/update
expert: view, index for all and update for /admin/some/some
How can i do it? Help please!