Why can I update a user if I block it in access control?

Hello.
I have an AdminController which I extend for each controller in the admin panel.

public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['login'],
                    'allow' => true,
                    'roles' => ['?'],
                ],
                [
                    'actions' => ['delete'],
                    'allow' => true,
                    'roles' => ['admin'],
                ],
                [
                    'allow' => true,
                    'roles' => ['admin', 'editor', 'expert'],
                ],
            ]
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'logout' => ['get'],
                'delete' => ['POST'],
            ],
        ],
    ]; 
}

Then I create some additions just for users control:

public function behaviors()
{
    return \yii\helpers\ArrayHelper::merge(parent::behaviors(), [
        'access' => [
            'rules' => [
                [
                    'actions' => ['update'],
                    'allow' => true,
                    'roles' => ['admin'],
                ],
                [
                    'actions' => ['view', 'index'],
                    'allow' => true,
                    'roles' => ['editor', 'expert'],
                ],
            ]
        ],
    ]);
}

But if I have the editor role I can update users… Why?

Hi there, the reason why editor is allowed to update is that in your parent controller's rules you have editor listed with admin in the 3rd rule, which allows admin + editor + expert to update. Your expert is also able to update; did you test that? To fix it, explicitly set the rules for each role.

1 Like
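The behaviour described in the answer above, as an added example that is not part of the original thread: a framework-free PHP model of how the merged rule list is evaluated, using the rules from the question. `mergeRules()` and `check()` are hypothetical helpers standing in for `ArrayHelper::merge()` (which appends integer-keyed items) and `AccessControl` (which applies the first matching rule); the `$hardened` list goes slightly beyond the answer by showing one possible ordering with an explicit deny.

```php
<?php
// Added illustration: a framework-free model of two Yii2 behaviours.
// mergeRules() and check() are hypothetical helpers, not Yii2 API.

// ArrayHelper::merge() appends integer-keyed items, so the child's rules
// end up after the parent's rules instead of replacing them.
function mergeRules(array $parent, array $child): array
{
    return array_merge($parent, $child);
}

// AccessControl applies the first rule that matches; a rule without
// 'actions' or 'roles' matches any action or any user.
function check(array $rules, string $action, string $role): bool
{
    foreach ($rules as $rule) {
        $actionOk = empty($rule['actions']) || in_array($action, $rule['actions'], true);
        $roleOk = empty($rule['roles']) || in_array($role, $rule['roles'], true);
        if ($actionOk && $roleOk) {
            return $rule['allow']; // first match decides, later rules are never reached
        }
    }
    return false; // nothing matched: denied
}

$parent = [ // rules from the question's AdminController
    ['actions' => ['login'], 'allow' => true, 'roles' => ['?']],
    ['actions' => ['delete'], 'allow' => true, 'roles' => ['admin']],
    ['allow' => true, 'roles' => ['admin', 'editor', 'expert']], // catch-all
];
$child = [ // rules from the question's users controller
    ['actions' => ['update'], 'allow' => true, 'roles' => ['admin']],
    ['actions' => ['view', 'index'], 'allow' => true, 'roles' => ['editor', 'expert']],
];
$asPosted = mergeRules($parent, $child);

// Assumed fix: controller-specific rules go first, and 'update' is
// explicitly denied for everyone the admin rule did not match.
$hardened = array_merge([
    ['actions' => ['update'], 'allow' => true, 'roles' => ['admin']],
    ['actions' => ['update'], 'allow' => false],
], $parent);

foreach (['asPosted' => $asPosted, 'hardened' => $hardened] as $name => $rules) {
    foreach (['admin', 'editor', 'expert'] as $role) {
        printf("%-8s update as %-6s: %s\n", $name, $role, check($rules, 'update', $role) ? 'allowed' : 'denied');
    }
}
```

In a real controller, the same ordering means building the `rules` array yourself in the child's `behaviors()` so the specific rules precede the inherited ones, since `ArrayHelper::merge()` can only append them.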

Hello, thanks. How can I declare for all controllers access not for USER?
user: /admin/default/login
admin: *
editor: * but not update for /admin/inf-users/update
expert: view, index for all and update for /admin/some/some
How can I do it? Help please!