Yii2-advanced only allow admin to login to backend


(Aeschlimann Mathias) #1

I have a yii2 advanced template app with yii2-user installed and the native yii2 rbac features enabled.

I now want to restrict access to the backend to admins (which is a role) only.

On stackoverflow someone else had the same question: http://stackoverflow.com/questions/27935155/yii2-deny-user-login-on-backend

According to the answers, I have to implement this not with RBAC but with ACF.

I tried both TomaszKane's and Bsienn's answers. This technically works, but it displays a nasty error message that I don't want to show my users. I thus tried to modify it and came up with this:


// in the controller: use yii\filters\AccessControl;

public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            // called instead of the default 403 exception when no rule allows the action
            'denyCallback' => function ($rule, $action) {
                echo 'you are logged out';
                //throw new \Exception('You are not allowed to access this page');
            },
            'rules' => [
                [
                    'actions' => ['logout', 'index'], // two action IDs, not the single string 'logout, index'
                    'allow' => true,
                    'roles' => ['?'], // guests only
                ],
                [
                    'actions' => [], // an empty list matches every action
                    'allow' => true,
                    'roles' => ['admin'], // RBAC role checked via Yii::$app->user->can('admin')
                ],
            ],
        ],
    ];
}

Now there is another problem I don't know how to solve. If I log in as a non-admin it says 'you are logged out' - even if I try to access user/login I get redirected to the root and it displays 'you are logged out'. I first have to delete the Yii cookies to be able to access user/login again. What's causing this and how can I solve this? I want the user to always be able to access user/login.


(Aeschlimann Mathias) #2

Hmmmmm. I may not need this after all. The SiteController actions are login, logout and index, which shows a static information page. I don't really need to restrict that.

I now created a DefaultBackendController that extends Controller, and all my backend controllers now extend from it. In it, I put:




// in the controller: use yii\filters\AccessControl;

public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['login', 'error'],
                    'allow' => true, // no 'roles' key: allowed for everyone, guests included
                ],
                [
                    'actions' => ['logout', 'index', 'create', 'update', 'view', 'delete'], // add all actions to take guest to login page
                    'allow' => true,
                    'roles' => ['admin'], // any action not listed in either rule is denied
                ],
            ],
        ],
    ];
}

to restrict access to the backend controllers to admins only. Is that a safe and OK way to do it, or not?
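As an added example (not the poster's code), one way to write such a base controller so that every action of every subclass is admin-only without an action list that has to be kept in sync, and so that a denied request is redirected instead of ending in the default 403 page. It assumes the RBAC role is named `admin` as in the thread, that yii2-user serves the login form at `/user/login`, and that the class lives at `backend/controllers/DefaultBackendController.php`; the flash message text is made up.

```php
<?php
// backend/controllers/DefaultBackendController.php (assumed location)
namespace backend\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;

/**
 * Base class for all backend controllers. AccessControl denies by default:
 * any action that no rule explicitly allows is refused, so a new action in a
 * subclass is protected without touching this class.
 */
class DefaultBackendController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    [
                        // No 'actions' key: the rule applies to every action.
                        // 'admin' is an RBAC role, checked via Yii::$app->user->can('admin'),
                        // so the authManager component must be configured.
                        'allow' => true,
                        'roles' => ['admin'],
                    ],
                ],
                // Runs instead of AccessControl's default denyAccess(), which would
                // redirect guests to loginUrl and throw ForbiddenHttpException (403)
                // for logged-in users. The return value is ignored; AccessControl
                // stops the action because beforeAction() returns false.
                'denyCallback' => function ($rule, $action) {
                    $user = Yii::$app->user;
                    if ($user->isGuest) {
                        // Not logged in: go to the login page, remembering the requested URL.
                        $user->loginRequired();
                        return;
                    }
                    // Logged in without the admin role: end the backend session so the
                    // login form is reachable again, explain, and redirect there.
                    $user->logout();
                    Yii::$app->session->setFlash('error', 'Only administrators may use the backend.');
                    Yii::$app->response->redirect(['/user/login']); // assumed yii2-user route
                },
            ],
        ];
    }
}
```

Because the rule has no `actions` list, the controller that renders the error page must not extend this class (or must override `behaviors()`), otherwise a guest hitting an error would be bounced to login instead of seeing the error.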


(Pellicanipasquale) #3

…not enough, because if I have modules in common I can't manage exclusive access. Can I set the permission on the URL? If it ends with /admin, does only the 'admin' role get access? Thanks
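The following is an added example, not part of the thread, showing how a module declared in `common/config` (and therefore shared by frontend and backend) can be restricted to the `admin` role in the backend application only: an `AccessControl` filter is attached to the module itself in `backend/config/main.php`, keyed on the module rather than on the URL. Yii2 allows attaching action filters to modules; for a module-level filter, `only`/`except` take `controller/action` IDs relative to the module. The module ID `user`, its class and the excluded action IDs are assumptions; the flash text is made up.

```php
<?php
// backend/config/main.php (assumed; excerpt of the returned configuration array).
// It is merged over common/config/main.php by backend/web/index.php, so the
// 'user' module keeps its common settings and gains the filter only here.
return [
    'id' => 'app-backend',
    'modules' => [
        'user' => [
            'class' => 'dektrium\user\Module', // assumed yii2-user module class
            // 'as <name>' attaches a behavior to the module; AccessControl is an
            // ActionFilter, so it runs before every action routed into this module.
            'as access' => [
                'class' => \yii\filters\AccessControl::class,
                // Leave the login/logout actions reachable, otherwise an admin could
                // never log in. IDs are controller/action relative to the module.
                'except' => ['security/login', 'security/logout'], // assumed action IDs
                'rules' => [
                    [
                        'allow' => true,
                        'roles' => ['admin'], // RBAC role via Yii::$app->user->can('admin')
                    ],
                ],
                'denyCallback' => function ($rule, $action) {
                    $user = \Yii::$app->user;
                    if ($user->isGuest) {
                        $user->loginRequired(); // redirect to the configured loginUrl
                        return;
                    }
                    // Logged in, not admin: drop the backend session and send to login.
                    $user->logout();
                    \Yii::$app->session->setFlash('error', 'The backend is restricted to administrators.');
                    \Yii::$app->response->redirect(['/user/security/login']); // assumed route
                },
            ],
        ],
    ],
];
```

The same `'as access'` block can be attached to any other shared module in the backend config; the frontend configuration is untouched, so the module stays open to ordinary users there.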