Yii2-advanced only allow admin to login to backend

Yii 2.0 General Discussions
1

I have a yii2 advanced template app with yii2-user installed and the native yii2 rbac features enabled.

I now want to restrict access to the backend to admins (which is a role) only.

On stackoverflow someone else had the same question: http://stackoverflow.com/questions/27935155/yii2-deny-user-login-on-backend

According to the answers, I have to implement this not with rbac but with acf.

I tried both TomaszKane and Bsienn’s answers. This technically works, but it displays a nasty error message that I don’t want to show my users. I thus tried to modify it and came up with this:


'access' => [

                'class' => AccessControl::className(),

                'denyCallback' => function ($rule, $action) {

                    echo 'you are logged out';

                    //throw new \Exception('You are not allowed to access this page');

                },

                'rules' => [

                    [

                        'actions' => ['logout, index'],

                        'allow' => true,

                        'roles' => ['?'],


                    ],

                    [

                        'actions' => [],

                        'allow' => true,

                        'roles' => ['admin'],

                    ],

                ],

            ],

Now there is another problem I don’t know how to solve. If I login in as a non-admin it says ’ ‘you are logged out’ - even if I try to access user/login I get redirected to the the root and it displays ’ you are logged out’. I first have to delete the yii cookies to be able to access user/login again. What’s causing this and how can I solve this? I want the user to always be able to access user/login.

2

Hmmmmm. I may not need this after all. The siteController actions are login, logout and index, which shows a static information page. I don’t really need to restrict that.

I now created a DefaultBackendController that extends Controller and all my Backend-Controller are now extending from it. In it, I put:




'access' => [

                'class' => AccessControl::className(),


                'rules' => [

                    [

                        'actions' => ['login', 'error'],

                        'allow' => true,

                    ],

                    [

                        'actions' => ['logout', 'index','create','update','view','delete'], // add all actions to take guest to login page

                        'allow' => true,

                        'roles' => ['admin'],

                    ],

                ],

            ],

To restrict access to the backend Controllers to admins only. That’s a safe and ok way to do it, or not?

3

…not enough, because if I have modules in the common I can’t manage exclusive access, can I set the permission on the url? If it ends with / admin then do you only access the ‘admin’ role? Thanks

4

1.I have done this by using this extension.

php composer.phar require --prefer-dist yii2mod/yii2-rbac "*"

2.And by adding this to each controller which are only for admin and manager

'access' => [
               'class' => \yii2mod\rbac\filters\AccessControl::className(),
               'rules' => [
                   [    // all the action are accessible to superadmin, admin and manager
                       'allow' => true,  
                       'roles' => ['admin','manager'],
                   ],   
               ],
           ],

3.It gives forbidden access for other users.

4.Link https://github.com/yii2mod/yii2-rbac