Yii2: yii2-admin role / route

Hi,

I am using yii2-admin to implement RBAC, but I met some difficulties.

I don't give a route to a user role, but it can access it.

I don't know why.

I am using basic Yii2.

In web.php:




'authManager' => [
    'class' => 'yii\rbac\DbManager',
    'defaultRoles' => ['guest'],
],
'as access' => [
    'class' => 'mdm\admin\components\AccessControl',
    'allowActions' => [
        'site/*',
        'registration/*',
        'admin/*',
        'some-controller/some-action',
        // The actions listed here will be allowed to everyone including guests.
        // So, 'admin/*' should not appear here in the production, of course.
        // But in the earlier stages of your development, you may probably want to
        // add a lot of actions here until you finally completed setting up rbac,
        // otherwise you may not even take a first step.
    ]
],
'modules' => [
    'admin' => [
        //'rights' => [
        'class' => 'mdm\admin\Module',
        'controllerMap' => [
            'assignment' => [
                'class' => 'mdm\admin\controllers\AssignmentController',
                'userClassName' => 'app\models\User',
                'idField' => 'id_user', // id field of model User
                'usernameField' => 'login', // username field of model User
            ],
        ],
        //],
    ],
],



In my controller's behaviors():




public function behaviors()
{
    return [
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'delete' => ['post'],
            ],
        ],
        'access' => [
            'class' => \yii\filters\AccessControl::className(),
            'only' => ['index', 'create', 'update', 'view'],
            'rules' => [
                // allow any authenticated user ('@') to all four actions listed in 'only'
                [
                    'allow' => true,
                    'roles' => ['@' /*Users->role_users*/],
                ],
                // redundant: index and view are already allowed by the rule above;
                // any action in 'only' that matches no rule is denied by default
                [
                    'allow' => true,
                    'actions' => ['index', 'view'],
                    'roles' => ['@'],
                ],
            ],
        ],
    ];
}



/* Moved from "General Discussions" to "Extensions" */

You should modify this part of the configuration:

'as access' => [
    ...
    'allowActions' => [
        'site/*',
        'registration/*',
        'admin/*',
        'some-controller/some-action',
        // The actions listed here will be allowed to everyone including guests.
        // So, 'admin/*' should not appear here in the production, of course.
        // But in the earlier stages of your development, you may probably want to
        // add a lot of actions here until you finally completed setting up rbac,
        // otherwise you may not even take a first step.
    ]
],



Also, you should delete this part, since you are using yii2-admin as the access-controlling filter:

public function behaviors()
{
    return [
        ...
        'access' => [
            'class' => \yii\filters\AccessControl::className(),
            'only' => ['index', 'create', 'update', 'view'],
            'rules' => [
                // allow authenticated users
                [
                    'allow' => true,
                    'roles' => ['@' /*Users->role_users*/],
                ],
                // redundant: index and view are already allowed by the rule above;
                // any action in 'only' that matches no rule is denied by default
                [
                    'allow' => true,
                    'actions' => ['index', 'view'],
                    'roles' => ['@'],
                ],
            ],
        ],
    ];
}



I am doing it like this:

'as access' => [
    'class' => 'mdm\admin\components\AccessControl',
    'allowActions' => [
        'site/*',
        'registration/*',
        // 'admin/*',
        //'filiere-etab/*',
        // 'some-controller/some-action',
        // The actions listed here will be allowed to everyone including guests.
        // So, 'admin/*' should not appear here in the production, of course.
        // But in the earlier stages of your development, you may probably want to
        // add a lot of actions here until you finally completed setting up rbac,
        // otherwise you may not even take a first step.
    ]
],
'modules' => [
    'admin' => [
        //'rights' => [
        'class' => 'mdm\admin\Module',
        'controllerMap' => [
            'assignment' => [
                'class' => 'mdm\admin\controllers\AssignmentController',
                'userClassName' => 'app\models\User',
                'idField' => 'id_user', // id field of model User
                'usernameField' => 'login', // username field of model User
            ],
        ],
        //],
    ],
],

public function behaviors()
{
    return [
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'delete' => ['post'],
            ],
        ],
    ];
}

In the role "user" I deleted access to the routes of this controller, but when I click I can access them.

Please use the "code" tag.

Please be specific. What controller and what action?

Hi,

this is the action in my controller:

public function actionUpdate($id)
{
    if (Yii::$app->user->can('etab')) {
        // the $id from the URL is ignored: the record is looked up from the
        // user id stored in the session instead
        $isStudent = Yii::$app->session->get('user_id'); //echo $isStudent;
        $mode = FiliereEtab::find()->andWhere(['id_etab' => $isStudent])->one();
        $id = $mode->id_fil;
        $model = $this->findModel($id);

        if ($model->load(Yii::$app->request->post()) && $model->save()) {
            return $this->redirect(['view', 'id' => $model->id_fil]);
        } else {
            return $this->render('update', [
                'model' => $model,
            ]);
        }
    }

    // without this branch a user lacking 'etab' gets an empty 200 response
    // instead of a 403 (requires: use yii\web\ForbiddenHttpException;)
    throw new ForbiddenHttpException('You are not allowed to update this record.');
}

If the user doesn't have the etab role, he can't access this action.

But when I want to implement the route restriction, for example for the etab role I denied these routes:

/controller/*

/controller/update

but the user who has the etab role can access this route!
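The following is an added example, not code from this thread or from yii2-admin. It is a stand-alone PHP script that models the two decisions discussed in the posts above (the responder's advice about 'allowActions' and the route restriction the poster describes): first, an 'allowActions' entry ending in '*' matches the action id by prefix and skips RBAC entirely; second, a route permission is checked exactly, then each parent wildcard such as /filiere-etab/*, and finally /*, with any hit granting access. The role names, route permissions and the filiere-etab routes used as input are constructed for the demo and are not taken from anyone's database.

```php
<?php
// Added example (not code from this thread or from yii2-admin): a stand-alone
// model of how a route such as filiere-etab/update is authorized under the
// configuration discussed in the thread.
//   1. 'allowActions' of mdm\admin\components\AccessControl: an entry ending in
//      '*' matches by prefix, and a match bypasses the RBAC check entirely.
//   2. yii2-admin route permissions: the route is checked exactly, then each
//      parent wildcard (/filiere-etab/*), and finally /*; any hit grants access.
// Role layout and route permissions below are constructed for the demo.
declare(strict_types=1);

/** Mirrors allowActions matching: 'ctrl/*' is a prefix match, otherwise exact. */
function allowedForEveryone(string $actionId, array $allowActions): bool
{
    foreach ($allowActions as $route) {
        if (substr($route, -1) === '*') {
            $prefix = rtrim($route, '*');
            if ($prefix === '' || strpos($actionId, $prefix) === 0) {
                return true;
            }
        } elseif ($actionId === $route) {
            return true;
        }
    }
    return false;
}

/**
 * Resolves a route against the route permissions held by the user's roles and
 * returns the permission name that granted it, or null when it is denied.
 */
function grantingPermission(string $route, array $roles, array $roleRoutes): ?string
{
    $granted = [];
    foreach ($roles as $role) {
        $granted = array_merge($granted, $roleRoutes[$role] ?? []);
    }
    if (in_array($route, $granted, true)) {
        return $route;
    }
    // Walk up the hierarchy: /a/b/c -> /a/b/* -> /a/* (the loop stops at the root)
    $r = $route;
    while (($pos = strrpos($r, '/')) > 0) {
        $r = substr($r, 0, $pos);
        if (in_array($r . '/*', $granted, true)) {
            return $r . '/*';
        }
    }
    return in_array('/*', $granted, true) ? '/*' : null;
}

/** One-line verdict for an action id, in the order the filter applies the checks. */
function decide(string $actionId, array $roles, array $allowActions, array $roleRoutes): string
{
    if (allowedForEveryone($actionId, $allowActions)) {
        return "$actionId: ALLOWED by allowActions (roles never consulted)";
    }
    $perm = grantingPermission('/' . $actionId, $roles, $roleRoutes);
    return $perm === null
        ? "$actionId: DENIED (no route permission matched)"
        : "$actionId: ALLOWED by permission $perm";
}

// Constructed role layout: 'etab' still holds the controller wildcard, so
// removing only '/filiere-etab/update' from it changes nothing.
$roleRoutes = [
    'guest' => ['/site/login', '/site/index'],
    'etab'  => ['/filiere-etab/index', '/filiere-etab/view', '/filiere-etab/*'],
    'admin' => ['/*'],
];
$devAllow  = ['site/*', 'registration/*', 'admin/*', 'filiere-etab/*'];
$prodAllow = ['site/*', 'registration/*'];

// Development-style allowActions: the role assignment is never looked at.
echo decide('filiere-etab/update', ['etab'], $devAllow, $roleRoutes), PHP_EOL;

// Production-style allowActions: the controller wildcard on the role still grants update.
echo decide('filiere-etab/update', ['etab'], $prodAllow, $roleRoutes), PHP_EOL;

// Only once the wildcard is gone does the per-action permission decide.
$roleRoutes['etab'] = ['/filiere-etab/index', '/filiere-etab/view'];
echo decide('filiere-etab/update', ['etab'], $prodAllow, $roleRoutes), PHP_EOL;
echo decide('filiere-etab/view', ['etab'], $prodAllow, $roleRoutes), PHP_EOL;

// A user who also holds a role with '/*' is granted everything regardless.
echo decide('filiere-etab/update', ['etab', 'admin'], $prodAllow, $roleRoutes), PHP_EOL;
```

Run it with `php` on the command line. The point of the five cases is the order of checks: an 'allowActions' wildcard makes role assignments irrelevant for that controller, and after it is removed a deny on /filiere-etab/update is still overridden by /filiere-etab/* or /* held by any of the user's roles, so the route permissions of every role the user has (including ones inherited through the role hierarchy) have to be inspected, not just the one being edited.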

I have to repeat it again: PLEASE USE THE CODE TAG. I beg you, please.

I don't understand.

Do you want to allow the update action to the user with the 'etab' role, or do you want to deny it?

It's not the code tag, but the quotation tag.

You see the "<>" button on the toolbar of the editor, which has the "Insert code snippet" hint.

Anyway, I don't understand whether you want to allow it or not.