Yii2 REST queryparamauth with rules - php

As far as I know, simple authentication for REST works like in this guide:
public function behaviors()
{
    $behaviors = parent::behaviors();
    $behaviors['authenticator'] = [
        'class' => QueryParamAuth::className(),
    ];
    return $behaviors;
}
But I want to provide some rules to handle guest access, like the access control from the authorization guide, like this:
$behaviors['access'] = [
    'class' => AccessControl::className(),
    'rules' => [
        // allow guests
        [
            'allow' => true,
            'actions' => ['some-action'],
            'roles' => ['?'],
        ],
        // allow authenticated users
        [
            'allow' => true,
            'roles' => ['@'],
        ],
        // everything else is denied
    ],
];
If I access some_guest_action as a guest without an access-token, it works fine,
but if I access it with an access-token, Yii::$app->user->getId() always returns null.
My complete code is like this:
public function behaviors()
{
    $behaviors = parent::behaviors();
    $behavior['authenticator'] = [
        'class' => QueryParamAuth::className(),
    ];
    $behaviors['access'] = [
        'class' => AccessControl::className(),
        'rules' => [
            // allow guests
            [
                'allow' => true,
                'actions' => ['some-action'],
                'roles' => ['?'],
            ],
            // allow authenticated users
            [
                'allow' => true,
                'roles' => ['@'],
            ],
            // everything else is denied
        ],
    ];
    return $behaviors;
}
public function actionSomeAction()
{
    return Yii::$app->user->getId();
}
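As an added example (not the original poster's code), here is the same controller with the authenticator registered under the returned `$behaviors` array (the posted code writes it to `$behavior`, singular, so it is never returned), placed ahead of the access filter, and marked `optional` for the guest action; the controller name is assumed.

```php
<?php
// Added example (not from the original post): a REST controller that
// authenticates by access token but still serves one action to guests.
namespace app\controllers;

use Yii;
use yii\rest\Controller;
use yii\filters\AccessControl;
use yii\filters\auth\QueryParamAuth;

class ProfileController extends Controller   // hypothetical controller name
{
    public function behaviors()
    {
        $behaviors = parent::behaviors();

        // Authenticator first: filters run in array order, and the access
        // filter must see an already-populated Yii::$app->user.
        $behaviors['authenticator'] = [
            'class' => QueryParamAuth::className(),
            'tokenParam' => 'access-token',
            // Guests may call this action with no token at all; a token that
            // is sent is still checked, and an invalid one still yields 401.
            'optional' => ['some-action'],
        ];

        $behaviors['access'] = [
            'class' => AccessControl::className(),
            'rules' => [
                // allow guests
                ['allow' => true, 'actions' => ['some-action'], 'roles' => ['?']],
                // allow authenticated users
                ['allow' => true, 'roles' => ['@']],
                // everything else (guests on any other action) is denied
            ],
        ];
        return $behaviors;
    }

    public function actionSomeAction()
    {
        // null for a guest, the identity's id when a valid token was sent
        return ['user_id' => Yii::$app->user->getId()];
    }
}
```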

Related

yii2: how to set Access-Control-Allow-Origin header

I have this yii2 controller where I want to set the Access-Control-Allow-Origin: * header:
class DoctorController extends ActiveController
{
    public $modelClass = 'api\modules\v1\models\Doctor';

    public function behaviors()
    {
        $behaviors = parent::behaviors();
        $behaviors['access'] = [
            'class' => \yii\filters\AccessControl::className(),
            'rules' => [
                [
                    // All actions
                    'allow' => true,
                    'actions' => ['index', 'view'],
                ],
            ],
        ];
        return $behaviors;
    }
}
Please Help!
You may use this simple code:
header('Access-Control-Allow-Origin: *');
It may be added to one of your controller's actions, or to beforeAction() of your controller, or wherever else fits (at your discretion, according to the logic/architecture of your application).
https://www.yiiframework.com/doc/api/2.0/yii-base-controller#beforeAction()-detail
I have solved it by updating the behaviors() function:
public function behaviors()
{
    $behaviors = parent::behaviors();
    $behaviors['corsFilter'] = [
        'class' => \yii\filters\Cors::className(),
        'cors' => [
            'Origin' => ['*'],
            'Access-Control-Request-Method' => ['GET'], // add more
            'Access-Control-Request-Headers' => ['*'],
            'Access-Control-Allow-Credentials' => null,
            'Access-Control-Max-Age' => 86400,
        ],
    ];
    $behaviors['access'] = [
        'class' => \yii\filters\AccessControl::className(),
        'rules' => [
            [
                // All actions
                'allow' => true,
                'actions' => ['index', 'view'], // add more
            ],
        ],
    ];
    return $behaviors;
}
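As an added example (not the answerer's code), the same Cors filter with an explicit origin allowlist instead of `*`, inserted ahead of the authenticator that yii\rest\ActiveController already registers in parent::behaviors(), so that browser preflight OPTIONS requests are not answered with 401; the origin and header names are assumed values.

```php
<?php
// Added example (not from the original post): Cors filter with an origin
// allowlist, ordered before the parent ActiveController's authenticator.
// The origin and header names below are assumed values.
namespace api\modules\v1\controllers;

use yii\filters\AccessControl;
use yii\filters\Cors;
use yii\rest\ActiveController;

class DoctorController extends ActiveController
{
    public $modelClass = 'api\modules\v1\models\Doctor';

    public function behaviors()
    {
        $behaviors = parent::behaviors();

        // Take the authenticator out so corsFilter is inserted ahead of it:
        // preflight OPTIONS requests carry no token and must not get a 401.
        $auth = $behaviors['authenticator'];
        unset($behaviors['authenticator']);

        $behaviors['corsFilter'] = [
            'class' => Cors::className(),
            'cors' => [
                // Exact origins only: '*' combined with credentials is refused
                // by browsers, and a wildcard would let any site read responses.
                'Origin' => ['https://app.example.com'],
                'Access-Control-Request-Method' => ['GET', 'OPTIONS'],
                'Access-Control-Request-Headers' => ['Authorization', 'Content-Type'],
                'Access-Control-Allow-Credentials' => true,
                'Access-Control-Max-Age' => 3600,
            ],
        ];

        $behaviors['authenticator'] = $auth;
        $behaviors['authenticator']['except'] = ['options']; // skip auth for preflight

        $behaviors['access'] = [
            'class' => AccessControl::className(),
            'rules' => [
                ['allow' => true, 'actions' => ['index', 'view']],
            ],
        ];
        return $behaviors;
    }
}
```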

Yii2. dektrium/user. Custom controller action redirects to the login page

Problem
Every custom action redirects back to the login page.
My code
I've extended my custom controller from the dektrium\user\controllers\RegistrationController
My web.php:
'urlManager' => [
    'enablePrettyUrl' => true,
    'showScriptName' => false,
    'rules' => [
    ],
],
...
'modules' => [
    'user' => [
        'class' => 'dektrium\user\Module',
        'controllerMap' => [
            'registration' => 'app\controllers\user\RegistrationController'
        ],
    ],
],
Custom controller:
namespace app\controllers\user;

use dektrium\user\controllers\RegistrationController as BaseAdminController;

class RegistrationController extends BaseAdminController
{
    public function actionPlan()
    {
        echo 'Test';
    }
}
Overridden methods work fine, but each custom action (site.com/user/registration/plan) redirects back to the login page.
If you want to change the access control rules you should change them properly, e.g. in your site controller add plan to the rules accessible without authentication:
class SiteController extends Controller
{
    /**
     * @inheritdoc
     */
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'actions' => ['login', 'plan', 'error'],
                        'allow' => true,
                    ],
                    [
                        'actions' => ['logout', 'index'],
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
            ],
            'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    'logout' => ['post'],
                ],
            ],
        ];
    }
}
See this for more: http://www.yiiframework.com/doc-2.0/guide-security-authorization.html
http://www.yiiframework.com/doc-2.0/yii-filters-accesscontrol.html
Another implementation:
class SiteController extends Controller
{
    /**
     * @inheritdoc
     */
    public function behaviors()
    {
        $behaviors = [
            'access' => [
                'rules' => [
                    [
                        'actions' => ['login', 'plan', 'error'],
                        'allow' => true,
                    ],
                ],
            ],
        ];
        return ArrayHelper::merge($behaviors, parent::behaviors());
    }
}

How to change access controller redirect/login URL in Yii2?

I have two login systems in my Yii2 application. First is default login system using User table, and second uses sms_account table. In custom controller I've created action for login, actionLogin(). I've added access control for my custom controller, but I'm having problem that when a person is not logged in, it redirects to site/login. I want to change redirect to custom-controller/login URL in Yii2 access control. My code is:
public function behaviors()
{
    return [
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'delete' => ['post'],
            ],
        ],
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['login'],
                    'allow' => false,
                    'roles' => ['@'],
                ],
                [
                    'actions' => ['home'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
    ];
}
Can anyone tell me how to change access control URL?
You should simply configure your user component:
'user' => [
    // ...
    'loginUrl' => ['custom-controller/login'],
],
Read more about yii\web\User::$loginUrl.
And it should be:
[
    'actions' => ['login'],
    'allow' => true,
    'roles' => ['?'],
],
Read more about Authorization in Yii2.
This is my updated answer. I think it helps you:
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'only' => ['index', 'logout', 'client-create'], // your own actions which require login
            'rules' => [
                [
                    'actions' => ['index', 'logout', 'client-create'], // your own actions which require login
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
            'denyCallback' => function ($rule, $action) {
                Yii::$app->response->redirect(['login/login']);
            },
        ],
    ];
}
Try this code.
Note: roles
[
    'actions' => ['home'],
    'allow' => true,
    'roles' => ['?'],
    'matchCallback' => function ($rule, $action) {
        return $this->redirect('index.php?r=controller/action');
    }
]

Yii2 Advanced Template: Adding stand-alone web pages

I added help.php under backend/views/site and declared an action in SiteController.php so that the link is recognized:
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['login', 'error'],
                    'allow' => true,
                ],
                [
                    'actions' => ['logout', 'index'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'logout' => ['post'],
            ],
        ],
    ];
}
public function actionHelp()
{
    return $this->render('help');
}
The link is now accessible but it gives me an error:
Forbidden (#403), and it says "You are not allowed to perform this action."
Now I would like to ask how I will be able to view the web pages that I've created. Thanks in advance.
The problem is related to the AccessControl filter.
You can add the help action to the list of allowed actions, for example like this:
[
    'actions' => ['login', 'error', 'help'],
    'allow' => true,
],
You can read more and check how access rules are applied in the corresponding documentation section.

How to set flash message in Yii2 after denied access to controller

How to set a flash message in Yii2 after access to a controller is denied?
Here is how access is denied (http://www.yiiframework.com/doc-2.0/yii-filters-accesscontrol.html):
public function behaviors()
{
    return [
        'access' => [
            'class' => \yii\filters\AccessControl::className(),
            'only' => ['create', 'update'],
            'rules' => [
                // deny all POST requests
                [
                    'allow' => false,
                    'verbs' => ['POST'],
                ],
                // allow authenticated users
                [
                    'allow' => true,
                    'roles' => ['@'],
                ],
                // everything else is denied
            ],
        ],
    ];
}
After this it redirects to site/login. How can I add a flash message there, like "This section is only for registered users"?
Could you try adding a callback for denial? I hope this works:
public function behaviors()
{
    return [
        'access' => [
            'class' => \yii\filters\AccessControl::className(),
            'only' => ['create', 'update'],
            'rules' => [
                // deny all POST requests
                [
                    'allow' => false,
                    'verbs' => ['POST'],
                ],
                // allow authenticated users
                [
                    'allow' => true,
                    'roles' => ['@'],
                ],
                // everything else is denied
            ],
            'denyCallback' => function ($rule, $action) {
                Yii::$app->session->setFlash('error', 'This section is only for registered users.');
                Yii::$app->user->loginRequired();
            },
        ],
    ];
}
Also you can add denyCallback to each rule:
[
    'allow' => false,
    'roles' => ['@'],
    'denyCallback' => function ($rule, $action) {
        // callback logic
    }
]
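As an added example (not the answerer's code), a denyCallback that separates the two denial cases: a guest gets the flash message and the login redirect, while an already authenticated user who is still denied gets a 403 instead of being bounced to the login page; the controller name is assumed.

```php
<?php
// Added example (not from the original post): one denyCallback that
// distinguishes "not logged in" from "logged in but not permitted".
namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;

class PostController extends Controller   // hypothetical controller name
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'only' => ['create', 'update'],
                'rules' => [
                    // deny all POST requests
                    ['allow' => false, 'verbs' => ['POST']],
                    // allow authenticated users
                    ['allow' => true, 'roles' => ['@']],
                    // everything else is denied
                ],
                'denyCallback' => function ($rule, $action) {
                    if (Yii::$app->user->isGuest) {
                        Yii::$app->session->setFlash('error',
                            'This section is only for registered users.');
                        // Redirects to user->loginUrl and records the return
                        // URL; AccessControl then stops the action.
                        Yii::$app->user->loginRequired();
                        return;
                    }
                    // Authenticated but denied (e.g. by the POST rule, or no
                    // rule matched, in which case $rule is null): plain 403.
                    throw new ForbiddenHttpException(
                        'You are not allowed to perform this action.');
                },
            ],
        ];
    }
}
```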
