Yii2 require all Controller and Action to login
Place this rule in the beginning of the rules section:

    [
        'allow' => true,
        'roles' => ['@'],
    ],

Omitting the actions means all actions.

So your AccessControl config will be like this:

    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                    // ...
                ],
            ],
        ];
    }

Keep in mind that rules are applied in the order they are declared.
To do it globally without inheritance, add the as beforeRequest array below (not inside!) the components declaration in your application config:

    'components' => [ ... ],
    'as beforeRequest' => [
        'class' => 'yii\filters\AccessControl',
        'rules' => [
            [
                'allow' => true,
                'actions' => ['login'],
            ],
            [
                'allow' => true,
                'roles' => ['@'],
            ],
        ],
        'denyCallback' => function () {
            return Yii::$app->response->redirect(['site/login']);
        },
    ],

This code will run before each request and block all actions except login for guests.

Make sure that there is no login action in other controllers than SiteController. If there are (and for example they are for different purposes), block them explicitly in the corresponding controllers. But it's a pretty rare case.
Yii2: do not redirect to login for a certain action in controller
You are applying the AccessControl filter twice.

The first filter is set for the Application, so it is applied to each request with the following rules:
- If the action id is "login" or "error", allow any user.
- Allow logged-in users.
- Deny any other request.

The second filter is for MyCustomController and it's set to apply only to requests to the action live of that controller, with the following rules:
- Allow any user who is not logged in.
- Deny any other request.

So when a request comes from a user who is logged in, the request is stopped by the second filter and the 403 error is displayed.
When a request comes from a guest user, it is stopped by the first filter and the user is redirected to the login page.

To allow guests to access your action, you should add an exception to the first filter to make sure only the second AccessControl filter is applied:

    return [
        // ...
        'as beforeRequest' => [
            'class' => 'yii\filters\AccessControl',
            'except' => ['my-custom/live'],
            'rules' => [
                [
                    'actions' => ['login', 'error'],
                    'allow' => true,
                ],
                [
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
        // ...
    ];

Actually, if you are OK with allowing any user to see my-custom/live, there is no need for the second AccessControl filter. Just setting the exception in the first (application-wide) filter will be enough.
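
The two-filter interaction described in the answer above, together with the earlier answer's warning about login actions in other controllers, as a standalone PHP model (an added example, not part of the original answers and not Yii's source code). The function names ruleMatches, checkFilter and request and the admin/login route are hypothetical, and only the actions, roles, allow and except settings are modelled.

```php
<?php
// Simplified model of AccessControl rule evaluation (assumption: not Yii's own code).

function ruleMatches(array $rule, string $action, bool $isGuest): bool
{
    // An empty 'actions' or 'roles' list means "any action" / "any user".
    return (empty($rule['actions']) || in_array($action, $rule['actions'], true))
        && (empty($rule['roles']) || in_array($isGuest ? '?' : '@', $rule['roles'], true));
}

// Outcome of one filter: 'allow', 'login' (guest denied) or '403' (logged-in user denied).
function checkFilter(array $filter, string $route, bool $isGuest): string
{
    if (in_array($route, $filter['except'] ?? [], true)) {
        return 'allow'; // the filter is skipped entirely for excepted routes
    }
    $action = substr($route, strrpos($route, '/') + 1); // route is "controller/action"
    foreach ($filter['rules'] as $rule) {
        if (ruleMatches($rule, $action, $isGuest)) {
            // The first matching rule decides; later rules are never consulted.
            return $rule['allow'] ? 'allow' : ($isGuest ? 'login' : '403');
        }
    }
    return $isGuest ? 'login' : '403'; // no rule matched: denied by default
}

// Filters run in order (application, then controller); the first denial ends the request.
function request(array $filters, string $route, bool $isGuest): string
{
    foreach ($filters as $filter) {
        if (($result = checkFilter($filter, $route, $isGuest)) !== 'allow') {
            return $result;
        }
    }
    return 'allow';
}

$app = ['rules' => [
    ['allow' => true, 'actions' => ['login', 'error']],
    ['allow' => true, 'roles' => ['@']],
]];
$live = ['rules' => [['allow' => true, 'roles' => ['?']]]]; // controller filter on "live"
$fixed = $app + ['except' => ['my-custom/live']];

foreach ([[true, 'guest'], [false, 'user']] as [$guest, $who]) {
    echo "$who, without except: ", request([$app, $live], 'my-custom/live', $guest), "\n";
    echo "$who, with except:    ", request([$fixed, $live], 'my-custom/live', $guest), "\n";
}
echo "guest on admin/login: ", request([$app], 'admin/login', true), "\n";
```

The last line exercises the action-ID-only match: the application-wide login rule carries no controller restriction, so it applies to a login action in any controller.
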
Controller / Action for guest users (Does not require authentication) using Yii2-user
I have solved it as follows.
In my web.php configuration I had this:

    'modules' => [
        // ...
    ],
    'as access' => [
        'class' => \yii\filters\AccessControl::className(), // AccessControl::className(),
        'rules' => [
            [
                'actions' => ['login', 'error', 'request', 'change-password'],
                'allow' => true,
                'roles' => ['?'],
            ],
            [
                //'actions' => ['logout', 'index'], // add all actions to take guest to login page
                'allow' => true,
                'roles' => ['@'],
            ],
        ],
    ],
    'params' => [ ... ]

So, I have added this new rule to grant guest users access to all actions of this controller:

    [
        'controllers' => ['mymodule/my-controller'],
        'allow' => true,
    ],

And that's it.
All Yii2 controller not allow action without login or guest must need login
You need to add the code below in common/main.php after the components part.

    // If a guest user accesses the site, redirect to the login page.
    'as beforeRequest' => [
        'class' => 'yii\filters\AccessControl',
        'rules' => [
            [
                'actions' => ['login', 'error'],
                'allow' => true,
            ],
            [
                'allow' => true,
                'roles' => ['@'],
            ],
        ],
    ],

Yii2 Allow access to only specific controllers and restrict access to other controller
There are a few types of configurations:

1) Block access to the whole app (aka backend) with the main config:

    // ../config/main.php
    return [
        // ...
        'components' => [
            // ...
        ],
        'as access' => [
            'class' => yii\filters\AccessControl::class,
            'except' => ['site/error', 'site/login', 'site/logout'],
            'rules' => [
                ['allow' => true, 'roles' => ['@']],
            ],
        ],
    ];

2) Block access to specific controllers by extending an abstract controller class:

    use yii\filters\AccessControl;
    use yii\web\Controller;

    /**
     * AbstractSecured controller
     */
    abstract class AbstractSecuredController extends Controller
    {
        /**
         * {@inheritdoc}
         */
        public function behaviors()
        {
            return [
                'access' => [
                    'class' => AccessControl::class,
                    // ...
                    // rules
                ]
            ];
        }
    }

Now you can extend this controller in your controllers:

    use yii\helpers\ArrayHelper;

    /**
     * MyNonPublic controller
     */
    class MyNonPublicController extends AbstractSecuredController
    {
        /**
         * {@inheritdoc}
         */
        public function behaviors()
        {
            return ArrayHelper::merge(
                parent::behaviors(),
                [
                    // ...
                    // controller specific behaviors
                    // you can even rewrite access behavior config
                ]
            );
        }
    }

3) You can also configure ACL
Yii - Allow access to every actions in all controllers to authenticated user
Just omit the actions part from the rules, as stated here