Controller / Action for guest users (Does not require authentication) using Yii2-user - yii2

I am using Yii2 (basic) and Yii2-user for a website with users. For most actions it's necessary to be authenticated. How could I make a controller / action accessible as a guest?
I have tried things like this in the guest's controller:
'rules' => [
    [
        'allow' => true,
        'actions' => ['index', 'confirm', 'download-form', 'upload-form'],
    ]
],
And this should be enough, but nope. I suspect that it is the Yii2-user module that gets in the way and always redirects me to login.
And I have added the module in the web.php configuration like this:
'components' => [
    ...
    ...
    'user' => [
        'class' => 'nkostadinov\user\components\User',
        'identityClass' => 'nkostadinov\user\models\User',
        'enableConfirmation' => false,
        'as firstLoginPolicy' => [
            'class' => 'nkostadinov\user\behaviors\FirstLoginPolicyBehavior'
        ],
    ],
],
Any idea?

I have solved it as follows.
In my web.php configuration I had this:
'modules' => [
    ...
],
'as access' => [
    'class' => \yii\filters\AccessControl::className(),//AccessControl::className(),
    'rules' => [
        [
            'actions' => ['login', 'error', 'request', 'change-password'],
            'allow' => true,
            'roles' => ['?']
        ],
        [
            //'actions' => ['logout', 'index'], // add all actions to take guest to login page
            'allow' => true,
            'roles' => ['@'],
        ],
    ],
],
'params' => [ ... ]
So, I have added this new rule to grant guest users access to all actions of this controller:
[
    'controllers' => ['mymodule/my-controller'],
    'allow' => true,
],
And that's it.
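A fuller version of the application-wide filter from this answer, written as an added example (it is not the asker's config and not part of Yii2-user): guests get an explicit allow-list of actions instead of a whole controller, there is no catch-all allow, and every denial is logged before the default response is applied. The module, controller and action names are the ones from the question; 'captcha' is included because the login form may use it, and the 'access' log category is an assumption.

```php
<?php
// config/web.php (added example). 'mymodule/my-controller' and its actions come from the question.
return [
    'components' => [ /* 'user' => [...] as in the question */ ],
    'modules'    => [ /* ... */ ],
    'as access' => [
        'class' => \yii\filters\AccessControl::class,
        // The first matching rule decides, so the specific allows come first and there is
        // no catch-all allow at the end: a request that matches nothing is denied.
        'rules' => [
            // What a guest needs in order to log in. 'error' (and 'captcha', if the login form
            // uses it) must be allowed too, otherwise the error page itself is denied.
            [
                'controllers' => ['site'],
                'actions' => ['login', 'error', 'captcha', 'request', 'change-password'],
                'allow' => true,
                'roles' => ['?'],
            ],
            // The public actions of the module, listed by name instead of opening the whole
            // controller; '@' is listed as well so logged-in users can still reach them.
            [
                'controllers' => ['mymodule/my-controller'],
                'actions' => ['index', 'confirm', 'download-form', 'upload-form'],
                'allow' => true,
                'roles' => ['?', '@'],
            ],
            // Everything else requires an authenticated user.
            [
                'allow' => true,
                'roles' => ['@'],
            ],
        ],
        // Record every denial (category 'access' is assumed), then do what AccessControl
        // does by default: send guests to the login page, give logged-in users a 403.
        'denyCallback' => function ($rule, $action) {
            Yii::warning(sprintf(
                'access denied: route=%s user=%s ip=%s',
                $action->getUniqueId(),
                Yii::$app->user->isGuest ? 'guest' : Yii::$app->user->id,
                Yii::$app->request->userIP
            ), 'access');
            if (Yii::$app->user->isGuest) {
                Yii::$app->user->loginRequired(); // redirect to loginUrl, remember return URL
                return;
            }
            throw new \yii\web\ForbiddenHttpException('You are not allowed to perform this action.');
        },
    ],
];
```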

I suggest you use mdmsoft/yii2-admin for authentication.

Related

Access code not working for checking if a user has permission - RBAC Yii2

I have a problem verifying the permissions that a user has on the actions (e.g. index, create, update, etc.) within the controller. I use the following code to verify the permissions that the user has:
My Controller:
backend/modules/content/controllers/ArticleController.php
$behaviors['access'] = [
    'class' => AccessControl::className(),
    'rules' => [
        [
            'allow' => true,
            'roles' => ['@'],
            'matchCallback' => function ($rule, $action) {
                $module = Yii::$app->controller->module->id;
                $action = Yii::$app->controller->action->id;
                $controller = Yii::$app->controller->id;
                $route = "$module/$controller/$action";
                $post = Yii::$app->request->post();
                if (\Yii::$app->user->can($route)) {
                    return true;
                }
                return false; // the callback must return a bool
            }
        ]
    ]
];
With this code I get the route (e.g. content/article/index), which is validated to know whether the user has the permission.
Update
I have noticed that the problem is generated in 'as globalAccess' (backend/config/web.php). When I deactivate the global access it can validate the permissions, but when I have global access all users have full access, and disabling it brings other problems.
'as globalAccess' => [
    'class' => common\behaviors\GlobalAccessBehavior::class,
    'rules' => [
        [
            'controllers' => ['sign-in'],
            'allow' => true,
            'roles' => ['?'],
            'actions' => ['login'],
        ],
        [
            'controllers' => ['sign-in'],
            'allow' => true,
            'roles' => ['@'],
            'actions' => ['logout'],
        ],
        [
            'controllers' => ['site'],
            'allow' => true,
            'roles' => ['?', '@'],
            'actions' => ['error'],
        ],
        [
            'controllers' => ['debug/default'],
            'allow' => true,
            'roles' => ['@'],
        ],
        [
            'allow' => true,
            'roles' => ['@'],
        ],
    ],
],
The problem is that the validation does not work. The only way it works is to add a rule in global access that allows me to grant permissions to roles, but it would be the default:
[
    'controllers' => ['article'],
    'allow' => true,
    'roles' => ['administrator'],
],
[
    'controllers' => ['article'],
    'allow' => false,
],
or add the function Yii::$app->user->can(..) in each action:
if (\Yii::$app->user->can('content/article/index')) {
    // ... index code ...
} else {
    throw new ForbiddenHttpException();
}
In the ideal case, you don't have to add the function Yii::$app->user->can(..) to each action or add a default rule in global access. I hope you can support me.

How to prohibit calling of actions based upon user login status in yii2?

I want to call some actions only when user is logged in.
How to do it without checking the user login status every time?
You will need to add a behaviors() method to your controller such as:
public function behaviors()
{
    return [
        'access' => [
            'class' => \yii\filters\AccessControl::className(),
            'only' => ['login', 'logout', 'signup'],
            'rules' => [
                [
                    'allow' => true,
                    'actions' => ['login', 'signup'],
                    'roles' => ['?'],
                ],
                [
                    'allow' => true,
                    'actions' => ['logout'],
                    'roles' => ['@'],
                ],
            ],
        ],
    ];
}
The roles defined above are @ for all users that are logged in and ? for all users that aren't logged in. In your case you will be interested in setting the role to @.
You can of course replace these with any rbac roles/permissions.
Here's more information on authorization from the Yii2 guide

Using access control in yii2

I am using access control to allow the access to only authenticated users.
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'only' => ['display'],
            'rules' => [
                // allow authenticated users
                [
                    'allow' => true,
                    'roles' => ['@'],
                    'matchCallback' => function ($rule, $action) {
                        return $this->redirect(Yii::$app->request->baseUrl.'/site/login');
                    }],
            ],
        ],
    ];
}
public function actionDisplay()
{
    echo "display";
}
When I try to access the display action while not logged in, I am redirected to the login page. But when I try to access the display action even when logged in, it redirects to the index page. What am I doing wrong?
Add 'actions' => ['display'], like below:
'rules' => [
    // allow authenticated users
    [
        'actions' => ['display'],
        'allow' => true,
        'roles' => ['@'],
        'matchCallback' => function ($rule, $action) {
            return $this->redirect(Yii::$app->request->baseUrl.'/site/login');
        }],
],
Normally it works for me.
Nothing was wrong with the code, just the 'matchCallback', which is called for the authenticated user too and redirects to login, which eventually redirects to index if logged in.
Removing the 'matchCallback' solved it.
'rules' => [
    [
        'allow' => true,
        'roles' => ['@'],
    ],
],
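The RBAC question above (the ArticleController whose matchCallback builds the route) and this one both turn on what matchCallback is for. The controller below is an added example, not code from either post: the callback only decides, returning a plain bool, and grants an action when the logged-in user holds an RBAC permission named after the route. The namespace and the route-to-permission naming (exact route first, then a controller-wide 'content/article/*') are assumptions.

```php
<?php
namespace app\modules\content\controllers; // assumed namespace

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;

class ArticleController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                // No 'only' key: every action of this controller passes through the filter.
                'rules' => [
                    [
                        'allow' => true,
                        'roles' => ['@'],
                        // matchCallback only answers "does this rule apply?". It must return a
                        // bool and never redirect or render: a Response object is truthy, so a
                        // redirect returned from here would allow the action, not block it.
                        'matchCallback' => function ($rule, $action) {
                            return static::routePermitted($action->getUniqueId());
                        },
                    ],
                    // No catch-all allow rule: a request matching nothing above is denied
                    // (guests are sent to login, logged-in users get a 403).
                ],
            ],
        ];
    }

    /**
     * Assumed naming: RBAC permissions mirror routes, either the exact route
     * ("content/article/update") or a controller-wide wildcard ("content/article/*").
     */
    public static function routePermitted($route)
    {
        $user = Yii::$app->user;
        if ($user->can($route)) {
            return true;
        }
        $slash = strrpos($route, '/');
        return $slash !== false && $user->can(substr($route, 0, $slash) . '/*');
    }

    public function actionIndex()
    {
        return $this->render('index'); // only reached when the filter allowed the request
    }
}
```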

Forbidden (#403) - You are not allowed to perform this action?

These are the backend SiteController.php access rules. When I go to this URL, site.com/backend/web/site/login, it shows Forbidden (#403).
return [
    'access' => [
        'class' => AccessControl::className(),
        'rules' => [
            [
                'actions' => ['login', 'error'],
                'allow' => true,
            ],
            [
                'actions' => ['logout', 'index', 'addhotels'],
                'allow' => true,
                'roles' => ['@'],
            ],
        ],
    ],
    'verbs' => [
        'class' => VerbFilter::className(),
        'actions' => [
            'logout' => ['post'],
        ],
    ],
];
An Error occurred while handling another error: exception
'yii\web\ForbiddenHttpException' with message 'You are not allowed to
perform this action.' in
C:\wamp\www\k\kometonline\vendor\yiisoft\yii2\filters\AccessControl.php:151
I was getting this error too and found this page through Google, so hopefully this will help other people.
The error happens because you've added access control, but you also need to explicitly allow the 'error' action in the site controller, otherwise you'll get the same error. It's not immediately obvious because there isn't an action for it. Also add the 'captcha' action, or you'll get the same problem with that.
In your site controller:
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['register','login'],
                    'allow' => true,
                    'roles' => ['?'],
                ],
                [
                    'actions' => ['logout'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
                [
                    //see captcha and error added here, this fixes the issue
                    'actions' => ['contact', 'about', 'terms', 'forgot', 'reset-password', 'captcha', 'error'],
                    'allow' => true,
                    'roles' => ['?', '@'],
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'logout' => ['post'],
            ],
        ],
    ];
}
You need to remove the login action from the AccessControl list, or add ? as the role for guest users in AccessControl.
For example,
return [
    'access' => [
        'class' => AccessControl::className(),
        'rules' => [
            [
                'actions' => ['login', 'error'],
                'allow' => true,
                'roles' => ['?'], // " ? " for guest user
            ],
            [
                'actions' => ['logout', 'index', 'addhotels'],
                'allow' => true,
                'roles' => ['@'],
            ],
        ],
    ],
    'verbs' => [
        'class' => VerbFilter::className(),
        'actions' => [
            'logout' => ['post'],
        ],
    ],
];
I would also like to know how to allow non-logged-in users to not receive the Forbidden error in the backend. I am simply trying to renderPartial a test view with a single <h1>Test</h1> and I receive the Forbidden error.
Maybe you are already logged in as a user while trying to access the login page. This will throw a ForbiddenHttpException. Or you can customize this behavior by configuring the denyCallback property:
[
    'class' => AccessControl::className(),
    'rules' => [...],
    'denyCallback' => function ($rule, $action) {
        //Add your error handler here
        throw new \Exception('You are not allowed to access this page');
    }
]
See the official guide/documentation here.

Using Yii2 frontend user signup in the backend

In Yii2 advanced template, they have the signup components for new users in the frontend.
I want to put that signup process into the /backend so that only admin users can create other new users.
So in moving SignupForm and the signup view, and adding the Signup action to backend/SiteController, I'm getting a 403 error "You are not allowed to perform this action".
Has anyone been able to put the signup process into the backend of the advanced template in Yii2?
What I want to do is have admin users create the new user and give the login details to the external party. The external party would then be advised to run the Password Reset, in order to set their own password. But effectively, it's locking down the registration/signup process.
There's nothing that should stop you from making this work, but you will need to change a few things along the way.
First off, I guess your error message comes from the AccessControl that the backend SiteController has:
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['login', 'error'],
                    'allow' => true,
                ],
                [
                    'actions' => ['logout', 'index'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'logout' => ['post'],
            ],
        ],
    ];
}
Change this to:
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['login', 'error'],
                    'allow' => true,
                ],
                [
                    'actions' => ['logout', 'index', 'signup'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'logout' => ['post'],
            ],
        ],
    ];
}
Or else this will result in the error message:
Forbidden (#403)
You are not allowed to perform this action.
Remember that the signup function is made for guests registering, and that out of the box it automatically logs the user in when the account is created.
You have to remove this feature, and you might encounter some other bugs along the way.
Good Luck.
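An added example of the two changes the answer describes, not code from the advanced template or from the answer: the signup action is tied to an RBAC role rather than to any logged-in backend user, and the frontend's automatic login after creation is left out so the administrator's session is not replaced by the new account. The 'admin' role name, the backend\models\SignupForm location and signup() returning the saved User are assumptions.

```php
<?php
namespace backend\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;
use backend\models\SignupForm; // the frontend SignupForm, assumed copied to the backend

class SiteController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    ['actions' => ['login', 'error'], 'allow' => true],
                    ['actions' => ['logout', 'index'], 'allow' => true, 'roles' => ['@']],
                    // Account creation is granted to an RBAC role (assumed to be named 'admin'),
                    // not to "any logged-in backend user" as a plain '@' rule would.
                    ['actions' => ['signup'], 'allow' => true, 'roles' => ['admin']],
                ],
            ],
        ];
    }

    public function actionSignup()
    {
        $model = new SignupForm();
        if ($model->load(Yii::$app->request->post()) && $model->validate()) {
            // Assumed: signup() saves the User and returns it. The frontend action then calls
            // Yii::$app->user->login($user); in the backend that would swap the administrator's
            // session for the new account's, so the new user is only saved, never logged in.
            if ($model->signup()) {
                Yii::$app->session->setFlash('success', 'Account created; hand over the login details and ask the user to run Password Reset.');
                return $this->redirect(['index']);
            }
        }
        return $this->render('signup', ['model' => $model]);
    }
}
```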