I would like to restrict access to a controller to only one IP (or an IP list).
What is the right way to configure?
(Example, I would like only IP 172.19.37.175 to have access to index.php?r=painel/restrict).
I tried this way:
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::classname(),
'only' => ['index'],
'rules' => [
[
'allow' => true,
'roles' => ['?'],
'ips' => ['172.19.37.175'],
],
],
'denyCallback' => function ($rule, $action) {
throw new \Exception('You are not allowed to access this page');
}
],
'verbs' => [
'class' => VerbFilter::className(),
'actions' => [
'delete' => ['post'],
],
],
];
}
change
'roles' => ['?']
to
'roles' => ['#']
Related
i have two type of user in my project.
1.user
2.admin
i defined module for each one of them.
module name for user = users/default/login
module name for admin = adclash/default/login
when i login with adclash/default/login i should have access only to all adclash controllers but also i have access to all controllers in another module(users) to.(if i login with adclash when i shouldnt have access to users module)
whats wrong?
define my users in web.php :
'user'=>[
'class'=>'yii\web\User',
'identityClass' => 'app\models\User',
'enableAutoLogin' => false,
'authTimeout' => 60*60,
'loginUrl' => ['users/default/login'],
'identityCookie' => [
'name' => '_panelUser',
]
],
'admin'=>[
'class'=>'yii\web\User',
'identityClass' => 'app\models\Admin',
'enableAutoLogin' => false,
'authTimeout' => 60*30,
'loginUrl' => ['adclash/default/login'],
'identityCookie' => [
'name' => '_panelAdmin',
]
],
and this my defaultControllers source:
adclah module:
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(),
'user'=>'admin', // this user object defined in web.php
'rules' => [
[
'actions' => ['login', 'error'],
'allow' => true,
],
[
'allow' => true,
'roles' => ['#'],
],
],
],
];
}
users module:
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(),
'user'=>'user', // this user object defined in web.php
'rules' => [
[
'actions' => ['login', 'error','signup'],
'allow' => true,
],
[
'allow' => true,
'roles' => ['#'],
],
],
],
];
}
I have AdminController with behavior:
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(),
'rules' => [
[
'actions' => ['login'],
'allow' => true,
'roles' => ['*'],
],
[
'actions' => ['index', 'logout'],
'allow' => true,
'roles' => ['admin', 'editor', 'expert'],
],
[
'actions' => ['update', 'delete'],
'allow' => true,
'roles' => ['admin'],
]
]
],
'verbs' => [
'class' => VerbFilter::className(),
'actions' => [
'logout' => ['get'],
],
],
];
}
Then i create child controllers for:
default controller
inf-courses controller
and other
How can i use rules on parent (AdminController) then its working?
If i add similar rules in deafult it works, but globally not.
P.S. I do admin panel and want next:
- any one can try to login
- access to admin pane: ['admin', 'editor', 'expert']
- logout can only ['admin', 'editor', 'expert']
It's globally rules for all module admin with parent AdminController.
Thank.
If you extend controller and then override behaviors() then you make sure to include parent's behaviors like this:
return ArrayHelper::merge(parent::behaviors(), [
// your behaviors here
]);
Done!
I make my AdminController like:
class AdminController extends Controller {
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(),
'rules' => [
[
'allow' => true,
'roles' => ['admin', 'editor', 'expert'],
],
[
'actions' => ['login'],
'allow' => true,
'roles' => ['?'],
],
[
'actions' => ['delete'],
'allow' => true,
'roles' => ['admin'],
]
]
],
'verbs' => [
'class' => VerbFilter::className(),
'actions' => [
'logout' => ['get'],
],
],
];
}
}
And extends it for each controller in admin
Learning about behaviour of a controller.
In this controller, I got a lot of action that should be access after login.
How can I make one special action in this controller without login ?
I just try it, not succces. This is my code.
class RequestController extends Controller {
public function behaviors() {
return [
'verbs' => [
'class' => VerbFilter::className(),
'actions' => [
'delete' => ['post'],
'bulk-delete' => ['post'],
],
],
'access' => [
'class' => AccessControl::className(),
'only' => ['approve'], /*Special action*/
'rules' => [
[
'actions' => ['approve'],
'allow' => false,
'roles' => ['?'],
],
],
],
];
}
Please advise.
You need use in rules
'allow' => true, this is described here:
Yii2 authorization
You should assign
'access' => [
'class' => AccessControl::className(),
'only' => ['approve'], /*Special action*/
'rules' => [
[
'actions' => ['approve'],
'allow' => true,
'roles' => ['?'],
],
],
],
I tried finding out from the documentation but it is not mentioned and from this answer here it should work fine with REST API. Here is my code which returns status code 401 whenever I do not send access token with my request.
public function behaviors()
{
return [
'compositeAuth' => [
'class' => CompositeAuth::className(),
'authMethods' => [
QueryParamAuth::className(),
],
],
'access' => [
'class' => AccessControl::className(),
'only' => ['index', 'logout'],
'rules' => [
[
'actions' => ['index'],
'allow' => true,
'roles' => ['?'],
],
[
'actions' => ['logout'],
'allow' => true,
'roles' => ['#'],
],
],
],
'verbs' => [
'class' => VerbFilter::className(),
'actions' => [
'logout' => ['post'],
],
],
];
}
Both actionIndex and actionLogout require access token on my query though I want only logout to do this. My controller extends my base class which extends \yii/rest/Controller
I've tried to add menu map in backend-side. I use yii2-advanced. This is my “controller” code:
public function actionMap()
{
return $this->render('map');
}
But, when I try to access it with this url http://localhost/yii2advanced/backend/web/index.php?r=site/map, I've got error message Forbidden (#403) - You are not allowed to perform this action. I don't understand why I got this error message, can anybody help me to fix this problem?
It's caused by AccessControl. Most likely the action map is blocked according to access rules. Example of allowing it for all authenticated users:
/**
* #inheritdoc
*/
public function behaviors()
{
return [
'access' => [
'class' => \yii\filters\AccessControl::className(),
'only' => ['create', 'update'],
'rules' => [
// allow authenticated users
[
'allow' => true,
'roles' => ['#'],
],
// everything else is denied
],
],
];
}
Alternatively you can adjust access according to some RBAC roles.
In addition to the arogachev's answer:
Paste it in your site controller:
public function behaviors() {
return [
'access' => [
'class' => AccessControl::className(),
'rules' => [
[
'actions' => ['login', 'error'],
'allow' => true,
],
[
'actions' => ['logout', 'index'],
'allow' => true,
'roles' => ['#'],
],
[
'allow' => true,
'roles' => ['#'],
],
],
],
'verbs' => [
'class' => VerbFilter::className(),
'actions' => [
'logout' => ['post'],
],
],
];
}