Yii2 roles and users - yii2

Can I statically define roles in authManager (in the defaultRoles array in config) and assign them to users so that behavior rules define access to actions?
As I have certain roles, I don't want to use auth_assignment and auth_item and ...
Assuming I create a column in the user table for role, every user has one role, and roles are defined in the config file.
In fact I want to build access rules like 'admin' for users who are admin (where Yii says '@' for authenticated user and '?' for guest).

First create your roles somewhere like params, then the behaviors function can manage authentication easily:
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'except' => [''], // or only
                'rules' => [
                    [
                        'allow' => true,
                        'actions' => ['deletepic', 'regenerate'],
                        'matchCallback' => function ($rule, $action) {
                            return (myAuth(['root', 'admin']));
                        }
                    ],
                ],
            ],
        ];
    }
myAuth() will check the current user's role and return true if their role matches the requested action.
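An alternative to a per-rule matchCallback, as an added example that is not part of the original answer: a custom rule class that lets the `roles` key of each rule be checked against a role column on the user record. `RoleColumnRule` and the `role` attribute on the identity are assumptions; `matchRole()` and `ruleConfig` are the framework's own extension points.

```php
<?php
// Added example. File 1: components/RoleColumnRule.php
namespace app\components;

use yii\filters\AccessRule;

/**
 * Matches rule roles against a single `role` column on the identity class
 * (the column name is an assumption) instead of the RBAC tables.
 */
class RoleColumnRule extends AccessRule
{
    /** @inheritdoc */
    protected function matchRole($user)
    {
        if (empty($this->roles)) {
            return true; // the rule carries no role restriction
        }
        $isGuest = ($user === false) || $user->getIsGuest();
        foreach ($this->roles as $role) {
            if ($role === '?' && $isGuest) {
                return true; // built-in guest role
            }
            if ($role === '@' && !$isGuest) {
                return true; // built-in authenticated role
            }
            // Any other name is compared strictly with the stored role.
            if (!$isGuest && $user->identity->role === $role) {
                return true;
            }
        }
        return false; // rule does not apply; AccessControl denies if no rule matches
    }
}

// File 2: inside the controller's behaviors() array
// 'access' => [
//     'class' => \yii\filters\AccessControl::class,
//     'ruleConfig' => ['class' => \app\components\RoleColumnRule::class],
//     'rules' => [
//         ['allow' => true, 'actions' => ['deletepic', 'regenerate'], 'roles' => ['root', 'admin']],
//     ],
// ],
```

Because no rule matching means denial, a user whose stored role is missing or misspelled is refused rather than let through.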

Related

define access role to all user (user,guest,admin,..) in yii2

I use RBAC (dektrium) and ACF to check user access in my project (Yii2). I created some roles, for example: admin, manager, suser, user, ... I have some actions that all users can use, for example the view action. How can I define in the behaviors method that all users can use the view action?
To do this we assigned actions to user '*' in Yii1.
    ...
    array('allow', // allow all users to perform 'index' and 'view' actions
        'actions'=>array('view'),
        'users'=>array('*'),
    ),
    ...
In Yii2 I use this code:
    ...
    [
        'allow' => true,
        'actions' => ['view'],
        'roles' => ['?'],
    ],
    ...
But when an admin user or manager user wants to access myController/view, it shows forbidden. Only guests can access myController/view. How can I define a role or access rule that gives access to all users by default?
If you want to allow everyone to access an action, then there is no need to apply the access filter for that action. To avoid applying the access filter for specific actions you can use the $except property of yii\filters\AccessControl. For example like this:
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'except' => ['view'],
                'rules' => [
                    // rules for other actions ...
                ]
            ],
            // other behaviors ...
        ];
    }
Another option would be to use a combination of roles ? (guests) and @ (all logged in users) like this:
    [
        'allow' => true,
        'actions' => ['view'],
        'roles' => ['?', '@'],
    ]
There is also the $only property in yii\filters\AccessControl that allows applying the filter only to explicitly named actions. But it's better to use $except for security reasons.
Resources:
yii\filters\AccessControl
yii\filters\AccessRule::$roles

How to set separate homeUrl for authenticated users and guests in yii2

I'm wondering whether it is possible to make a different homeUrl for authenticated and guest users? I have these rules in SiteController.php:
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'only' => ['logout', 'signup'],
                'rules' => [
                    [
                        'actions' => ['signup'],
                        'allow' => true,
                        'roles' => ['?'],
                        'denyCallback' => function() {
                            return $this->redirect('/account');
                        }
                    ],
                    [
                        'actions' => ['logout', 'condition'],
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
            ],
            'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    'logout' => ['post'],
                ],
            ],
        ];
    }
That shouldn't be much of a problem. My answer is structured as follows:
1. Config for guest users
2. Config for logged in users (overwriting)
3. Alternatives
1. Config for guest users
This one is easy. Simply set the home URL to whatever you want your guest visitors to land on. Put this in your config:
//...
'homeUrl'=>'site/home-guests',
//...
2. Config for logged in users (overwriting)
A login happens on each and every page-load either via form submission, cookie (remember me), session or access token. You won't notice this since it happens automatically except for the actual form-login.
The yii\web\User class has an event which will be triggered after every login. It's called yii\web\User::EVENT_AFTER_LOGIN. You can find the doc for the triggering method here.
To fulfill your requirement simply extend the user class and within the init() method attach an event handler. If the event mentioned gets thrown, change the home URL. Done!
Here's the code of the custom user class:
    namespace app\components;

    use Yii;
    use yii\helpers\Url;

    class User extends \yii\web\User {
        //...
        public function init() {
            parent::init();
            // listen to the after-login event
            $this->on(static::EVENT_AFTER_LOGIN, function ($event) {
                Yii::$app->setHomeUrl(Url::to(['site/home-logged-in']));
            });
        }
        //...
    }
For Yii to use your custom and extended class, simply tell it to within the config:
    //...
    'user'=>[
        'class'=>'app\components\User',
    ],
    //...
3. Alternatives
If it's not about the URL but simply to show the users different contents depending on their login-status you have other / easier options:
show a different view when logged in but use the same action
redirect them within the action method
if/else within the actual home-view
Which one is right depends on your detailed requirement. This is difficult to tell with the information you provided.
Tell me if you have further questions. I'll be happy to help!

how to limit access url view on yii2 by id

I am basically a PHP developer and learning Yii2. I am working on a web application that has an account-based login system. Like the way I was doing it in PHP web applications, I want to stop another user from accessing the view if he/she is not authenticated. It's like if someone tries to access a URL (any related URL) externally:
www.example.com/permintaanbarang/index.php?r=user/view&id=1
changed to
www.example.com/permintaanbarang/index.php?r=user/view&id=2 by another user
At that time that person should be redirected to the login page or get a NotFound 404 notice, as that person is not authorized to access an account-based page directly.
What are the directions to implement this in an MVC framework???
A simple way to control access and prevent guest (not authenticated) users from accessing it is to use the access control filter:
    <?php
    namespace yourapp\controllers;

    use Yii;
    use yii\filters\AccessControl;
    use yii\web\Controller;
    use common\models\LoginForm;
    use yii\filters\VerbFilter;

    /**
     * Site controller
     */
    class SiteController extends Controller
    {
        /**
         * @inheritdoc
         */
        public function behaviors()
        {
            return [
                'access' => [
                    'class' => AccessControl::className(),
                    'rules' => [
                        [
                            'actions' => ['login', 'error'],
                            'allow' => true,
                        ],
                        [
                            'actions' => ['logout', 'index'],
                            'allow' => true,
                            'roles' => ['@'],
                        ],
                    ],
                ],
                'verbs' => [
                    'class' => VerbFilter::className(),
                    'actions' => [
                        'logout' => ['post'],
                    ],
                ],
            ];
        }
    }
In this sample you can see that you can configure the actions that are accessible to all and those for authenticated users (@).
You may find this guide useful: http://www.yiiframework.com/doc-2.0/guide-security-authorization.html and this reference: http://www.yiiframework.com/doc-2.0/yii-filters-accesscontrol.html
In Yii2 you can also use the RBAC authorization component to define classes of users and grant each class specific access rules.
You can also check RBAC authorization programmatically for specific needs, e.g.:
    if (!Yii::$app->user->isGuest) { // if the user is authenticated (not guest)
        if (Yii::$app->user->can('admin')) { // if the role is admin
            // ... your app code
        }
    }
There are AccessControlFilters for doing this
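The case in the question, a logged-in user changing id=1 to id=2, is a per-record check that the role filter does not make, so it belongs in the action itself. The following is an added example, not code from the original posts; the `app\models\User` model, the `findOwnModel()` helper and the use of the 'admin' role as an override are assumptions.

```php
<?php
namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\NotFoundHttpException;
use app\models\User; // assumed ActiveRecord model for the user table

class UserController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    // Guests are sent to the login page by the filter.
                    ['allow' => true, 'actions' => ['view'], 'roles' => ['@']],
                ],
            ],
        ];
    }

    public function actionView($id)
    {
        return $this->render('view', ['model' => $this->findOwnModel($id)]);
    }

    /**
     * Loads a record only when it belongs to the logged-in user (or the user
     * holds the assumed 'admin' role). A foreign id gets the same 404 as a
     * missing one, so the response does not reveal which ids exist.
     */
    protected function findOwnModel($id)
    {
        $model = User::findOne(['id' => (int) $id]);
        if ($model === null) {
            throw new NotFoundHttpException('The requested page does not exist.');
        }
        $isOwner = (int) $model->id === (int) Yii::$app->user->id;
        if (!$isOwner && !Yii::$app->user->can('admin')) {
            throw new NotFoundHttpException('The requested page does not exist.');
        }
        return $model;
    }
}
```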

yii2 acf and rbac collaboration

Does anyone know how to make ACF and RBAC work together in Yii2? I just want to add role names (i.e. admin, contributors, editors) in my code:
    'access' => [
        'class' => AccessControl::className(),
        'only' => ['logout', 'signup', 'try', 'about'],
        'rules' => [
            [
                'actions' => ['try'],
                'allow' => true,
                'roles' => ['?', 'admin', 'editors'],
            ],
        ],
    ]
You can simply create the proper permission in your RBAC module (the RBAC rules are not mandatory) and then set in your ACF the action to allow or deny for the permission created. Then the users assigned to this permission or group of permissions can access the allowed action.
You can also test the permission for the user in your code,
e.g. assuming there is a set of users with the permission manageUser, you can test it this way:
    if (Yii::$app->user->can('manageUser')) {
        // your code for those who can manage users
    }

Problems with Yii2 Rules creation

I have a Yii2 with Yii2 admin, user and AdminLTE installed. My problem is I don't know how to create rules; actually I don't know how to define the Class Name. Where should "Classes" be defined? How can I see which Classes I have, or add Classes?
Thanks a lot,
I don't know what module you are using, but I know how to define rules for a controller. Please open a controller, for example: mycontroller.
When you want to create a rule for an action in your mycontroller you should use the 'behaviors' function as you can see below.
    class MyController extends Controller {
        public function behaviors() {
            return [
                'access' => [
                    // this class can be used for every controller: "AccessControl::className()"
                    'class' => AccessControl::className(),
                    // apply these rules only to these two actions (logout and signup)
                    'only' => ['logout', 'signup'],
                    // these are the rules for your controller's actions
                    'rules' => [
                        [
                            'actions' => ['signup'],
                            'allow' => true,
                            // '?' is a default role in Yii2
                            'roles' => ['?'],
                        ],
                        [
                            'actions' => ['logout'],
                            'allow' => true,
                            // '@' is a default role in Yii2
                            'roles' => ['@'],
                        ],
                    ],
                ],
            ];
        }
    }
I have two actions in this controller, 'signup' and 'logout', and I give roles to every action. I give the ? role to signup and the @ role to logout.
? role: means every user who is not logged in can see this action.
@ role: means every user who is logged in can see this action.
As you can see, the class in the rules definition is static and you don't need to specify a class; you can just use AccessControl::className() in your code.
Best regards