Forbidden (#403) - You are not allowed to perform this action? - yii2

These are the backend SiteController.php access rules. When I go to this URL, site.com/backend/web/site/login, it shows Forbidden (#403).
return [
    'access' => [
        'class' => AccessControl::className(),
        'rules' => [
            [
                // no 'roles' given: this rule matches every user, guest or logged in
                'actions' => ['login', 'error'],
                'allow' => true,
            ],
            [
                'actions' => ['logout', 'index', 'addhotels'],
                'allow' => true,
                'roles' => ['@'], // '@' = authenticated users
            ],
        ],
    ],
    'verbs' => [
        'class' => VerbFilter::className(),
        'actions' => [
            'logout' => ['post'],
        ],
    ],
];

An Error occurred while handling another error: exception
'yii\web\ForbiddenHttpException' with message 'You are not allowed to
perform this action.' in
C:\wamp\www\k\kometonline\vendor\yiisoft\yii2\filters\AccessControl.php:151
I was getting this error too and found this page through Google, so hopefully this will help other people.
The error happens because you've added access control, but you also need to explicitly allow the 'error' action in the site controller; otherwise you'll get the same error. It's not immediately obvious because there isn't an action for it. Also add the 'captcha' action, or you'll get the same problem with that.
In your site controller:
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['register', 'login'],
                    'allow' => true,
                    'roles' => ['?'], // guests only
                ],
                [
                    'actions' => ['logout'],
                    'allow' => true,
                    'roles' => ['@'], // authenticated users only
                ],
                [
                    // see captcha and error added here, this fixes the issue
                    'actions' => ['contact', 'about', 'terms', 'forgot', 'reset-password', 'captcha', 'error'],
                    'allow' => true,
                    'roles' => ['?', '@'], // guests and authenticated users
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'logout' => ['post'],
            ],
        ],
    ];
}

You need to remove the login action from the AccessControl list, or add ? as the role for guest users in AccessControl.
For Example,
return [
    'access' => [
        'class' => AccessControl::className(),
        'rules' => [
            [
                'actions' => ['login', 'error'],
                'allow' => true,
                'roles' => ['?'], // "?" for guest users; a user who is already logged in does not match this rule
            ],
            [
                'actions' => ['logout', 'index', 'addhotels'],
                'allow' => true,
                'roles' => ['@'], // "@" for authenticated users
            ],
        ],
    ],
    'verbs' => [
        'class' => VerbFilter::className(),
        'actions' => [
            'logout' => ['post'],
        ],
    ],
];

I would also like to know how to allow non-logged-in users not to receive the Forbidden error in the backend. I am simply trying to renderPartial a test view with a single
<h1>Test</h1>
and I receive the Forbidden error.

Maybe you are already logged in as a user while trying to access the login page. This will throw a ForbiddenHttpException. Alternatively, you can customize this behavior by configuring the denyCallback property:
[
    'class' => AccessControl::className(),
    'rules' => [...],
    // called instead of the default denial; $rule is the rule that denied
    // the request, or null when no rule matched at all
    'denyCallback' => function ($rule, $action) {
        // Add your error handler here
        throw new \Exception('You are not allowed to access this page');
    },
]
See official guide/documentation here

Related

Yii2 - behaviour of a controller

Learning about the behaviour of a controller.
In this controller, I have a lot of actions that should be accessible only after login.
How can I make one special action in this controller available without login?
I just tried it, without success. This is my code.
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use yii\web\Controller;

class RequestController extends Controller
{
    public function behaviors()
    {
        return [
            'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    'delete' => ['post'],
                    'bulk-delete' => ['post'],
                ],
            ],
            'access' => [
                'class' => AccessControl::className(),
                'only' => ['approve'], /* Special action */
                'rules' => [
                    [
                        'actions' => ['approve'],
                        'allow' => false, // a matching rule with allow => false denies the request
                        'roles' => ['?'],
                    ],
                ],
            ],
        ];
    }
}
Please advise.
You need to use 'allow' => true in the rules; this is described here:
Yii2 authorization
You should assign:
'access' => [
    'class' => AccessControl::className(),
    'only' => ['approve'], /* Special action: the filter runs for this action only; actions not listed here are not checked by it */
    'rules' => [
        [
            'actions' => ['approve'],
            'allow' => true,
            'roles' => ['?'], // guests may run approve
        ],
    ],
],
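As an added illustration, not part of any post above and not code from the Yii framework, the script below models how yii\filters\AccessControl reaches its decision: rules are tried top to bottom, the first rule that matches both the action and the user decides, no match means deny, '?' stands for guests and '@' for authenticated users, a rule without roles matches everyone, and 'only' switches the filter off for actions it does not list. It then runs the rule sets from the answers on this page (the login rule restricted to '?', a rule list that forgot 'error', and the 'only' => ['approve'] configuration from the answer just above) against a guest and a logged-in user. The role names and action IDs come from the posts; the simplified matching (no ip, verb, controller or matchCallback checks) and the helper names are my assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the posts above or from the Yii framework).
// A small model of yii\filters\AccessControl: rules are tried top to bottom,
// the first rule matching the action and the user decides ('allow' => true
// lets the request through, 'allow' => false denies it), and when no rule
// matches the request is denied. Roles: '?' matches guests, '@' matches
// authenticated users, an empty roles list matches everyone.
// Assumption: ip, verb, controller and matchCallback checks are left out.

/**
 * @param array $filter  AccessControl-style config with optional 'only', 'except' and 'rules'
 * @param array $granted RBAC roles/permissions the user holds (stands in for $user->can())
 * @return string 'allow', 'deny' or 'unfiltered' (filter not active for this action)
 */
function accessDecision(array $filter, string $action, bool $isGuest, array $granted = []): string
{
    // 'only' and 'except' decide whether the filter runs at all for this action.
    $only = $filter['only'] ?? [];
    $except = $filter['except'] ?? [];
    if (($only !== [] && !in_array($action, $only, true)) || in_array($action, $except, true)) {
        return 'unfiltered'; // served without any access check from this filter
    }

    foreach ($filter['rules'] as $rule) {
        $actions = $rule['actions'] ?? [];
        if ($actions !== [] && !in_array($action, $actions, true)) { // action IDs compare literally
            continue;
        }
        if (!matchRole($rule['roles'] ?? [], $isGuest, $granted)) {
            continue;
        }
        return empty($rule['allow']) ? 'deny' : 'allow'; // first matching rule wins
    }

    return 'deny'; // no rule matched: guests are sent to the login URL, logged-in users get a 403
}

function matchRole(array $roles, bool $isGuest, array $granted): bool
{
    if ($roles === []) {
        return true; // a rule without roles matches every user
    }
    foreach ($roles as $role) {
        if ($role === '?') {
            if ($isGuest) {
                return true;
            }
        } elseif ($role === '@') {
            if (!$isGuest) {
                return true;
            }
        } elseif (in_array($role, $granted, true)) {
            return true; // RBAC role or permission
        }
    }
    return false;
}

// Rule sets taken from the answers on this page.
function guestOnlyLogin(): array
{
    return ['rules' => [
        ['actions' => ['login', 'error'], 'allow' => true, 'roles' => ['?']],
        ['actions' => ['logout', 'index', 'addhotels'], 'allow' => true, 'roles' => ['@']],
    ]];
}

function withoutErrorAction(): array
{
    return ['rules' => [
        ['actions' => ['login'], 'allow' => true],
        ['actions' => ['logout', 'index'], 'allow' => true, 'roles' => ['@']],
    ]];
}

function onlyApprove(): array
{
    return ['only' => ['approve'], 'rules' => [
        ['actions' => ['approve'], 'allow' => true, 'roles' => ['?']],
    ]];
}

$cases = [
    ['guest opens site/login',               guestOnlyLogin(),     'login',   true],
    ['logged-in user opens site/login',      guestOnlyLogin(),     'login',   false],
    ['logged-in user, error page after 403', withoutErrorAction(), 'error',   false],
    ['guest opens request/approve',          onlyApprove(),        'approve', true],
    ['guest opens request/delete',           onlyApprove(),        'delete',  true],
];
foreach ($cases as [$label, $filter, $action, $isGuest]) {
    printf("%-40s -> %s\n", $label, accessDecision($filter, $action, $isGuest));
}
```

Run it with `php access_sim.php`. It shows that the '?'-only login rule denies a user who is already logged in (the situation the last answer in the first thread describes), that an 'error' action missing from the rules is itself denied, which is what turns a plain 403 into "An Error occurred while handling another error", and that with 'only' => ['approve'] the 'delete' action is not filtered at all: protecting the remaining actions needs a catch-all rule with 'roles' => ['@'] rather than 'only'.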

Yii2 - exception 'yii\web\ForbiddenHttpException'

When I log in to the backend admin panel, it works fine, but when I visit the link (e.g. site.com/backend/web/site/manage-country) the first time, it won't show any error. If I visit the same link a second time, it redirects to site.com and shows this error.
exception 'yii\web\ForbiddenHttpException' with message 'You are not
allowed to perform this action.' in
/home/kometonl/public_html/demo/vendor/yiisoft/yii2/filters/AccessControl.php:151
After clearing the cookies, I get the normal site back.
backend/controllers/SiteControllers.php
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['login', 'error'],
                    'allow' => true,
                ],
                [
                    // action IDs are matched literally: the route site/managecountry has the
                    // action ID 'managecountry', which 'manageCountry' never equals
                    'actions' => ['logout', 'index', 'manageCountry'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'logout' => ['post'],
            ],
        ],
    ];
}
backend/config/main.php
'urlManager' => [
    'class' => 'yii\web\UrlManager',
    'enablePrettyUrl' => true,
    'showScriptName' => false,
    'rules' => [
        'site/manage-country' => 'site/managecountry',
    ],
],
Change your behaviour to:
[
    'actions' => ['logout', 'index', 'managecountry'], // matches the action ID of actionManagecountry
    'allow' => true,
    'roles' => ['@'],
],
and in SiteController:
public function actionManagecountry()
{
    echo 'hi';
}

Does Access Control Filter implementation work for REST API?

I tried to find out from the documentation, but it is not mentioned, and from this answer here it should work fine with a REST API. Here is my code, which returns status code 401 whenever I do not send an access token with my request.
public function behaviors()
{
    return [
        // runs before 'access' (filters run in the order they are declared) and answers
        // every request in its scope that carries no valid token with 401
        'compositeAuth' => [
            'class' => CompositeAuth::className(),
            'authMethods' => [
                QueryParamAuth::className(),
            ],
        ],
        'access' => [
            'class' => AccessControl::className(),
            'only' => ['index', 'logout'],
            'rules' => [
                [
                    'actions' => ['index'],
                    'allow' => true,
                    'roles' => ['?'],
                ],
                [
                    'actions' => ['logout'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'logout' => ['post'],
            ],
        ],
    ];
}
Both actionIndex and actionLogout require an access token in my query, though I want only logout to do this. My controller extends my base class, which extends \yii\rest\Controller.
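The question above carries no answer on this page. As an added example, not the asker's code, here is the configuration I would use. The 401 is produced by the authenticator filter, which runs before AccessControl and fails the request as soon as no valid token is present, so the access rule for index is never reached; the authenticator's 'optional' property (yii\filters\auth\AuthMethod::$optional, available since Yii 2.0.7) lets index pass without a token while still identifying callers who send one. The class and namespace names, the action bodies and the verbs() override are my assumptions; QueryParamAuth, CompositeAuth, the index/logout actions and the yii\rest\Controller base class are from the question.

```php
<?php
namespace app\controllers; // assumed namespace

use Yii;
use yii\filters\AccessControl;
use yii\filters\auth\CompositeAuth;
use yii\filters\auth\QueryParamAuth;
use yii\rest\Controller;

// Added example, not the asker's controller.
class ApiController extends Controller
{
    public function behaviors()
    {
        // yii\rest\Controller already declares contentNegotiator, verbFilter,
        // authenticator (a CompositeAuth with no auth methods) and rateLimiter.
        $behaviors = parent::behaviors();

        // Filters run in the order they are declared. The authenticator runs before
        // 'access'; for an action not listed in 'optional' it throws
        // UnauthorizedHttpException (401) whenever no valid token is sent, so the
        // access rules never get the chance to allow the request.
        $behaviors['authenticator'] = [
            'class' => CompositeAuth::className(),
            'authMethods' => [
                QueryParamAuth::className(), // token in ?access-token=...
            ],
            // index: authenticate when a token is present, but do not fail without one.
            // ('except' => ['index'] would skip authentication for index altogether.)
            'optional' => ['index'],
        ];

        $behaviors['access'] = [
            'class' => AccessControl::className(),
            'only' => ['index', 'logout'],
            'rules' => [
                [
                    'actions' => ['index'],
                    'allow' => true, // no 'roles': guests and authenticated callers alike
                ],
                [
                    'actions' => ['logout'],
                    'allow' => true,
                    'roles' => ['@'], // only an authenticated caller may log out
                ],
            ],
        ];

        return $behaviors;
    }

    // consumed by the verbFilter that yii\rest\Controller declares
    protected function verbs()
    {
        return [
            'logout' => ['POST'],
        ];
    }

    public function actionIndex()
    {
        // With 'optional', a valid token still identifies the caller;
        // without one the request is handled as a guest.
        return [
            'public' => true,
            'caller' => Yii::$app->user->isGuest ? 'anonymous' : Yii::$app->user->id,
        ];
    }

    public function actionLogout()
    {
        Yii::$app->user->logout();
        return ['logged_out' => true];
    }
}
```

A request to index without a token now gets a 200 with 'caller' => 'anonymous', the same request with a valid access-token reports the caller's id, and logout without a token still gets the 401 from the authenticator. Replacing the whole 'authenticator' entry rather than appending a second auth filter matters: leaving the parent's entry in place would keep two authenticators in the chain.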

Forbidden (#403) - You are not allowed to perform this action [Yii2]

I've tried to add a menu map on the backend side. I use yii2-advanced. This is my "controller" code:
public function actionMap()
{
return $this->render('map');
}
But when I try to access it with this URL, http://localhost/yii2advanced/backend/web/index.php?r=site/map, I get the error message Forbidden (#403) - You are not allowed to perform this action. I don't understand why I get this error message; can anybody help me fix this problem?
It's caused by AccessControl. Most likely the action map is blocked according to the access rules. Example of allowing it for all authenticated users:
/**
 * @inheritdoc
 */
public function behaviors()
{
    return [
        'access' => [
            'class' => \yii\filters\AccessControl::className(),
            'only' => ['create', 'update'], // the filter checks these actions only
            'rules' => [
                // allow authenticated users
                [
                    'allow' => true,
                    'roles' => ['@'],
                ],
                // everything else is denied
            ],
        ],
    ];
}
Alternatively you can adjust access according to some RBAC roles.
In addition to arogachev's answer, paste this in your site controller:
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'actions' => ['login', 'error'],
                    'allow' => true,
                ],
                [
                    'actions' => ['logout', 'index'],
                    'allow' => true,
                    'roles' => ['@'],
                ],
                [
                    // catch-all: any other action (map included) for authenticated users;
                    // guests reaching this point are denied
                    'allow' => true,
                    'roles' => ['@'],
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'logout' => ['post'],
            ],
        ],
    ];
}

YII2 Access Control With Modules

My access control code is not working on the module's default controller, but on all other pages it is working fine. Any idea what I am doing wrong?
EDIT: What is happening is: ../web/mymodule does not redirect, but ../web/mymodule/mycontroller does. Also, if I try ../web/mymodule/default, it does not work either.
EDIT 2: Solved. The problem was with the public function beforeAction($action).
public function behaviors()
{
    return [
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'delete' => ['post'],
            ],
        ],
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'allow' => true,
                    'roles' => ['@'], // authenticated users only; guests are denied
                ],
            ],
        ],
    ];
}
It seems you don't control the action. Try this in SiteController:
return [
    'access' => [
        'class' => AccessControl::className(),
        'only' => ['logout', 'signup'],
        'rules' => [
            [
                'actions' => ['signup'],
                'allow' => true,
                'roles' => ['?'],
            ],
            [
                'actions' => ['logout'],
                'allow' => true,
                'roles' => ['@'],
            ],
        ],
    ],
    'verbs' => [
        ..............
    ],
];
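As an added example, neither the asker's code nor the answer's, one way to get the behaviour the question asks for, an access check that also covers the module's DefaultController, is to declare the filter on the module class itself; Yii runs a filter attached to a module for every controller inside that module. The module name mymodule comes from the question; the namespace, the controllerNamespace and the default/login and default/error action IDs are assumptions.

```php
<?php
namespace app\modules\mymodule; // assumed module namespace

use yii\filters\AccessControl;

/**
 * Added example, not the asker's module class.
 *
 * Attaching AccessControl to the module rather than to each controller makes
 * it run for every controller inside the module, DefaultController included,
 * so /mymodule, /mymodule/default and /mymodule/mycontroller all get the same
 * check. Controllers may still declare their own, finer-grained rules on top.
 */
class Module extends \yii\base\Module
{
    public $controllerNamespace = 'app\modules\mymodule\controllers'; // assumed

    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                // At module level, 'only'/'except' take controller/action IDs
                // relative to the module ('default/login'), not bare action IDs.
                // Assumed public actions: without an exception for the login
                // route, a guest is redirected to the login URL and, if that
                // URL lives inside this module, denied there as well.
                'except' => ['default/login', 'default/error'],
                'rules' => [
                    [
                        'allow' => true,
                        'roles' => ['@'], // any authenticated user; everything else is denied
                    ],
                ],
            ],
        ];
    }
}
```

With this in place a guest requesting ../web/mymodule is redirected to the login URL just like ../web/mymodule/mycontroller, because the module's beforeAction runs the filter before the controller's own beforeAction is reached.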