Yii – User defined rules for Access rights

    Yii Access Control Rules

    A key part of a web application is access security: who can see what data, and who can perform what actions.

    Within Yii, the first layer of access security is defined in the controller, where access control rules are declared for each action.

    The default access rules created by the code generator in Gii are:

    1. ‘All Users’ – anybody is allowed to access these actions, which covers every visitor to your website
    2. ‘Authenticated User’ – those users who have logged in using whatever user authentication system you have chosen to use
    3. ‘Admin’ User – in fact this means a user called admin, rather than any user defined as a super-user!

    However, using the other parameters of accessRules you can set up more advanced access policies.


    Expression

    The expression property lets you define an expression that is evaluated for each request and returns true or false, deciding whether the current user may access the listed actions.

    For example, in the following code I have set up a method within the same controller called isAdmin, which returns true or false depending on whether the current user has super-user privileges.


    	/**
    	 * Specifies the access control rules.
    	 * This method is used by the 'accessControl' filter.
    	 * @return array access control rules
    	 */
    	public function accessRules()
    	{
    		return array(
    			...
    			array('allow', // allow admin user to perform 'admin' and 'delete' actions
    				'actions'=>array('delete', 'admin'),
    				'expression'=>'Yii::app()->controller->isAdmin()',
    			),
    			...
    		);
    	}

    IP address

    The ips property restricts access to a list of IP addresses (or address patterns such as 192.168.0.*):

    			array('allow', // allow 'admin' and 'delete' only from the listed IP addresses
    				'actions'=>array('delete', 'admin'),
    				'ips'=>array('127.0.0.1', '192.168.0.1'), // an array with one address or pattern per entry, not a single comma-separated string
    			),

    Further Access Rules

    The Yii documentation lists the full set of rule options as follows:

    array(
      'allow',  // or 'deny'
      // optional, list of action IDs (case insensitive) that this rule applies to
      // if not specified, rule applies to all actions
      'actions'=>array('edit', 'delete'),
      // optional, list of controller IDs (case insensitive) that this rule applies to
      'controllers'=>array('post', 'admin/user'),
      // optional, list of usernames (case insensitive) that this rule applies to
      // Use * to represent all users, ? guest users, and @ authenticated users
      'users'=>array('thomas', 'kevin'),
      // optional, list of roles (case sensitive!) that this rule applies to.
      'roles'=>array('admin', 'editor'),
      // optional, list of IP address/patterns that this rule applies to
      // e.g. 127.0.0.1, 127.0.0.*
      'ips'=>array('127.0.0.1'),
      // optional, list of request types (case insensitive) that this rule applies to
      'verbs'=>array('GET', 'POST'),
      // optional, a PHP expression whose value indicates whether this rule applies
      'expression'=>'!$user->isGuest && $user->level==2',
      // optional, the customized error message to be displayed
      // This option is available since version 1.1.1.
      'message'=>'Access Denied.',
    )
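Putting the expression, ips and verbs options together, here is an added example of a complete Yii 1.1 controller (it is not code from the original post). It assumes an RBAC role named 'admin' exists in the configured authManager, and the IP addresses are constructed values; the point it adds is the ordering of rules and the trailing deny rule, since Yii allows a request that matches no rule at all.

```php
// Added example, not from the original post. Assumes an RBAC role 'admin';
// the IP addresses and action names are illustrative values.
class PostController extends CController
{
    public function filters()
    {
        return array('accessControl'); // evaluates accessRules() before every action
    }

    public function accessRules()
    {
        // Rules are tested in order and the first match decides. If NO rule matches,
        // Yii allows the request, so the trailing deny rule makes this fail closed.
        return array(
            array('allow', // read-only actions for any visitor
                'actions'=>array('index', 'view'),
                'users'=>array('*'),
            ),
            array('allow', // editing only for authenticated users
                'actions'=>array('create', 'update'),
                'users'=>array('@'),
            ),
            array('deny', // never delete on a GET, whoever asks; placed before the allow below
                'actions'=>array('delete'),
                'verbs'=>array('GET'),
            ),
            array('allow', // super-users only, and only from trusted addresses
                'actions'=>array('admin', 'delete'),
                'ips'=>array('127.0.0.1', '192.168.0.*'), // a list, not a single string
                // the expression string is eval()'d by Yii: keep it a fixed literal
                'expression'=>'Yii::app()->controller->isAdmin()',
            ),
            array('deny', // everything not explicitly allowed above
                'users'=>array('*'),
                'message'=>'Access Denied.',
            ),
        );
    }

    /**
     * Super-user test used by the 'expression' rule. Checks the RBAC role
     * 'admin' (assumed role name) instead of comparing the username to 'admin'.
     * @return boolean
     */
    public function isAdmin()
    {
        $user=Yii::app()->user;
        return !$user->isGuest && $user->checkAccess('admin');
    }
}
```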

    If you have any useful rules, please feel free to share them below…


    See also: isAdmin()