AccessControl.php 4.83 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14
 * @link
 * @copyright Copyright (c) 2008 Yii Software LLC
 * @license

namespace yii\web;

use Yii;
use yii\base\Action;
use yii\base\ActionFilter;

15 16 17 18 19
 * AccessControl provides simple access control based on a set of rules.
 * AccessControl is an action filter. It will check its [[rules]] to find
 * the first rule that matches the current context variables (such as user IP address, user role).
 * The matching rule will dictate whether to allow or deny the access to the requested controller
 * action. If no rule matches, the access will be denied.
21 22 23 24 25 26 27 28
 * To use AccessControl, declare it in the `behaviors()` method of your controller class.
 * For example, the following declarations will allow authenticated users to access the "create"
 * and "update" actions and deny all other users from accessing these two actions.
 * ~~~
 * public function behaviors()
 * {
Alexander Makarov committed
29 30
 *     return [
 *         'access' => [
 *             'class' => \yii\web\AccessControl::className(),
Alexander Makarov committed
32 33
 *             'only' => ['create', 'update'],
 *             'rules' => [
 *                 // deny all POST requests
Alexander Makarov committed
 *                 [
 *                     'allow' => false,
Alexander Makarov committed
37 38
 *                     'verbs' => ['POST']
 *                 ],
 *                 // allow authenticated users
Alexander Makarov committed
 *                 [
 *                     'allow' => true,
Alexander Makarov committed
42 43
 *                     'roles' => ['@'],
 *                 ],
 *                 // everything else is denied
Alexander Makarov committed
45 46 47
 *             ],
 *         ],
 *     ];
48 49
 * }
 * ~~~
50 51 52 53 54 55
 * @author Qiang Xue <>
 * @since 2.0
class AccessControl extends ActionFilter
56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80
     * @var callable a callback that will be called if the access should be denied
     * to the current user. If not set, [[denyAccess()]] will be called.
     * The signature of the callback should be as follows:
     * ~~~
     * function ($rule, $action)
     * ~~~
     * where `$rule` is this rule, and `$action` is the current [[Action|action]] object.
    public $denyCallback;
     * @var array the default configuration of access rules. Individual rule configurations
     * specified via [[rules]] will take precedence when the same property of the rule is configured.
    public $ruleConfig = ['class' => 'yii\web\AccessRule'];
     * @var array a list of access rule objects or configuration arrays for creating the rule objects.
     * If a rule is specified via a configuration array, it will be merged with [[ruleConfig]] first
     * before it is used for creating the rule object.
     * @see ruleConfig
    public $rules = [];

82 83 84 85 86 87 88 89 90 91 92 93
     * Initializes the [[rules]] array by instantiating rule objects from configurations.
    public function init()
        foreach ($this->rules as $i => $rule) {
            if (is_array($rule)) {
                $this->rules[$i] = Yii::createObject(array_merge($this->ruleConfig, $rule));

95 96 97
     * This method is invoked right before an action is to be executed (after all possible filters.)
     * You may override this method to do last-minute preparation for the action.
     * @param Action $action the action to be executed.
99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116
     * @return boolean whether the action should continue to be executed.
    public function beforeAction($action)
        $user = Yii::$app->getUser();
        $request = Yii::$app->getRequest();
        /** @var AccessRule $rule */
        foreach ($this->rules as $rule) {
            if ($allow = $rule->allows($action, $user, $request)) {
                return true;
            } elseif ($allow === false) {
                if (isset($rule->denyCallback)) {
                    call_user_func($rule->denyCallback, $rule, $action);
                } elseif (isset($this->denyCallback)) {
                    call_user_func($this->denyCallback, $rule, $action);
                } else {

118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133
                return false;
        if (isset($this->denyCallback)) {
            call_user_func($this->denyCallback, $rule, $action);
        } else {

        return false;

     * Denies the access of the user.
     * The default implementation will redirect the user to the login page if he is a guest;
     * if the user is already logged, a 403 HTTP exception will be thrown.
     * @param User $user the current user
135 136 137 138 139 140 141 142 143 144
     * @throws ForbiddenHttpException if the user is already logged in.
    protected function denyAccess($user)
        if ($user->getIsGuest()) {
        } else {
            throw new ForbiddenHttpException(Yii::t('yii', 'You are not allowed to perform this action.'));
Zander Baldwin committed