AccessControl.php 4.15 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
<?php
/**
 * @link http://www.yiiframework.com/
 * @copyright Copyright (c) 2008 Yii Software LLC
 * @license http://www.yiiframework.com/license/
 */

namespace yii\web;

use Yii;
use yii\base\Action;
use yii\base\ActionFilter;
use yii\base\HttpException;

/**
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
 * AccessControl provides simple access control based on a set of rules.
 *
 * AccessControl is an action filter. It will check its [[rules]] to find
 * the first rule that matches the current context variables (such as user IP address, user role).
 * The matching rule will dictate whether to allow or deny the access to the requested controller
 * action.
 *
 * To use AccessControl, declare it in the `behaviors()` method of your controller class.
 * For example, the following declarations will allow authenticated users to access the "create"
 * and "update" actions and deny all other users from accessing these two actions.
 *
 * ~~~
 * public function behaviors()
 * {
 *     return array(
 *         'access' => array(
 *             'class' => \yii\web\AccessControl::className(),
 *             'only' => array('create', 'update'),
 *             'rules' => array(
 *                 // allow authenticated users
 *                 array(
 *                     'allow' => true,
 *                     'roles' => array('@'),
 *                 ),
 *                 // deny all
 *                 array(
 *                     'allow' => false,
 *                 ),
 *             ),
 *         ),
 *     );
 * }
 * ~~~
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68
 *
 * @author Qiang Xue <qiang.xue@gmail.com>
 * @since 2.0
 */
class AccessControl extends ActionFilter
{
	/**
	 * @var callback a callback that will be called if the access should be denied
	 * to the current user. If not set, [[denyAccess()]] will be called.
	 *
	 * The signature of the callback should be as follows:
	 *
	 * ~~~
	 * function ($rule, $action)
	 * ~~~
	 *
	 * where `$rule` is this rule, and `$action` is the current [[Action|action]] object.
	 */
	public $denyCallback;
	/**
Qiang Xue committed
69 70
	 * @var array the default configuration of access rules. Individual rule configurations
	 * specified via [[rules]] will take precedence when the same property of the rule is configured.
71
	 */
Qiang Xue committed
72 73 74
	public $ruleConfig = array(
		'class' => 'yii\web\AccessRule',
	);
75
	/**
Qiang Xue committed
76
	 * @var array a list of access rule objects or configuration arrays for creating the rule objects.
Qiang Xue committed
77 78
	 * If a rule is specified via a configuration array, it will be merged with [[ruleConfig]] first
	 * before it is used for creating the rule object.
Qiang Xue committed
79
	 * @see ruleConfig
80 81 82 83 84 85 86 87 88 89 90
	 */
	public $rules = array();

	/**
	 * Initializes the [[rules]] array by instantiating rule objects from configurations.
	 */
	public function init()
	{
		parent::init();
		foreach ($this->rules as $i => $rule) {
			if (is_array($rule)) {
Qiang Xue committed
91
				$this->rules[$i] = Yii::createObject(array_merge($this->ruleConfig, $rule));
92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135
			}
		}
	}

	/**
	 * This method is invoked right before an action is to be executed (after all possible filters.)
	 * You may override this method to do last-minute preparation for the action.
	 * @param Action $action the action to be executed.
	 * @return boolean whether the action should continue to be executed.
	 */
	public function beforeAction($action)
	{
		$user = Yii::$app->getUser();
		$request = Yii::$app->getRequest();
		/** @var $rule AccessRule */
		foreach ($this->rules as $rule) {
			if ($allow = $rule->allows($action, $user, $request)) {
				break;
			} elseif ($allow === false) {
				if (isset($rule->denyCallback)) {
					call_user_func($rule->denyCallback, $rule);
				} elseif (isset($this->denyCallback)) {
					call_user_func($this->denyCallback, $rule);
				} else {
					$this->denyAccess($user);
				}
				return false;
			}
		}
		return true;
	}

	/**
	 * Denies the access of the user.
	 * The default implementation will redirect the user to the login page if he is a guest;
	 * if the user is already logged, a 403 HTTP exception will be thrown.
	 * @param User $user the current user
	 * @throws HttpException if the user is already logged in.
	 */
	protected function denyAccess($user)
	{
		if ($user->getIsGuest()) {
			$user->loginRequired();
		} else {
136
			throw new HttpException(403, Yii::t('yii', 'You are not allowed to perform this action.'));
137 138
		}
	}
Zander Baldwin committed
139
}