Fixes #4409: Upper case letters in subdirectory prefixes of controller IDs were…

docs/guide/structure-controllers.md

@@ -112,11 +112,13 @@ For this reason, controller IDs are often nouns referring to the types of the re
 For example, you may use `article` as the ID of a controller that handles article data.
 
 By default, controller IDs should contain these characters only: English letters in lower case, digits,
-underscores, dashes and forward slashes. For example, `article`, `post-comment`, `admin/post2-comment` are
-all valid controller IDs, while `article?`, `PostComment`, `admin\post` are not.
+underscores, dashes and forward slashes. For example, `article` and `post-comment` are both valid controller IDs,
+while `article?`, `PostComment`, `admin\post` are not.
 
-The dashes in a controller ID are used to separate words, while the forward slashes to organize controllers in
-sub-directories.
+A controller ID may also contain a subdirectory prefix. For example, `admin/article` stands for an `article` controller
+in the `admin` subdirectory under the [[yii\base\Application::controllerNamespace|controller namespace]].
+Valid characters for subdirectory prefixes include: English letters in lower and upper cases, digits, underscores and
+forward slashes, where forward slashes are used as separators for multi-level subdirectories (e.g. `panels/admin`).
 
 
 ### Controller Class Naming <a name="controller-class-naming"></a>
@@ -134,7 +136,8 @@ takes the default value `app\controllers`:
 
 * `article` derives `app\controllers\ArticleController`;
 * `post-comment` derives `app\controllers\PostCommentController`;
-* `admin/post2-comment` derives `app\controllers\admin\Post2CommentController`.
+* `admin/post-comment` derives `app\controllers\admin\PostCommentController`;
+* `adminPanels/post-comment` derives `app\controllers\adminPanels\PostCommentController`.
 
 Controller classes must be [autoloadable](concept-autoloading.md). For this reason, in the above examples,
 the `article` controller class should be saved in the file whose [alias](concept-aliases.md)

framework/CHANGELOG.md

@@ -69,6 +69,7 @@ Yii Framework 2 Change Log
 - Bug #4241: `yii\widgets\Pjax` was incorrectly setting container id (mitalcoi)
 - Bug #4276: Added check for UPLOAD_ERR_NO_FILE in `yii\web\UploadedFile` and return null if no file was uploaded (OmgDef)
 - Bug #4342: mssql (dblib) driver does not support getting attributes (tof06)
+- Bug #4409: Upper case letters in subdirectory prefixes of controller IDs were not properly handled (qiangxue)
 - Bug: Fixed inconsistent return of `\yii\console\Application::runAction()` (samdark)
 - Bug: URL encoding for the route parameter added to `\yii\web\UrlManager` (klimov-paul)
 - Bug: Fixed the bug that requesting protected or private action methods would cause 500 error instead of 404 (qiangxue)

framework/base/Module.php

@@ -548,10 +548,6 @@ class Module extends ServiceLocator
      */
     public function createControllerByID($id)
     {
-        if (!preg_match('%^[a-z0-9\\-_/]+$%', $id)) {
-            return null;
-        }
-
         $pos = strrpos($id, '/');
         if ($pos === false) {
             $prefix = '';
@@ -561,6 +557,13 @@ class Module extends ServiceLocator
             $className = substr($id, $pos + 1);
         }
 
+        if (!preg_match('%^[a-z][a-z0-9\\-_]*$%', $className)) {
+            return null;
+        }
+        if ($prefix !== '' && !preg_match('%^[a-z0-9_/]+$%i', $prefix)) {
+            return null;
+        }
+
         $className = str_replace(' ', '', ucwords(str_replace('-', ' ', $className))) . 'Controller';
         $className = ltrim($this->controllerNamespace . '\\' . str_replace('/', '\\', $prefix)  . $className, '\\');
         if (strpos($className, '-') !== false || !class_exists($className)) {