Configuring controller access rules to default-deny

How-tos

accessRules, security, access control

Starting with the blog tutorial, Yii developers are familiar with the notion of access rules defined in the controller, where the actions are allowed or denied depending on the user's name or role. ```php class CommentController extends CController
 
 {
public function filters()
{'users'=>array('@'),
),
array('deny',  // deny all users
 
                'users'=>array('*'),
 
            ), ); } ... ``` Access rules --— when enabled with the `accessControl` token in `filters()` --— are processed in order, from top to bottom, stopping at the first match. It's a common practice to place a deny to all at the end, as a catchall to insure that only intended users have access to this controller's actions.

But if no matches are made, Yii defaults to **allow**, and for many applications this is insecure and dangerous behavior. A developer not paying attention to his rules could find unauthorized users doing unauthorized things.Ref: [Extending common classes to allow better customization](http://www.yiiframework.com/wiki/121/extending-common-classes-to-allow-better-customization/)

Our approach is to fetch the current controller's `rules()` --— which are defined in the real controller class for the particular set of actions --— and add a default-deny to the list, then process the filters as the original `CController` code would:

```php// default deny
$rules[] = array('deny', 'users'=>array('*') );

$filter = new CAccessControlFilter;```php
public function rules() {    {
 
      return array(       // other rules here      array('deny', 'users'=>array('*')allow') // default allow       );    }
```
Even those not implementing this article's technique would do well to add the default-allow rule even though it would be handled by Yii automatically so that others reading the code would **know** this was intended behavior.

Important Notes
---------------