Changes
Title
unchanged
Configuring controller access rules to default-deny
Category
unchanged
How-tos
Yii version
unchanged
Tags
changed
accessRules, security, access control
Content
changed
[...]
```php
{
    return array(
        array('allow', // allow authenticated users to access all actions
            'users'=>array('@'),
        ),
        array('deny', // deny all users
            'users'=>array('*'),
        ),
    );
}
...
```
Access rules -- when enabled with the `accessControl` token in `filters()` -- are processed in order, from top to bottom, stopping at the first match. It's a common practice to place a deny-to-all rule at the end, as a catchall to ensure that only intended users have access to this controller's actions.
But if no rule matches, Yii defaults to **allow**, and for many applications this is insecure and dangerous behavior. A developer not paying attention to his rules could find unauthorized users doing unauthorized things.[...]
Ref: [Extending common classes to allow better customization](http://www.yiiframework.com/wiki/121/extending-common-classes-to-allow-better-customization/)
Our approach is to fetch the current controller's `rules()` -- which are defined in the real controller class for the particular set of actions -- and add a default-deny to the list, then process the filters as the original `CController` code would:
```php
[...]
// default deny
$rules[] = array('deny', 'users'=>array('*'));
$filter = new CAccessControlFilter;
[...]
return array(
    // other rules here
    array('allow') // default allow
);
}
```
Even those not implementing this article's technique would do well to add the default-allow rule even though it would be handled by Yii automatically so that others reading the code would **know** this was intended behavior.[...]
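The override described above, written out as a complete base controller together with a controller that relies on it. This is an added example, not the article's own code; it assumes Yii 1.1's `CController` and `CAccessControlFilter`, and the class names `Controller` and `PostController` are illustrative.

```php
<?php
// Base controller that every application controller extends.
// Replaces CController::filterAccessControl(), which applies accessRules() as-is
// and therefore allows any request that matches no rule.
class Controller extends CController
{
    public function filterAccessControl($filterChain)
    {
        $rules = $this->accessRules();   // rules declared by the concrete controller
        // Default deny: appended last, so it only fires when no earlier rule matched.
        $rules[] = array('deny', 'users' => array('*'));
        $filter = new CAccessControlFilter;
        $filter->setRules($rules);
        $filter->filter($filterChain);
    }
}

// Illustrative controller: it only lists what is allowed and never has to
// remember the trailing deny itself.
class PostController extends Controller
{
    public function filters()
    {
        return array('accessControl'); // enables filterAccessControl()
    }

    public function accessRules()
    {
        return array(
            // anyone may view posts
            array('allow', 'actions' => array('index', 'view'), 'users' => array('*')),
            // authenticated users may create and update
            array('allow', 'actions' => array('create', 'update'), 'users' => array('@')),
            // only the admin role may delete
            array('allow', 'actions' => array('delete'), 'roles' => array('admin')),
            // any other action (e.g. a newly added actionAdmin) matches nothing here
            // and is rejected by the base class's default deny
        );
    }
}
```

With the stock `CController`, a guest requesting `delete` or an unlisted action would fall off the end of this list and be allowed; with the base class above, that request is denied.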