Difference between #2 and #4 of
Configuring controller access rules to default-deny

Changes

Title unchanged

Configuring controller access rules to default-deny

Category unchanged

How-tos

Yii version unchanged

Tags changed

accessRules, security, access control

Content changed

[...]
{
return array(
array('allow', // allow authenticated users to access all actions
'users'=>array('@'),
),
array('deny'
,  // deny all users
 
                'users'=>array('*'),
 
            
), ); } ... ``` Access rules -- when enabled with the `accessControl` token in `filters()` -- are processed in order, from top to bottom, stopping at the first match. It's a common practice to place a deny to all at the end, as a catchall to insure that only intended users have access to this controller's actions.

But if no matches are made, Yii defaults to **allow**, and for many applications this is insecure and dangerous behavior. A developer not paying attention to his rules could find unauthorized users doing unauthorized things.
[...]
Ref: [Extending common classes to allow better customization](http://www.yiiframework.com/wiki/121/extending-common-classes-to-allow-better-customization/)

Our approach is to fetch the current controller's `rules()`
-- which are defined in the real controller class for the particular set of actions -- and add a default-deny to the list, then process the filters as the original `CController` code would:

```php
[...]
// default deny
$rules[] = array('deny'
, 'users'=>array('*') );

$filter = new CAccessControlFilter;
[...]
return array(
// other rules here
array('
deny', 'users'=>array('*')allow') // default allow
);
}
```
Even those not implementing this article's technique would do well to add the default-allow rule even though it would be handled by Yii automatically so that others reading the code would **know** this was intended behavior.
[...]
11 0
12 followers
Viewed: 140 107 times
Version: 1.1
Category: How-tos
Written by: Steve Friedl
Last updated by: nsanden
Created on: Apr 4, 2011
Last updated: 10 years ago
Update Article

Revisions

View all history