Yii Framework Wiki
Difference between
#2 and
#3 of
Configuring controller access rules to default-deny
Revision #3 has been created by samdark on Aug 28, 2011, 1:50:42 AM with the memo:
No need to specify users for deny rule
« previous (#2) next (#4) »
Changes
Title unchanged
Configuring controller access rules to default-deny
Category unchanged
How-tos
Yii version unchanged
Tags changed
accessRules, security, access control
Content changed
[...]
{return array(
array('allow', // allow authenticated users to access all actions
'users'=>array('@'),
),
array('deny'
'users'=>array('*'),
But if no matches are made, Yii defaults to **allow**, and for many applications this is insecure and dangerous behavior. A developer not paying attention to his rules could find unauthorized users doing unauthorized things.
[...]
Ref: [Extending common classes to allow better customization](http://www.yiiframework.com/wiki/121/extending-common-classes-to-allow-better-customization/)Our approach is to fetch the current controller's `rules()`
```php
[...]
// default deny$rules[] = array('deny'
$filter = new CAccessControlFilter;
[...]
return array(// other rules here
array('deny'
);
}
```
Even those not implementing this article's technique would do well to add the default-allow rule even though it would be handled by Yii automatically so that others reading the code would **know** this was intended behavior.
[...]
12 followers
Viewed: 140 093 times
Version: 1.1
Category: How-tos
Written by: Steve Friedl
Last updated by: nsanden
Created on: Apr 4, 2011
Last updated: 10 years ago
Revisions
View all history-
10 years ago by
nsanden fixed default allow rule
-
13 years ago by
samdark No need to specify users for deny rule
-
13 years ago by
Steve Friedl Minor space shifting
- 13 years ago by Steve Friedl