In my Yii web application I disable and enable several URLs to set privileges. But the same URL can be accessed by a user that doesn't have the privilege to access it, by copying the URL or getting it from somewhere. What should I do to avoid this?
Viewed 829 times
-3
-
Did you take a look at the built-in [authorization](http://www.yiiframework.com/doc-2.0/guide-security-authorization.html) system? – tarleb Jul 18 '15 at 09:23
-
Yup, I do, but I install rights in my app. But it only sets the rights for a few. Since my web app contains more than 160 tables, it won't work perfectly for all controllers and models. – Reshma R P Aug 11 '15 at 08:18
1 Answer
0
In the controller, the function `behaviors` is for this. You can find the doc in the yii2 guide filters (core filter / access control).
This is a medium-complexity sample for rules (allow only index, view, mpdf-form for roles viewerApp and viewerModule1; allow all access to roles superAdmin, admin, managerModule1, managerApp):
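```php
// At the top of the controller file:
use yii\filters\AccessControl;
use yii\filters\VerbFilter;

// Inside the controller class:
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                // Read-only actions for the viewer roles
                [
                    'actions' => ['index', 'view', 'mpdf-form'],
                    'allow' => true,
                    'roles' => ['viewerApp', 'viewerModule1'],
                ],
                // Every action for the admin and manager roles
                [
                    'allow' => true,
                    'roles' => ['superAdmin', 'admin', 'managerModule1', 'managerApp'],
                ],
                // A request that matches no rule is denied
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'delete' => ['post'], // delete is accepted only via POST
            ],
        ],
    ];
}
```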

ScaisEdge
-
I hide the URL www.my-url/index/test/create for a particular user, and if that user knows this URL, is it possible to access it if I use this code? – Reshma R P Aug 11 '15 at 08:16
-
Mine is a school management software. I hide the link for setting privileges to each user. But it is possible for the user to access it if he or she knows the URL. – Reshma R P Aug 17 '15 at 04:29
-
If the user does not have a role that allows access, the user cannot access it even if he writes the address. But if you have a role that allows access, you can access the page by entering the address. – ScaisEdge Aug 17 '15 at 06:04
-
In my privilege page I just hide the URL. Nothing else is done. So it's easier to access the page if anyone else knows the URL. – Reshma R P Aug 17 '15 at 06:32
-
Hiding a URL does not define a `behavior access rule`. Read the mentioned `yii2 guide to filter` if you want to manage the access to the URL. – ScaisEdge Aug 17 '15 at 06:35
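
An added example, not part of the original answer or comments: one way to apply the access filter from the answer to many controllers at once is a shared base controller that is deny-by-default, so a typed-in URL is checked on the server regardless of which links the page shows. It assumes Yii2 with an RBAC `authManager` configured; the class names `SecuredController` and `TestController` and the convention of naming each permission after the route are hypothetical.

```php
<?php
// Added example. Assumes Yii2 with an RBAC authManager configured.
// Hypothetical convention: one permission per route, e.g. "test/create".
namespace app\components;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;

/**
 * Base controller: every action of every subclass is denied unless the
 * current user holds the permission named after the requested route.
 */
class SecuredController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'allow' => true,
                        'roles' => ['@'], // authenticated users only
                        'matchCallback' => function ($rule, $action) {
                            // Full route including any module id
                            $permission = $action->getUniqueId();
                            return Yii::$app->user->can($permission);
                        },
                    ],
                    // No other rule: anything unmatched is denied. Guests
                    // are sent to login, logged-in users get HTTP 403.
                ],
            ],
        ];
    }
}

/** A controller opts in by extending the base class. */
class TestController extends SecuredController
{
    public function actionCreate()
    {
        return $this->render('create');
    }
}
```

A subclass that defines its own `behaviors()` should merge its entries with `parent::behaviors()` so the access filter is not dropped.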