
I have a backend project on my SSL server, like ssl.mybackend.com, with the following:

use yii\web\Controller;
use yii\filters\AccessControl;

class FormController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'actions' => ['index', 'delete', 'view', 'create'],
                        'allow' => true,
                        'roles' => ['@'], // only authorized users
                    ],
                    [
                        'actions' => ['create-order'],
                        'allow' => true, // change all users to "myfrontend.com"
                    ],
                ],
            ],
        ];
    }
}

I need to grant access to the create-order action only to my frontend website. I am not sure if it's possible to do this with AccessControl and would appreciate it if you could advise other solutions.

Gyuzal
  • Probably you can use matchCallback in AccessControl for this. See http://www.yiiframework.com/doc-2.0/guide-security-authorization.html#access-control-filter – TomaszKane Jan 29 '16 at 07:56

1 Answer

If you want to use AJAX calls from a frontend on another domain, you should use corsFilter instead. Example from the documentation:

public function behaviors()
{
    return [
        'corsFilter' => [
            'class' => \yii\filters\Cors::className(),
            'cors' => [
                // restrict access to these origins
                'Origin' => ['http://www.myserver.com', 'https://www.myserver.com'],
                // allow only POST and PUT methods
                'Access-Control-Request-Method' => ['POST', 'PUT'],
                // allow only the 'X-Wsse' header
                'Access-Control-Request-Headers' => ['X-Wsse'],
                'Access-Control-Allow-Credentials' => true,
                // allow OPTIONS caching
                'Access-Control-Max-Age' => 3600,
                // allow the X-Pagination-Current-Page header to be exposed to the browser
                'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page'],
            ],
        ],
    ];
}

Cross Origin Resource Sharing in Yii2

xCrZx
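As an added example (not code from the question, the comment or the answer above), here is one way to combine the two suggestions: the Cors filter so that browser calls from myfrontend.com get through the preflight, plus an AccessControl rule with matchCallback, as TomaszKane suggested, that lets create-order run only when the request carries an HMAC computed with a secret shared with the frontend. The CORS headers are enforced by browsers only; a curl call from anywhere reaches the action regardless, and checking Origin or Referer server-side is no better since non-browser clients set them freely, so the signature check is what actually restricts the action. Assumed names and settings: the secret in Yii::$app->params['frontendOrderSecret'], the headers X-Frontend-Timestamp and X-Frontend-Signature, a 5-minute replay window, and a Yii 2 release whose Cors filter answers the OPTIONS preflight itself before AccessControl runs.

```php
<?php
// Added example, not code from the question or the answer. Assumed names:
// the shared secret lives in Yii::$app->params['frontendOrderSecret'], and the
// frontend sends the X-Frontend-Timestamp and X-Frontend-Signature headers.
namespace backend\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\filters\Cors;
use yii\web\Controller;
use yii\web\Request;
use yii\web\Response;

class FormController extends Controller
{
    public function behaviors()
    {
        return [
            // Cors is listed first so it answers the browser's OPTIONS preflight
            // (which carries no signature) before AccessControl sees it. It only
            // tells browsers which origin may read the response; it is not the check.
            'corsFilter' => [
                'class' => Cors::className(),
                'cors' => [
                    'Origin' => ['https://myfrontend.com'],
                    'Access-Control-Request-Method' => ['POST'],
                    'Access-Control-Request-Headers' => ['Content-Type', 'X-Frontend-Timestamp', 'X-Frontend-Signature'],
                    'Access-Control-Max-Age' => 3600,
                ],
            ],
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'actions' => ['index', 'delete', 'view', 'create'],
                        'allow' => true,
                        'roles' => ['@'], // only logged-in users
                    ],
                    [
                        // No 'roles' key: the rule applies to guests as well, and
                        // matchCallback decides whether it matches.
                        'actions' => ['create-order'],
                        'allow' => true,
                        'matchCallback' => function ($rule, $action) {
                            return self::isSignedByFrontend(Yii::$app->request);
                        },
                    ],
                ],
            ],
        ];
    }

    public function beforeAction($action)
    {
        // The frontend cannot obtain this app's CSRF token, so CSRF validation is
        // switched off for this one action; the HMAC signature replaces it.
        if ($action->id === 'create-order') {
            $this->enableCsrfValidation = false;
        }
        return parent::beforeAction($action);
    }

    public function actionCreateOrder()
    {
        Yii::$app->response->format = Response::FORMAT_JSON;
        $order = json_decode(Yii::$app->request->rawBody, true);
        // ... validate $order and save it here ...
        return ['status' => 'accepted'];
    }

    // Signature the frontend must send; it runs the same function with the same
    // secret. Method, path, timestamp and body are all covered so none of them
    // can be altered in transit.
    public static function sign($method, $pathInfo, $timestamp, $rawBody, $secret)
    {
        $message = implode("\n", [$method, $pathInfo, (string) $timestamp, $rawBody]);
        return hash_hmac('sha256', $message, $secret);
    }

    private static function isSignedByFrontend(Request $request)
    {
        $secret = isset(Yii::$app->params['frontendOrderSecret'])
            ? Yii::$app->params['frontendOrderSecret'] : null;
        $timestamp = $request->headers->get('X-Frontend-Timestamp');
        $signature = $request->headers->get('X-Frontend-Signature');
        if ($secret === null || $timestamp === null || $signature === null) {
            return false;
        }
        // Reject stale timestamps (5-minute window) to limit replay of a captured request.
        if (!ctype_digit($timestamp) || abs(time() - (int) $timestamp) > 300) {
            return false;
        }
        $expected = self::sign($request->method, $request->pathInfo, $timestamp, $request->rawBody, $secret);
        // Constant-time comparison so timing does not leak the expected value.
        return hash_equals($expected, $signature);
    }
}
```

The frontend computes the header with the same sign() routine (or its equivalent in whatever language it runs) over the current Unix time and the exact raw JSON body it sends. The secret should live in a config file outside the web root on both sites and be rotated if either site is compromised; because the timestamp is part of the signed message, the two servers' clocks need to agree to within the window.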