
I have this piece of code where, if the user clicks the link, it is replaced by text so that it cannot be clicked again. The problem now is that if the user accesses the URL directly, it simulates a link click. So how do I prevent users from accessing URLs directly?

<?php
use yii\helpers\Html;

$isAdded = ActiveSubject::find()
    ->where(['clientid' => $_user, 'subjectid' => $subjects['subjectid']])
    ->exists();
if ($isAdded):
?>
    <b><p class="text-muted">ADDED</p></b>
<?php else: ?>
    <p>
    <?= Html::a('<b>ADD</b>', ['site/addsubject', 'subjectid' => $subjects['subjectid'], 'clientid' => $_user], ['class' => 'btn-info btn-transparent btn-large']) ?>
    </p>
<?php endif; ?>
</td>
<td>
<?= $subjects['slots'] ?>
</td>
<td>
<?php if ($isAdded): ?>
    <p class="text-primary">Awaiting Confirmation</p>
<?php endif; ?>

2 Answers

0

Make it a POST link so that it has to be clicked and can't be run directly from the browser's address bar.

i.e.

add 'data-method' => 'post' to Html::a

<?= Html::a('<b>ADD</b>', ['site/addsubject', 'subjectid' => $subjects['subjectid'], 'clientid' => $_user], ['class' => 'btn-info btn-transparent btn-large', 'data-method' => 'post']) ?>

And in the access rules you can add a rule to only accept POST requests

i.e.

'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    'addsubject' => ['post'],
                ],
            ],

Hope this helps. Thanks.

Edit: Below is sample for SiteController

use yii\filters\AccessControl;
use yii\filters\VerbFilter;

public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    // Empty 'actions' and 'roles' match every action and every
                    // user, so this rule allows everything and the next rule
                    // is never reached.
                    'allow' => true,
                    'actions' => [],
                    'roles' => [],
                ],
                [
                    'actions' => ['login', 'error', 'captcha'],
                    'allow' => true,
                ],
            ],
        ],
        // VerbFilter answers any other HTTP method with 405 Method Not Allowed,
        // so a plain GET of /site/addsubject no longer runs the action.
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'delete' => ['post'],
                'addsubject' => ['post'],
            ],
        ],
    ];
}
Chetan Sharma
  • You need to add this to the behaviors function of your controller. Updated answer. – Chetan Sharma Aug 23 '16 at 05:34
  • @Unknown: He is using SiteController.php, so how can he modify the behaviors function without affecting other actions? Maybe matchCallback or a callback can be used... but I also want to learn how we can do this. – vijay nathji Aug 23 '16 at 05:44
  • @Quinlanlent: put this in your public function behaviors() or modify the existing public function behaviors() in your SiteController.php – vijay nathji Aug 23 '16 at 05:46
0

In controller

use yii\filters\AccessControl;
use yii\filters\VerbFilter;

public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    // 'addsubject' and 'yourmodelname' are RBAC role/permission
                    // names; replace them with the ones defined in your auth manager.
                    'actions' => ['addsubject'],
                    'allow' => true,
                    'roles' => ['addsubject', 'yourmodelname'],
                ],
                [
                    'allow' => true,
                    'roles' => ['superAdmin', 'admin', 'managerModule1', 'managerApp'],
                ],
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                'addsubject' => ['post'],
            ],
        ],
    ];
}

Check out these 2 answers also:

how to deny the access of url in yii even if we know the url?

how to limit access url view on yii2 by id

In them you can understand the use of filters.

vijay nathji
  • What if there is already code in the behaviors function? I am using the SiteController.php, by the way. –  Aug 23 '16 at 05:24
  • I am not damn sure, but then we can also use the matchCallback method, step 6: http://www.yiiframework.com/wiki/771/rbac-super-simple-with-admin-and-user/ – vijay nathji Aug 23 '16 at 05:30
  • What I mean is that in the rules array the SiteController already has an action `['logout']`, so am I allowed to add another action `['addsubject']` in the rules array? –  Aug 23 '16 at 05:46
  • Yes, of course you can. See step 6, they used an action as well. – vijay nathji Aug 23 '16 at 05:49
  • Oh ok, I saw your post, I get it now. –  Aug 23 '16 at 05:52
  • To be frank, I have never faced this kind of problem, so I am not 100% sure... But your way looks ok... Try it once. :) – vijay nathji Aug 23 '16 at 05:54
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/121585/discussion-between-vijay-nathji-and-quinlanlent). – vijay nathji Aug 23 '16 at 05:55
  • http://www.yiiframework.com/wiki/771/rbac-super-simple-with-admin-and-user/ take a look at step 6 – vijay nathji Aug 23 '16 at 05:56
  • Thank you, you are very helpful. The solution is to make another array, so thanks for that. –  Aug 23 '16 at 05:58
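Both answers above combine a POST-only link with VerbFilter and AccessControl. The controller below is an added example, not code from the question or from either answer, that puts the two pieces together and closes the gap the question's link still leaves open: the link passes `clientid` in the URL, so the action should take the client id from the logged-in session rather than from the request. It assumes a Yii2 `SiteController`, an `ActiveSubject` ActiveRecord with `clientid` and `subjectid` columns, a `subjects` table keyed by `subjectid`, that the logged-in user's id is the client id, and a `site/subjects` route to redirect back to; those names are assumptions for illustration.

```php
<?php
// Added example, not the code from the question or the answers.
// Assumed: app\models\ActiveSubject exists with clientid/subjectid columns,
// a `subjects` table keyed by subjectid, the user identity id is the client id,
// and a site/subjects action to return to after adding.

namespace app\controllers;

use Yii;
use yii\db\Query;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use yii\web\Controller;
use yii\web\NotFoundHttpException;
use yii\web\ServerErrorHttpException;
use app\models\ActiveSubject;

class SiteController extends Controller
{
    public function behaviors()
    {
        return [
            // 'only' limits the filter to these actions, so login, error,
            // captcha and the rest of SiteController are untouched.
            'access' => [
                'class' => AccessControl::class,
                'only' => ['addsubject', 'logout'],
                'rules' => [
                    // '@' means any authenticated user; guests are sent to login.
                    ['actions' => ['addsubject', 'logout'], 'allow' => true, 'roles' => ['@']],
                ],
            ],
            // A GET of /site/addsubject?subjectid=... now gets 405 Method Not Allowed.
            // Because web\Request::$enableCsrfValidation is on by default, the POST
            // must also carry the CSRF token that yii.js adds to data-method links.
            'verbs' => [
                'class' => VerbFilter::class,
                'actions' => [
                    'logout' => ['post'],
                    'addsubject' => ['post'],
                ],
            ],
        ];
    }

    public function actionAddsubject($subjectid)
    {
        // Take the client id from the session, never from the request, so a user
        // cannot add a subject on behalf of another client by editing the URL.
        $clientid = Yii::$app->user->id;

        // Reject ids that do not exist instead of inserting a dangling row.
        $subjectExists = (new Query())
            ->from('subjects')
            ->where(['subjectid' => $subjectid])
            ->exists();
        if (!$subjectExists) {
            throw new NotFoundHttpException('Unknown subject.');
        }

        // Make the action idempotent: a second POST does not create a duplicate.
        $alreadyAdded = ActiveSubject::find()
            ->where(['clientid' => $clientid, 'subjectid' => $subjectid])
            ->exists();

        if (!$alreadyAdded) {
            $row = new ActiveSubject();
            $row->clientid = $clientid;
            $row->subjectid = $subjectid;
            if (!$row->save()) {
                throw new ServerErrorHttpException('Could not add subject.');
            }
        }

        return $this->redirect(['site/subjects']);
    }
}

// Matching link in the view: no clientid in the URL, POST via yii.js.
// <?= Html::a('<b>ADD</b>', ['site/addsubject', 'subjectid' => $subjects['subjectid']],
//        ['class' => 'btn-info btn-transparent btn-large', 'data-method' => 'post']) ?>
```

The `data-method` attribute only works when the page includes `yii.js` (the default `AppAsset`), which submits a hidden form with the CSRF token. If you have set `enableCsrfValidation = false` on the request component, VerbFilter alone does not stop a form on another site from POSTing to the action, so leave CSRF validation on.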