php - Yii2 RBAC not working - allowing access to everything

I'm facing a problem where I've configured RBAC in Yii 2.0 but it does not work - meaning it does not prevent any of the pages from being loaded - even as guest.

This is in my web.php config (also in my console.php):

    'authManager' => [
        'class' => 'yii\rbac\DbManager',
    ],

The migrations have completed successfully.

This is what behaviors() looks like at the moment, but I tried many different ways.

    // Assumes: use yii\filters\AccessControl; use yii\filters\VerbFilter;
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        // the 'error' action is allowed for everyone; any other
                        // action matches no rule and is therefore denied
                        'actions' => ['error'],
                        'allow' => true,
                        //'roles' => ["?"],
                    ],
                ],
            ],
            'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    'logout' => ['post'],
                ],
            ],
        ];
    }

If I implement the behaviors() function in my controller, the framework starts doing some access-handling, but the goal of using a DB as I understand should be that the RBAC system takes over this responsibility - meaning I don't have to enable/disable every single action I write for every single role.

I have added a Role "Admin" and assigned a few of the available routes (actions) to it. Then I assigned this role to my User name. In theory this should enable my login to access those specific routes but nothing else - instead, I can traverse the site however I please, no 403s whatsoever. (This is why I'm saying RBAC acts like it's non-existing.)

Any hints or tips are appreciated.

Thanks.

Answer

Solution:

Where is your authManager configuration located?

According to the [yii2 guide]:

If you are using yii2-basic-app template, there is a config/console.php configuration file where the authManager needs to be declared additionally to config/web.php. In case of yii2-advanced-app the authManager should be declared only once in common/config/main.php.

Update to this question: I just tried to do RBAC manually.

My result: we must add a conditional in every action, like

    ...
    public function actionAbout()
    {
        // 'ViewAbout' is a permission name checked through the configured authManager
        if (Yii::$app->user->can('ViewAbout')) {
            echo "you may see view about";
        } else {
            echo "view about is prohibited";
        }
        // return $this->render('about');
    }
    ...

If you want to assign it in a common way, you'd better use an extension/module that handles authManager (like yii2-admin, yii2-mimin, etc.).

Hope this answer helps.

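The point both posts circle around is that Yii2's authManager only answers `can()` questions; nothing enforces them unless a filter or an action asks. An added example (not code from the question or the answer) of wiring that check into one base controller so every route is denied unless the current user holds the RBAC permission named after it. It assumes the `DbManager` setup above, with permissions named like `site/about` assigned to a role such as `Admin`; the class name `RbacController` and the permission-naming scheme are this example's own choices:

```php
<?php
// Added example: deny-by-default base controller that checks the RBAC
// permission named after the route (e.g. "site/about") for every action.
// Assumes 'authManager' => ['class' => 'yii\rbac\DbManager'] is configured.

namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;

class RbacController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    // The error and login actions must stay reachable, otherwise
                    // a denied guest is redirected to a page that is itself denied.
                    [
                        'actions' => ['error', 'login'],
                        'allow' => true,
                    ],
                    // Everything else is allowed only when authManager confirms the
                    // user holds a permission whose name equals the action's route.
                    // For a guest, can() resolves against defaultRoles only.
                    [
                        'allow' => true,
                        'matchCallback' => function ($rule, $action) {
                            return Yii::$app->user->can($action->getUniqueId());
                        },
                    ],
                    // No rule matched: AccessControl denies (login redirect for
                    // guests, HTTP 403 for authenticated users).
                ],
            ],
        ];
    }
}
```

Controllers then `extends RbacController` instead of `Controller`, and a route becomes reachable only after `createPermission('site/about')`, `addChild($adminRole, $permission)` and `assign($adminRole, $userId)` have been run against the same authManager; a new action with no matching permission is a 403, which is the default-deny behaviour the question expected.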