|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* @link https://www.yiiframework.com/ |
|
4
|
|
|
* @copyright Copyright (c) 2008 Yii Software LLC |
|
5
|
|
|
* @license https://www.yiiframework.com/license/ |
|
6
|
|
|
*/ |
|
7
|
|
|
|
|
8
|
|
|
namespace yii\filters; |
|
9
|
|
|
|
|
10
|
|
|
use Yii; |
|
11
|
|
|
use yii\base\Action; |
|
12
|
|
|
use yii\base\ActionFilter; |
|
13
|
|
|
use yii\di\Instance; |
|
14
|
|
|
use yii\web\ForbiddenHttpException; |
|
15
|
|
|
use yii\web\User; |
|
16
|
|
|
|
|
17
|
|
|
/** |
|
18
|
|
|
* AccessControl provides simple access control based on a set of rules. |
|
19
|
|
|
* |
|
20
|
|
|
* AccessControl is an action filter. It will check its [[rules]] to find |
|
21
|
|
|
* the first rule that matches the current context variables (such as user IP address, user role). |
|
22
|
|
|
* The matching rule will dictate whether to allow or deny the access to the requested controller |
|
23
|
|
|
* action. If no rule matches, the access will be denied. |
|
24
|
|
|
* |
|
25
|
|
|
* To use AccessControl, declare it in the `behaviors()` method of your controller class. |
|
26
|
|
|
* For example, the following declarations will allow authenticated users to access the "create" |
|
27
|
|
|
* and "update" actions and deny all other users from accessing these two actions. |
|
28
|
|
|
* |
|
29
|
|
|
* ```php |
|
30
|
|
|
* public function behaviors() |
|
31
|
|
|
* { |
|
32
|
|
|
* return [ |
|
33
|
|
|
* 'access' => [ |
|
34
|
|
|
* 'class' => \yii\filters\AccessControl::class, |
|
35
|
|
|
* 'only' => ['create', 'update'], |
|
36
|
|
|
* 'rules' => [ |
|
37
|
|
|
* // deny all POST requests |
|
38
|
|
|
* [ |
|
39
|
|
|
* 'allow' => false, |
|
40
|
|
|
* 'verbs' => ['POST'] |
|
41
|
|
|
* ], |
|
42
|
|
|
* // allow authenticated users |
|
43
|
|
|
* [ |
|
44
|
|
|
* 'allow' => true, |
|
45
|
|
|
* 'roles' => ['@'], |
|
46
|
|
|
* ], |
|
47
|
|
|
* // everything else is denied |
|
48
|
|
|
* ], |
|
49
|
|
|
* ], |
|
50
|
|
|
* ]; |
|
51
|
|
|
* } |
|
52
|
|
|
* ``` |
|
53
|
|
|
* |
|
54
|
|
|
* @author Qiang Xue <[email protected]> |
|
55
|
|
|
* @since 2.0 |
|
56
|
|
|
*/ |
|
57
|
|
|
class AccessControl extends ActionFilter |
|
58
|
|
|
{ |
|
59
|
|
|
/** |
|
60
|
|
|
* @var User|array|string|false the user object representing the authentication status or the ID of the user application component. |
|
61
|
|
|
* Starting from version 2.0.2, this can also be a configuration array for creating the object. |
|
62
|
|
|
* Starting from version 2.0.12, you can set it to `false` to explicitly switch this component support off for the filter. |
|
63
|
|
|
*/ |
|
64
|
|
|
public $user = 'user'; |
|
65
|
|
|
/** |
|
66
|
|
|
* @var callable|null a callback that will be called if the access should be denied |
|
67
|
|
|
* to the current user. This is the case when either no rule matches, or a rule with |
|
68
|
|
|
* [[AccessRule::$allow|$allow]] set to `false` matches. |
|
69
|
|
|
* If not set, [[denyAccess()]] will be called. |
|
70
|
|
|
* |
|
71
|
|
|
* The signature of the callback should be as follows: |
|
72
|
|
|
* |
|
73
|
|
|
* ```php |
|
74
|
|
|
* function ($rule, $action) |
|
75
|
|
|
* ``` |
|
76
|
|
|
* |
|
77
|
|
|
* where `$rule` is the rule that denies the user, and `$action` is the current [[Action|action]] object. |
|
78
|
|
|
* `$rule` can be `null` if access is denied because none of the rules matched. |
|
79
|
|
|
*/ |
|
80
|
|
|
public $denyCallback; |
|
81
|
|
|
/** |
|
82
|
|
|
* @var array the default configuration of access rules. Individual rule configurations |
|
83
|
|
|
* specified via [[rules]] will take precedence when the same property of the rule is configured. |
|
84
|
|
|
*/ |
|
85
|
|
|
public $ruleConfig = ['class' => 'yii\filters\AccessRule']; |
|
86
|
|
|
/** |
|
87
|
|
|
* @var array a list of access rule objects or configuration arrays for creating the rule objects. |
|
88
|
|
|
* If a rule is specified via a configuration array, it will be merged with [[ruleConfig]] first |
|
89
|
|
|
* before it is used for creating the rule object. |
|
90
|
|
|
* @see ruleConfig |
|
91
|
|
|
*/ |
|
92
|
|
|
public $rules = []; |
|
93
|
|
|
|
|
94
|
|
|
|
|
95
|
|
|
/** |
|
96
|
|
|
* Initializes the [[rules]] array by instantiating rule objects from configurations. |
|
97
|
|
|
*/ |
|
98
|
1 |
|
public function init() |
|
99
|
|
|
{ |
|
100
|
1 |
|
parent::init(); |
|
101
|
1 |
|
if ($this->user !== false) { |
|
102
|
1 |
|
$this->user = Instance::ensure($this->user, User::className()); |
|
|
|
|
|
|
103
|
|
|
} |
|
104
|
1 |
|
foreach ($this->rules as $i => $rule) { |
|
105
|
|
|
if (is_array($rule)) { |
|
106
|
|
|
$this->rules[$i] = Yii::createObject(array_merge($this->ruleConfig, $rule)); |
|
107
|
|
|
} |
|
108
|
|
|
} |
|
109
|
|
|
} |
|
110
|
|
|
|
|
111
|
|
|
/** |
|
112
|
|
|
* This method is invoked right before an action is to be executed (after all possible filters.) |
|
113
|
|
|
* You may override this method to do last-minute preparation for the action. |
|
114
|
|
|
* @param Action $action the action to be executed. |
|
115
|
|
|
* @return bool whether the action should continue to be executed. |
|
116
|
|
|
*/ |
|
117
|
|
|
public function beforeAction($action) |
|
118
|
|
|
{ |
|
119
|
|
|
$user = $this->user; |
|
120
|
|
|
$request = Yii::$app->getRequest(); |
|
121
|
|
|
/* @var $rule AccessRule */ |
|
122
|
|
|
foreach ($this->rules as $rule) { |
|
123
|
|
|
if ($allow = $rule->allows($action, $user, $request)) { |
|
124
|
|
|
return true; |
|
125
|
|
|
} elseif ($allow === false) { |
|
126
|
|
|
if (isset($rule->denyCallback)) { |
|
127
|
|
|
call_user_func($rule->denyCallback, $rule, $action); |
|
128
|
|
|
} elseif ($this->denyCallback !== null) { |
|
129
|
|
|
call_user_func($this->denyCallback, $rule, $action); |
|
130
|
|
|
} else { |
|
131
|
|
|
$this->denyAccess($user); |
|
132
|
|
|
} |
|
133
|
|
|
|
|
134
|
|
|
return false; |
|
135
|
|
|
} |
|
136
|
|
|
} |
|
137
|
|
|
if ($this->denyCallback !== null) { |
|
138
|
|
|
call_user_func($this->denyCallback, null, $action); |
|
139
|
|
|
} else { |
|
140
|
|
|
$this->denyAccess($user); |
|
141
|
|
|
} |
|
142
|
|
|
|
|
143
|
|
|
return false; |
|
144
|
|
|
} |
|
145
|
|
|
|
|
146
|
|
|
/** |
|
147
|
|
|
* Denies the access of the user. |
|
148
|
|
|
* The default implementation will redirect the user to the login page if he is a guest; |
|
149
|
|
|
* if the user is already logged, a 403 HTTP exception will be thrown. |
|
150
|
|
|
* @param User|false $user the current user or boolean `false` in case of detached User component |
|
151
|
|
|
* @throws ForbiddenHttpException if the user is already logged in or in case of detached User component. |
|
152
|
|
|
*/ |
|
153
|
|
|
protected function denyAccess($user) |
|
154
|
|
|
{ |
|
155
|
|
|
if ($user !== false && $user->getIsGuest()) { |
|
156
|
|
|
$user->loginRequired(); |
|
157
|
|
|
} else { |
|
158
|
|
|
throw new ForbiddenHttpException(Yii::t('yii', 'You are not allowed to perform this action.')); |
|
159
|
|
|
} |
|
160
|
|
|
} |
|
161
|
|
|
} |
|
162
|
|
|
|
yiisoft /
yii2
Bizley
This function has been deprecated. The supplier of the function has supplied an explanatory message.
The explanatory message should give you some clue as to whether and when the function will be removed and what other function to use instead.