mdmsoft / yii2-admin

Auth manager for Yii2 (RBAC Manager)
GNU General Public License v3.0
1.16k stars, 574 forks

How to restrict access to the admin panel (admin / *) #174

Open zolton007 opened 9 years ago

zolton007 commented 9 years ago

Hello from Russia! Sorry for my English :) I need help! I installed the module from the archive (unpacked into the "vendor" directory). My "config/web.php":

$config = [
    ...
    'aliases' => [
        '@mdm/admin' => '@vendor/mdm/yii2-admin',
        'layout' => 'right-menu'
    ],
    'modules' => [
        'admin' => [
            'class' => 'mdm\admin\Module',
        ]
    ],
    ...
    'components' => [
        'authManager' => [
            'class' => 'yii\rbac\DbManager',
            'defaultRoles' => ['guest']
        ],
        ...
    ],
    ...
    'as access' => [
        'class' => 'mdm\admin\components\AccessControl',
        'allowActions' => [
            '*' // every route is whitelisted, so the filter never checks a permission
        ]
    ],
    ...
]

In the configuration file I have a default role "guest", and I also created this role through the admin panel. In the controller I check access as follows:

// controller action; imports assumed: Yii, yii\web\ForbiddenHttpException and the Category model
public function actionList()
{
    if (Yii::$app->user->can('view_categories')) {
        $categories = Category::find()
            ->orderBy('tree, lft')
            ->all();
        return $this->render('list', [
            'categories' => $categories
        ]);
    } else {
        throw new ForbiddenHttpException('Access denied');
    }
}

Question: How can I restrict access to the admin panel (admin/*)? For example, so that only users with the "admin" role can get in.

Thanks in advance!

zolton007 commented 9 years ago

Maybe add an "access" block to the controller's "behaviors"? (e.g., taken from the PermissionController):

'access' => [
    'class' => AccessControl::className(),
    'rules' => [
        [
            'actions' => ['index', 'view', 'create', 'update', 'delete', 'assign', 'search'],
            'allow' => true,
            'roles' => ['admin'],
        ],
    ],
],

Or can you suggest a more elegant solution?

Clyff commented 9 years ago

In your config, you only use 'as access' for the routes anyone can have access to. You have a '*'; comment it out or remove it.

'as access' => [
    'class' => 'mdm\admin\components\AccessControl',
    'allowActions' => [
        //'*'
    ]
],
zolton007 commented 9 years ago

If I comment out/remove '*', all controllers become unavailable, even for the user with the "admin" role :-(

Clyff commented 9 years ago

here is my web.php:

$config = [
   //Other configs...

    'as access' => [
        'class' => 'mdm\admin\components\AccessControl',
        'allowActions' => [
            /*'admin/*',
            'gii/*',
            'user/*',
            'debug/*',*/
            'site/index', // home
            'site/captcha', // captcha in contact
            'user/security/*', // login and logout
            'user/recovery/*', // change password
            'user/settings/*', // edit self infos
            'user/profile/*', // user Profile
        ]
    ],

    //Other configs...
]

Btw, I'm using another module for users (dektrium/yii2-user), so I'm calling some routes from there too. The first 4 lines in my allowActions I commented out after: 1. creating my user (with the other module), 2. checking all routes as assigned (in Menu Routes), 3. creating permissions with the routes I needed (Menu Permissions), 4. creating roles and delegating permissions to each one (menu Roles), 5. assigning my user to a role which has all access, meaning the '/*' (Menu Assignments / Grant Access).

Sure, you can skip step 3 and create a role directly with the routes (since routes are permissions).
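To see why a bare '*' in allowActions opens everything and why removing it locks out a user who has not yet been assigned a route permission, here is an added stand-alone PHP model of the two checks the 'as access' filter performs. This is not code from mdm/yii2-admin or from anyone in this thread; it assumes the filter (a) skips itself for any route listed in allowActions, treating a trailing '*' as a prefix match, and (b) otherwise asks the auth manager for a permission named after the route, falling back to the parent wildcards ('/admin/user/*', '/admin/*', '/*'). The roles, permissions and routes are constructed for the example; the real filter also exempts the error action and the login URL, which this model does not reproduce.

```php
<?php
// Added example, not part of mdm/yii2-admin: a simplified model of how
// mdm\admin\components\AccessControl decides whether a request reaches an action.
declare(strict_types=1);

/** True when $route is whitelisted by allowActions; the filter then does no RBAC check at all. */
function isAllowedWithoutCheck(string $route, array $allowActions): bool
{
    foreach ($allowActions as $pattern) {
        if (substr($pattern, -1) === '*') {
            $prefix = rtrim($pattern, '*');
            // A bare '*' leaves an empty prefix: every route matches, i.e. access control is off.
            if ($prefix === '' || strpos($route, $prefix) === 0) {
                return true;
            }
        } elseif ($route === $pattern) {
            return true;
        }
    }
    return false;
}

/** RBAC check: does the user hold a route permission covering $route, directly or via a parent wildcard? */
function userCanRoute(string $route, array $userPermissions): bool
{
    $r = '/' . ltrim($route, '/');
    if (isset($userPermissions[$r])) {
        return true;
    }
    // Walk up the hierarchy: /admin/user/index -> /admin/user/* -> /admin/* -> /*
    while (($pos = strrpos($r, '/')) !== false && $pos > 0) {
        $r = substr($r, 0, $pos);
        if (isset($userPermissions[$r . '/*'])) {
            return true;
        }
    }
    return isset($userPermissions['/*']);
}

function decide(string $route, array $allowActions, array $userPermissions): string
{
    if (isAllowedWithoutCheck($route, $allowActions)) {
        return 'allow (whitelisted, no RBAC check)';
    }
    return userCanRoute($route, $userPermissions) ? 'allow (route permission)' : 'deny (403)';
}

// Constructed sample data: what each role holds after the steps in the comment above.
$permissionsByRole = [
    'admin'  => ['/*' => true],                                   // step 5: "grant all" via /*
    'editor' => ['/admin/user/*' => true, '/site/*' => true],     // a narrower role
    'guest'  => [],                                               // default role, no route permissions yet
];

$weakAllow  = ['*'];                                              // the original config: nothing is ever checked
$fixedAllow = ['site/index', 'site/captcha', 'user/security/*'];  // public routes only, as in the fixed web.php

$routes = ['site/index', 'admin/user/index', 'admin/assignment/assign', 'user/security/login'];

foreach (['weak' => $weakAllow, 'fixed' => $fixedAllow] as $label => $allow) {
    echo "== allowActions: $label ==\n";
    foreach ($permissionsByRole as $role => $perms) {
        foreach ($routes as $route) {
            printf("%-7s %-26s %s\n", $role, $route, decide($route, $allow, $perms));
        }
    }
}
```

Running it shows the two failure modes discussed in the thread: with `['*']` every route, including `admin/assignment/assign`, is whitelisted for every role, so the RBAC data is never consulted; with the fixed list, `guest` is denied on the admin routes, `admin` gets through because `/*` covers everything, and a user whose role holds no route permission is denied on everything outside the whitelist, which is the lockout reported above and is resolved by assigning a role that holds `/admin/*` or `/*` before removing the wildcard.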