I think there is a big security problem: the full userController has no access control. In this case anybody could change all of the users' log-in names and passwords.
I inserted the following to require users to log in:
    // namespace import (top of the controller file)
    use yii\filters\AccessControl;

    // access control (inside the array returned by behaviors())
    'access' => [
        'class' => AccessControl::className(),
        'rules' => [
            [
                'actions' => ['index', 'view', 'update', 'delete', 'create'],
                'allow' => true,
                'roles' => ['@'],
            ],
        ],
    ],
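An added example, not part of the original post and not the project's own code: the `'@'` role only checks that someone is logged in, so this sketch narrows the same `AccessControl` filter so that user management is limited to administrators and each user's own record. It assumes a Yii2 application whose identity class has a boolean attribute `isAdmin` (a hypothetical name) and actions that take the record id as the `id` query parameter.

```php
<?php
// Added example. `isAdmin` is a hypothetical attribute on the identity class.
namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use yii\web\Controller;

class UserController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    // Administrators may manage every account.
                    [
                        'actions' => ['index', 'view', 'create', 'update', 'delete'],
                        'allow' => true,
                        'roles' => ['@'],
                        'matchCallback' => function ($rule, $action) {
                            return (bool) Yii::$app->user->identity->isAdmin;
                        },
                    ],
                    // Other logged-in users may only view or update their own record.
                    [
                        'actions' => ['view', 'update'],
                        'allow' => true,
                        'roles' => ['@'],
                        'matchCallback' => function ($rule, $action) {
                            $id = Yii::$app->request->get('id');
                            return $id !== null && (string) $id === (string) Yii::$app->user->id;
                        },
                    ],
                    // No rule matches: AccessControl denies the request by default.
                ],
            ],
            // Accept deletes only as POST requests, never as plain GET links.
            'verbs' => [
                'class' => VerbFilter::class,
                'actions' => ['delete' => ['POST']],
            ],
        ];
    }
}
```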