yiisoft / yii2

Yii 2: The Fast, Secure and Professional PHP Framework
http://www.yiiframework.com
BSD 3-Clause "New" or "Revised" License

Authenticator behavior should always try to authenticate #7776

Closed fabiomlferreira closed 8 years ago

fabiomlferreira commented 9 years ago

I am creating a restful service and I'm using QueryParamAuth.

An example:

    public function behaviors()
    {
        return ArrayHelper::merge(parent::behaviors(), [
            'authenticator' => [
                'class' => QueryParamAuth::className(),
                //'only' => ['subscrever', 'noticias', 'noticia', 'categorias'],
                'only' => ['subscrever'],
            ],
            'contentNegotiator' => [
                'formats' => [
                    'application/json' => Response::FORMAT_JSON,
                ],
            ],
        ]);
    }

As you can see, only "subscrever" requires authentication. If I access "noticias" and provide an access token, the access token is ignored and the user is not authenticated. I think this class should have an option to always try to authenticate.

In my case the action "noticias" returns all the news, but for registered users it returns only the news from the categories that the user subscribes to.

glagola commented 9 years ago

It seems I have a similar problem: part of my REST API is accessible to guests. I think the authenticator should silently try to authenticate, and ActiveController::checkAccess() / Access Control Filter / RBAC should decide whether to throw UnauthorizedHttpException or not.

jpodpro commented 8 years ago

This is essentially a duplicate of issue #7405 - an issue I'm surprised has not been addressed. Once logged in, a user should remain logged in until they log out. Yii treats them as a guest if they access a public page. Strange behavior.

SilverFire commented 8 years ago

#10188

SilverFire commented 8 years ago

Fixed https://github.com/yiisoft/yii2/commit/035a9ce0a8642dc1218f4b5d587dfde4daa382f2
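The behavior requested in this thread, as an added example that is not part of the thread or the Yii project's own code: the authenticator runs on both actions, but a missing token is only an error for "subscrever". It assumes a Yii 2 release in which `yii\filters\auth\AuthMethod` has the `optional` property; the controller name, base class, sample data and user id 42 are constructed for illustration.

```php
<?php
namespace app\controllers;
use Yii;
use yii\filters\auth\QueryParamAuth;
use yii\helpers\ArrayHelper;
use yii\rest\Controller;
use yii\web\Response;
// Added example: controller name, sample data and user id 42 are constructed.
class NoticiasController extends Controller
{
    private $news = [
        ['id' => 1, 'category' => 'desporto', 'title' => 'Sample A'],
        ['id' => 2, 'category' => 'economia', 'title' => 'Sample B'],
    ];
    private $subscriptions = [42 => ['desporto']]; // user id => category names

    public function behaviors()
    {
        return ArrayHelper::merge(parent::behaviors(), [
            'authenticator' => [
                'class' => QueryParamAuth::className(),
                // Run the filter for both actions so a supplied token is evaluated.
                'only' => ['subscrever', 'noticias'],
                // Assumes AuthMethod::$optional exists in the installed Yii 2 release:
                // a request to these actions without a token continues as a guest.
                'optional' => ['noticias'],
            ],
            'contentNegotiator' => ['formats' => ['application/json' => Response::FORMAT_JSON]],
        ]);
    }

    public function actionNoticias()
    {
        $user = Yii::$app->user;
        if ($user->isGuest) {
            return $this->news; // no identity: unfiltered public list
        }
        $wanted = isset($this->subscriptions[$user->id]) ? $this->subscriptions[$user->id] : [];
        return array_values(array_filter($this->news, function ($item) use ($wanted) {
            return in_array($item['category'], $wanted, true);
        }));
    }

    public function actionSubscrever()
    {
        // Not in `optional`: the filter has already rejected requests without a valid token.
        return ['userId' => Yii::$app->user->id];
    }
}
```

Because an optional action can be reached as a guest, any per-user decision inside it has to branch on `Yii::$app->user->isGuest` or go through access control, as suggested earlier in the thread.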