Commit 05182207 by Qiang Xue

Fixes issue #579: AccessControl deny rule by default

parent 36655d3b
...@@ -288,7 +288,6 @@ public function behaviors() ...@@ -288,7 +288,6 @@ public function behaviors()
'class' => 'yii\web\AccessControl', 'class' => 'yii\web\AccessControl',
'rules' => array( 'rules' => array(
array('allow' => true, 'actions' => array('admin'), 'roles' => array('@')), array('allow' => true, 'actions' => array('admin'), 'roles' => array('@')),
array('allow' => false),
), ),
), ),
); );
......
...@@ -17,7 +17,7 @@ use yii\base\ActionFilter; ...@@ -17,7 +17,7 @@ use yii\base\ActionFilter;
* AccessControl is an action filter. It will check its [[rules]] to find * AccessControl is an action filter. It will check its [[rules]] to find
* the first rule that matches the current context variables (such as user IP address, user role). * the first rule that matches the current context variables (such as user IP address, user role).
* The matching rule will dictate whether to allow or deny the access to the requested controller * The matching rule will dictate whether to allow or deny the access to the requested controller
* action. * action. If no rule matches, the access will be denied.
* *
* To use AccessControl, declare it in the `behaviors()` method of your controller class. * To use AccessControl, declare it in the `behaviors()` method of your controller class.
* For example, the following declarations will allow authenticated users to access the "create" * For example, the following declarations will allow authenticated users to access the "create"
...@@ -105,7 +105,7 @@ class AccessControl extends ActionFilter ...@@ -105,7 +105,7 @@ class AccessControl extends ActionFilter
/** @var $rule AccessRule */ /** @var $rule AccessRule */
foreach ($this->rules as $rule) { foreach ($this->rules as $rule) {
if ($allow = $rule->allows($action, $user, $request)) { if ($allow = $rule->allows($action, $user, $request)) {
break; return true;
} elseif ($allow === false) { } elseif ($allow === false) {
if (isset($rule->denyCallback)) { if (isset($rule->denyCallback)) {
call_user_func($rule->denyCallback, $rule); call_user_func($rule->denyCallback, $rule);
...@@ -117,7 +117,7 @@ class AccessControl extends ActionFilter ...@@ -117,7 +117,7 @@ class AccessControl extends ActionFilter
return false; return false;
} }
} }
return true; return false;
} }
/** /**
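Review bot: The new fall-through `return false;` after the rule loop denies the request without running any deny handling, whereas the explicit-deny branch above it calls `$rule->denyCallback` (plus whatever fallback sits in the lines between the hunks) before returning. If the elided lines hold the usual fallback, a request that matches no rule is now blocked silently, with no callback and presumably no login redirect or 403, which makes default denials harder to surface and to log. I would send the no-match case through the same filter-level deny path before returning, and mark the line with `// no rule matched: deny by default`. The method begins and ends outside the visible hunks, so this should be confirmed against the full body.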
......