I am building an administration backend (in Yii) for the web app, and it should be disabled for ordinary users. In other words I have to make access to http://www.taxitaxi.kz/dispatcher/index.php private. I tried to insert some accessRules in SiteController, but it works in another way.
Awaiting your advice, thanks.
Add the rule in accessRules() of your controller:
public function accessRules()
{
    return array(
        array('allow',
            'actions'=>array('actionName'),
            'users'=>array('admin')),
    );
}
To make the controller use the rules you define in accessRules(), you also need to enable the accessControl filter:
public function filters()
{
return array('accessControl');
}
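The effect of the rule above can be checked without booting an application. The following is an added example, not code from the answer or from Yii itself: a framework-free re-implementation of the matching semantics of Yii 1.1's CAccessControlFilter (first matching rule wins, and when no rule matches, access is granted), handling only the 'actions', 'users' and 'roles' keys. The user names and roles are constructed sample data.

```php
<?php
// Added example, not code from the answer or from Yii: a stand-alone model of
// how CAccessControlFilter walks accessRules(). Only 'actions', 'users' and
// 'roles' are handled; the user names below are constructed sample data.

function ruleMatches(array $rule, string $action, ?string $username, array $userRoles): bool
{
    // 'actions': the rule applies only to the listed actions (case-insensitive)
    if (isset($rule['actions'])
        && !in_array(strtolower($action), array_map('strtolower', $rule['actions']), true)) {
        return false;
    }
    // 'users': '*' everyone, '?' guests only, '@' any authenticated user, otherwise a user name
    if (isset($rule['users'])) {
        $hit = false;
        foreach ($rule['users'] as $u) {
            if ($u === '*') {
                $hit = true;
            } elseif ($u === '?' && $username === null) {
                $hit = true;
            } elseif ($u === '@' && $username !== null) {
                $hit = true;
            } elseif ($username !== null && strcasecmp($u, $username) === 0) {
                $hit = true;
            }
        }
        if (!$hit) {
            return false;
        }
    }
    // 'roles': at least one of the listed roles must be held by the user
    if (isset($rule['roles']) && count(array_intersect($rule['roles'], $userRoles)) === 0) {
        return false;
    }
    return true;
}

// First matching rule decides; with no match, Yii's filter ALLOWS the request.
function isAllowed(array $rules, string $action, ?string $username, array $userRoles = []): bool
{
    foreach ($rules as $rule) {
        if (ruleMatches($rule, $action, $username, $userRoles)) {
            return $rule[0] === 'allow';
        }
    }
    return true; // no rule matched: default is allow
}

// The rule set from the answer, on its own.
$allowOnly = [
    ['allow', 'actions' => ['admin'], 'users' => ['admin']],
];

// The same rule plus the usual trailing "deny everyone else" rule.
$allowThenDeny = [
    ['allow', 'actions' => ['admin'], 'users' => ['admin']],
    ['deny',  'users' => ['*']],
];

$cases = [
    ['admin', 'admin'], // the administrator
    ['admin', 'alice'], // another logged-in user
    ['admin', null],    // a guest
];

foreach ($cases as [$action, $user]) {
    printf("%-6s as %-6s  allow-only: %-5s  allow+deny: %s\n",
        $action, $user ?? 'guest',
        var_export(isAllowed($allowOnly, $action, $user), true),
        var_export(isAllowed($allowThenDeny, $action, $user), true));
}
```

Running it shows that with the single allow rule, alice and the guest still reach the admin action, because no rule matched them and the filter's default is to allow; only the trailing deny rule for '*' turns the list into a whitelist. That trailing deny is what makes the dispatcher backend actually private.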
I am not sure how to ask this, but here it goes. I am trying to make a route or URL from a controller that will only be available after the user logs in. I don't know how to find this code in asp.net core 2.1. I know how to do it for the view part:
@if (SignInManager.IsSignedIn(User)) { /* authorized section */ }
But I am not sure about the controller/route parts. So, I need your help to learn this properly.
Thank you.
I'm not sure exactly what you're asking. If your question is how you can make the route not exist at all, that is impossible. If it's exposed, it's exposed. However, you can force a user to be authorized to access it, which brings me to the next possible interpretation: how do you force a user to be authorized in order to access a particular route. That is simple; you just decorate the action with the Authorize attribute:
[Authorize]
public IActionResult OnlyForAuthenticateUsers()
You can also decorate the controller class, instead, which will protect every action in the controller:
[Authorize]
public class MyController
If you just need one or so actions to be open, such as a "signin" action in a controller that otherwise has actions only available to authenticated users, then you can utilize the AllowAnonymous attribute:
[AllowAnonymous]
public IActionResult SignIn()
Finally, the Authorize attribute also lets you specify roles and/or policies that must be satisfied in addition to being authenticated. For example, to lock down a particular action to only "Admin" users, you might do something like [Authorize(Roles = "Admin")].
I am implementing a REST API in Yii2. I want to authenticate the user using an access token. I have referred to various SO answers, as follows:
Rest api bearer authentication
Rest api bearer auth
Yii2 Rest api authentication
But I'm not clear on which authentication method I should use and how I will get the user identity.
I have created the findIdentityByAccessToken() method in my user identity class as suggested in the Yii2 REST guide.
Below is the behavior implemented in my controller:
// at the top of the controller file:
use yii\filters\auth\HttpBasicAuth;

public function behaviors()
{
    $behaviors = parent::behaviors();
    $behaviors['authenticator'] = [
        'class'  => HttpBasicAuth::className(),
        'except' => ['login', 'forgot-password'],
    ];
    return $behaviors;
}
Now, how will I get the user identity inside my controller action? As far as I know, the access token will be set by the web service inside the request header.
Note: I am using the Yii2 advanced app.
Please help me.
Simple answer: there's more than one way to implement this behavior.
Both HttpBearerAuth and HttpBasicAuth can use the findIdentityByAccessToken() method when configured correctly. The behavior you should use depends on the way you want users to authenticate themselves.
If you read the documentation of HttpBasicAuth you'll see:
The default implementation of HttpBasicAuth uses the loginByAccessToken() method of the user application component and only passes the user name. This implementation is used for authenticating API clients.
loginByAccessToken() will invoke the findIdentityByAccessToken() method.
You can manipulate this behavior by defining a closure in the auth attribute (see auth attribute).
HttpBearerAuth almost does the same; it also uses loginByAccessToken().
So what makes the two different from each other? Simple: the location they get the data from. HttpBasicAuth expects that the client has set the Basic header, for example header('Authorization: Basic ' . base64_encode("user:password")); (PHP has built-in support for this, see: http://php.net/manual/en/features.http-auth.php).
HttpBearerAuth expects that the header is defined as follows: header('Authorization: Bearer ' . $token);
So the solution you should use depends on the way you want users/clients to authenticate themselves. You could also use QueryParamAuth, which gives users the possibility to authenticate themselves with a GET param (see QueryParamAuth).
And if you want to use a custom header, let's say X-API-Token, create your own custom class that implements the AuthMethod interface (see AuthMethod).
Hope this helps
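To make the difference between the three header locations concrete, here is an added example (not code from the answer or from Yii) written without the framework: one extractor per scheme, mirroring where HttpBasicAuth, HttpBearerAuth and a custom X-API-Token method each read the credential, feeding a stand-in for findIdentityByAccessToken(). The token table, the user names and the request headers are constructed sample data, and the stand-in lookup is hypothetical; a real identity class would query its user table.

```php
<?php
// Added example, not code from the answer or from Yii. Shows what each
// auth method extracts from a request and how the resulting token reaches
// findIdentityByAccessToken(). All tokens, users and headers are constructed.

// Hypothetical stand-in for the identity class's token storage.
const USERS_BY_TOKEN = [
    'd6a1f0c3b9e2478d91c5a7e3f0b2c4d8' => ['id' => 1, 'username' => 'alice'],
    '0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c' => ['id' => 2, 'username' => 'bob'],
];

// Stand-in for IdentityInterface::findIdentityByAccessToken().
function findIdentityByAccessToken(string $token): ?array
{
    foreach (USERS_BY_TOKEN as $stored => $identity) {
        // hash_equals() compares in constant time, so a wrong token does not
        // leak how many leading characters matched.
        if (hash_equals($stored, $token)) {
            return $identity;
        }
    }
    return null;
}

// HttpBasicAuth: "Authorization: Basic base64(user:password)". By default only
// the user-name part is passed to loginByAccessToken(), so an API client puts
// the token in that position and leaves the password empty.
function tokenFromBasic(array $headers): ?string
{
    if (!isset($headers['Authorization'])
        || !preg_match('/^Basic\s+(\S+)$/', $headers['Authorization'], $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false) {
        return null;
    }
    $user = explode(':', $decoded, 2)[0];
    return $user !== '' ? $user : null;
}

// HttpBearerAuth: "Authorization: Bearer <token>"
function tokenFromBearer(array $headers): ?string
{
    if (isset($headers['Authorization'])
        && preg_match('/^Bearer\s+(\S+)$/', $headers['Authorization'], $m)) {
        return $m[1];
    }
    return null;
}

// A custom AuthMethod reads whatever header it defines, here X-API-Token.
function tokenFromCustomHeader(array $headers): ?string
{
    return $headers['X-API-Token'] ?? null;
}

// Constructed requests, one per scheme, all carrying alice's token, plus one
// request whose token differs in its last character.
$token = 'd6a1f0c3b9e2478d91c5a7e3f0b2c4d8';
$requests = [
    'basic'  => ['Authorization' => 'Basic ' . base64_encode($token . ':')],
    'bearer' => ['Authorization' => 'Bearer ' . $token],
    'custom' => ['X-API-Token' => $token],
    'bad'    => ['Authorization' => 'Bearer ' . substr($token, 0, 31) . 'x'],
];

foreach ($requests as $name => $headers) {
    $extracted = tokenFromBasic($headers) ?? tokenFromBearer($headers) ?? tokenFromCustomHeader($headers);
    $identity  = $extracted === null ? null : findIdentityByAccessToken($extracted);
    printf("%-7s -> %s\n", $name, $identity ? 'user ' . $identity['username'] : 'unauthenticated');
}
```

The first three requests resolve to alice and the last one is rejected. Inside a Yii2 action, once the authenticator behavior has run, the identity returned by findIdentityByAccessToken() is what Yii::$app->user->identity holds, so the action never parses the header itself; the choice between HttpBasicAuth, HttpBearerAuth or a custom method only changes which of the three extractors above the framework performs for you.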
I am a novice to the MVC4 environment, and I am trying to restrict access to a specific controller on the basis of role.
[Authorize(Roles = "Administrators")]
public class AdminController : Controller
{
}
It works fine and asks for user credentials. But I don't want it to ask for credentials. Rather, it should automatically check the role of the Windows user, and if he is a member of the specific role, allow him to access the website page.
Can you please guide me on how to do that?
With the help of @Wiktor's comment I was able to arrive at a solution for it.
See my answer at - Window authentication not working in MVC4
I installed the yii user extension and now I am wondering how I can add an extra role. I added a new column in the User db table and edited the UserModule like this:
private static $_employee;

public static function isEmployee()
{
    if (Yii::app()->user->isGuest) {
        return false;
    }
    if (!isset(self::$_employee)) {
        // check to see what kind of user we got (the new column) and include admin for all
        self::$_employee = (bool) self::user()->type;
    }
    return self::$_employee;
}
And then when I try calling this in the rest of my site it does not seem to work:
'visible' => Yii::app()->user->isEmployee()
What am I doing wrong, or what would be the best way to add an extra role that I can call on the site as above?
I don't know which extension exactly you installed, but you confused it with the user component. The user component is what you can access through Yii::app()->user. It's a CWebUser object by default. You can create your custom class WebUser extends CWebUser in the components/ directory. You would configure this as the user component in your main.php config file:
'components' => array(
'user' => 'WebUser',
),
Then you move your isEmployee() method into that class. As you didn't provide any details on which extension you used, I can not really help you get that role check right. But I wonder if you shouldn't rather use an RBAC-based solution. It allows you to create roles and assign them to users. There are also several extensions that help you manage roles and users.
Yii User is not meant for adding roles to users, it only handles user account management.
You may install an additional extension like rights, auth or srbac (see list) which provides a web-interface for this task.
I am learning the Yii framework and I am creating a sample application as well.
In my application I have three user roles:
Super admin
Author
and Registered Users
I want Authors to do CRUD operations on Articles.
I have extended all my controllers from Yii's RController and added the following code to the filters:
public function filters()
{
return array(
//'accessControl', // perform access control for CRUD operations
'postOnly + delete', // we only allow deletion via POST request
'rights',
);
}
According to the Yii documentation, and as I understand it, Yii should do the filtering automatically for me? But even when I log in with a Super Admin account it says "Error 403 You are not authorized to perform this action."