Class yii\filters\AccessControl

Inheritanceyii\filters\AccessControl » yii\base\ActionFilter » yii\base\Behavior » yii\base\BaseObject
Implementsyii\base\Configurable
Available since version2.0
Source Code https://github.com/yiisoft/yii2/blob/master/framework/filters/AccessControl.php

AccessControl provides simple access control based on a set of rules.

AccessControl is an action filter. It will check its $rules to find the first rule that matches the current context variables (such as user IP address, user role). The matching rule will dictate whether to allow or deny the access to the requested controller action. If no rule matches, the access will be denied.

To use AccessControl, declare it in the behaviors() method of your controller class. For example, the following declarations will allow authenticated users to access the "create" and "update" actions and deny all other users from accessing these two actions.

public function behaviors()
{
    return [
        'access' => [
            'class' => \yii\filters\AccessControl::className(),
            'only' => ['create', 'update'],
            'rules' => [
                // deny all POST requests
                [
                    'allow' => false,
                    'verbs' => ['POST']
                ],
                // allow authenticated users
                [
                    'allow' => true,
                    'roles' => ['@'],
                ],
                // everything else is denied
            ],
        ],
    ];
}

Public Properties

Hide inherited properties

PropertyTypeDescriptionDefined By
$denyCallback callable A callback that will be called if the access should be denied to the current user. yii\filters\AccessControl
$except array List of action IDs that this filter should not apply to. yii\base\ActionFilter
$only array List of action IDs that this filter should apply to. yii\base\ActionFilter
$owner yii\base\Component|null The owner of this behavior yii\base\Behavior
$ruleConfig array The default configuration of access rules. yii\filters\AccessControl
$rules array A list of access rule objects or configuration arrays for creating the rule objects. yii\filters\AccessControl
$user yii\web\User|array|string|false The user object representing the authentication status or the ID of the user application component. yii\filters\AccessControl

Public Methods

Hide inherited methods

MethodDescriptionDefined By
__call() Calls the named method which is not a class method. yii\base\BaseObject
__construct() Constructor. yii\base\BaseObject
__get() Returns the value of an object property. yii\base\BaseObject
__isset() Checks if a property is set, i.e. defined and not null. yii\base\BaseObject
__set() Sets value of an object property. yii\base\BaseObject
__unset() Sets an object property to null. yii\base\BaseObject
afterAction() This method is invoked right after an action is executed. yii\base\ActionFilter
afterFilter() yii\base\ActionFilter
attach() Attaches the behavior object to the component. yii\base\Behavior
beforeAction() This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action. yii\filters\AccessControl
beforeFilter() yii\base\ActionFilter
canGetProperty() Returns a value indicating whether a property can be read. yii\base\BaseObject
canSetProperty() Returns a value indicating whether a property can be set. yii\base\BaseObject
className() Returns the fully qualified name of this class. yii\base\BaseObject
detach() Detaches the behavior object from the component. yii\base\Behavior
events() Declares event handlers for the $owner's events. yii\base\Behavior
hasMethod() Returns a value indicating whether a method is defined. yii\base\BaseObject
hasProperty() Returns a value indicating whether a property is defined. yii\base\BaseObject
init() Initializes the $rules array by instantiating rule objects from configurations. yii\filters\AccessControl

Protected Methods

Hide inherited methods

MethodDescriptionDefined By
denyAccess() Denies the access of the user. yii\filters\AccessControl
getActionId() Returns an action ID by converting yii\base\Action::$uniqueId into an ID relative to the module. yii\base\ActionFilter
isActive() Returns a value indicating whether the filter is active for the given action. yii\base\ActionFilter

Property Details

$denyCallback public property

A callback that will be called if the access should be denied to the current user. This is the case when either no rule matches, or a rule with $allow set to false matches. If not set, denyAccess() will be called.

The signature of the callback should be as follows:

function ($rule, $action)

where $rule is the rule that denies the user, and $action is the current action object. $rule can be null if access is denied because none of the rules matched.

public callable $denyCallback null
$ruleConfig public property

The default configuration of access rules. Individual rule configurations specified via $rules will take precedence when the same property of the rule is configured.

public array $ruleConfig = ['class' => 'yii\filters\AccessRule']
$rules public property

A list of access rule objects or configuration arrays for creating the rule objects. If a rule is specified via a configuration array, it will be merged with $ruleConfig first before it is used for creating the rule object.

See also $ruleConfig.

public array $rules = []
$user public property

The user object representing the authentication status or the ID of the user application component. Starting from version 2.0.2, this can also be a configuration array for creating the object. Starting from version 2.0.12, you can set it to false to explicitly switch this component support off for the filter.

Method Details

beforeAction() public method

This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action.

public boolean beforeAction ( $action )
$action yii\base\Action

The action to be executed.

return boolean

Whether the action should continue to be executed.

denyAccess() protected method

Denies the access of the user.

The default implementation will redirect the user to the login page if he is a guest; if the user is already logged, a 403 HTTP exception will be thrown.

protected void denyAccess ( $user )
$user yii\web\User|false

The current user or boolean false in case of detached User component

throws yii\web\ForbiddenHttpException

if the user is already logged in or in case of detached User component.

init() public method

Initializes the $rules array by instantiating rule objects from configurations.

public void init ( )