Chapter 5. User Authentication

In the previous chapter, we discussed in detail the precise mechanics of how Yii 2 renders anything for the client browser. In the following chapters, we will look at features we have not used before.

Let's talk about user authentication now. Our CRM application example in its current state is pretty useless. It allows everyone to access it, and more often than not we don't want just anyone to be able to fiddle with the personal data of our customers.

In this chapter, we'll look at what Yii offers us to help identify the user, that is, user authentication. In the next chapter, we'll answer the question of user authorization, that is, deciding whether to allow a user to perform an action in the application.

We'll add the following features to our example CRM application in this chapter:

  • A table to record users known to the system and the corresponding user interface to manage it.
  • An indicator visible on all pages showing whether the person currently using the application is registered in that table. To be recognized, however, he/she will need to declare it explicitly, that is, "log in to" the application.

At this point, you already understand what a Yii Application Component is and, especially, how to configure and access one. If you don't, it's better to re-read the previous chapter and the official documentation about this concept, as we'll use more and more built-in Yii Components from now on.

Anatomy of the user login in Yii

You need the following to successfully authenticate the user using Yii:

  1. An object implementing the IdentityInterface interface.
  2. A call to Yii::$app->user->login() with this object passed to it.

The main catch here is the concept of Identity. To Yii 2, this can be any class implementing IdentityInterface. You are encouraged to read through the definition of IdentityInterface in the web/IdentityInterface.php file inside the Yii 2 framework code base, as it's very thoroughly explained there.

When a user is not logged in (no successful call to yii\web\User::login() was performed), the property Yii::$app->user->isGuest will return true. After successful login and as long as the user stays logged in, Yii::$app->user->isGuest will always return false and Yii::$app->user->identity will return the object that was passed to the call to the login() method (that is, the user identity).

This basically concludes the high-level usage of the authentication system built into Yii 2.

Yii only manages the state of the authentication, that is, it holds the data identifying the user. Any check regarding user authentication should be performed by the application.
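
The two requirements above, put together as an added example (it is not code from the book): an identity class implementing IdentityInterface, plus the application-side credential check that has to succeed before login() is called. The class name UserRecord, the `user` table with its columns, and the attemptLogin() helper are assumptions made for this sketch.

```php
<?php
// Added example: UserRecord, the `user` table and its columns, and
// attemptLogin() are assumptions, not names taken from the book.
namespace app\models;

use Yii;
use yii\base\NotSupportedException;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;

class UserRecord extends ActiveRecord implements IdentityInterface
{
    // Assumed table columns: id, username, password_hash, auth_key.
    public static function tableName() { return 'user'; }

    // Yii calls this on later requests to restore the identity from the session.
    public static function findIdentity($id) { return static::findOne(['id' => $id]); }

    public static function findIdentityByAccessToken($token, $type = null)
    {
        throw new NotSupportedException('Access tokens are not used here.');
    }

    public function getId() { return $this->getPrimaryKey(); }

    // Used only by cookie-based ("remember me") login.
    public function getAuthKey() { return $this->auth_key; }

    public function validateAuthKey($authKey)
    {
        return hash_equals((string) $this->auth_key, (string) $authKey);
    }

    // The credential check is the application's job; login() only records state.
    public static function attemptLogin($username, $password)
    {
        // Reject non-string input (e.g. arrays from the request) and empty passwords.
        if (!is_string($username) || !is_string($password) || $password === '') {
            return false; // validatePassword() throws on an empty password
        }
        $user = static::findOne(['username' => $username]);
        if ($user === null
            || !Yii::$app->security->validatePassword($password, $user->password_hash)) {
            return false; // one answer for unknown user and wrong password
        }
        return Yii::$app->user->login($user); // isGuest is false from here on
    }
}
```

The password_hash column is expected to hold values produced by Yii::$app->security->generatePasswordHash(), so no plaintext password is ever stored.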

While nowadays user authentication by login ID / password pair is slowly becoming old-fashioned, chances are, you'll still need to implement it in your next application. Let's consider the following use case.
