Using controller filters

In many cases, we need to filter the incoming data or perform some actions based on this data. For example, with custom filters, we can filter visitors by IP, force users to use HTTPS, or redirect the user to an installation page before they use the application. Yii has two built-in, ready-to-use filters. The first is CInlineFilter, which lets a controller method act as a filter, and the second (the one we will focus on) is CAccessControlFilter, which controls access to individual controller actions.

In this recipe, we will implement the following:

  • Limiting access to the controller action to authorized users only
  • Limiting access to the controller action to specified IPs
  • Limiting access to specific users
  • Limiting access for users of a specified browser; in this case, we will also show a custom message

Getting ready

  1. Create a fresh application by using yiic webapp.
  2. Create protected/controllers/AccessController.php as follows:
    <?php
    class AccessController extends CController
    {
    
      public function actionAuthOnly()
      {
        echo "Looks like you are authorized to run me.";
      }
    
      public function actionIp()
      {
        echo "Your IP is in our list. Lucky you!";
      }
    
      public function actionUser()
      {
        echo "You're the right man. Welcome!";
      }
    }

How to do it...

Carry out the following steps:

  1. Applying an access filter consists of two steps. First, we need to include a filter in the controller's filters method. We do this as follows:
    public function filters()
    {
      return array(
        'accessControl',
      );
    }
  2. Then, we can describe filtering rules in the accessRules method that is used by the access control filter as follows:
    public function accessRules()
    {
      return array(
        array(
          'deny',
          'expression' => 'strpos($_SERVER["HTTP_USER_AGENT"], "MSIE") !== FALSE',
          'message' => "You're using the wrong browser, sorry.",
        ),
        array(
          'allow',
          'actions' => array('authOnly'),
          'users' => array('@'),
        ),
        array(
          'allow',
          'actions' => array('ip'),
          'ips' => array('127.0.0.1'),
        ),
        array(
          'allow',
          'actions' => array('user'),
          'users' => array('admin'),
        ),
        array('deny'),
      );
    }
  3. Now try to run controller actions using Internet Explorer and other browsers, using both the admin and demo usernames.

How it works...

We will start with limiting access to the controller action to authorized users only. See the following code in the accessRules method:

array(
  'allow',
  'actions' => array('authOnly'),
  'users' => array('@'),
),
array('deny'),

Each array here is an access rule. You can either use the allow rule or the deny rule. For each rule, there are several parameters.

Note

By default, Yii does not deny everything, so consider adding array('deny') to the end of your rules list if you need maximum security.

In our rule, we use two parameters. The first is the actions parameter, which takes an array of actions to which the rule will be applied. The second is the users parameter, which takes an array of user IDs (ones returned by Yii::app()->user->id) to determine the users this rule applies to. In our case, we used one of the following special characters: @ means all authenticated users, while * and ? stand for all users and guest users, respectively.

Note

Rules are executed one by one starting from the top until one matches. If nothing matches, then the action is treated as allowed.

The next task is to limit access to specific IPs. In this case, the following two access rules are involved:

array(
  'allow',
  'actions' => array('ip'),
  'ips' => array('127.0.0.1'),
),
array('deny'),

The first rule allows access to the ip action only from the specified list of IPs. In our case, we are using a loopback address, which always points to our own computer. Try changing it to, for example, 127.0.0.2 to see how it works when the address does not match. The second rule denies everything, including all other IPs.

Next, we limit access to one specific user as follows:

array(
  'allow',
  'actions' => array('user'),
  'users' => array('admin'),
),
array('deny'),

The preceding rule allows a user with an ID equal to admin to run the user action. Therefore, if you log in as admin, it will let you in, but if you log in as demo, it will not. This is the same type of rule that we used to limit access to authorized users. The only difference is that we are using an ID instead of a wildcard. Again, the second rule involved denies everything including all other users.

Finally, we need to deny access to a specific browser. For this recipe, we are denying all versions of Internet Explorer and, in fact, some other browsers with the same user agent strings. The rule itself is put on top, so it executes first as follows:

array(
  'deny',
  'expression' => 'strpos($_SERVER["HTTP_USER_AGENT"], "MSIE") !== FALSE',
  'message' => "You're using the wrong browser, sorry.",
),
array('deny'),

Note

The detection technique that we are using is not very reliable, as MSIE is contained in many other user agent strings. For a list of possible user agent strings, you can refer to the following URL:

http://www.useragentstring.com/

In the preceding code, we use another filter rule property named expression. It takes a PHP expression as a string, as an anonymous function (in PHP 5.3), or as a valid callback. In our case, we use a string.

Using PHP 5.3, the anonymous function will look like the following:

array(
  'deny',
  'expression' => function(){
    return strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== FALSE;
  },
  'message' => "You're using the wrong browser, sorry.",
),

The preceding expression checks whether the user agent string contains MSIE. Depending on your requirements, you can specify any PHP code. The second parameter, message, changes the message shown to the user when access is denied.
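As an added example (not Yii's own code and not part of the recipe), the following stand-alone PHP script models the rule evaluation described in this section: rules are tried top to bottom, the first match decides, an absent key matches anything, the special user names @, * and ?, an expression given as a closure, and the default-allow fallthrough that the trailing array('deny') guards against. The helper names, the request array layout and the placeholder default message are assumptions.

```php
<?php
// Added example, not Yii's code: a model of the recipe's rule evaluation (first match wins,
// no match means allow). In a rule, an absent key means "any".
function ruleMatches(array $rule, array $req)
{
    if (isset($rule['actions']) && !in_array($req['action'], $rule['actions'], true)) return false;
    if (isset($rule['ips']) && !in_array($req['ip'], $rule['ips'], true)) return false;
    if (isset($rule['users'])) {
        $guest = ($req['user'] === null); $hit = false;
        foreach ($rule['users'] as $u) {
            // '*' = everyone, '?' = guests, '@' = authenticated, anything else = a specific user
            if ($u === '*' || ($u === '?' && $guest) || ($u === '@' && !$guest)
                || (!$guest && strcasecmp($u, $req['user']) === 0)) { $hit = true; break; }
        }
        if (!$hit) return false;
    }
    // 'expression' is modelled as a callable that receives the request (Yii also accepts a string)
    if (isset($rule['expression']) && !call_user_func($rule['expression'], $req)) return false;
    return true;
}
// Returns array(verdict, message) from the first matching rule; the message default is a placeholder.
function evaluateRules(array $rules, array $req)
{
    foreach ($rules as $rule) {
        if (ruleMatches($rule, $req)) return array($rule[0], isset($rule['message']) ? $rule['message'] : 'Access denied.');
    }
    return array('allow', '');   // nothing matched: allowed by default
}
$rules = array(   // the recipe's accessRules(), with the expression written as a closure
    array('deny', 'expression' => function ($r) { return strpos($r['ua'], 'MSIE') !== false; },
          'message' => "You're using the wrong browser, sorry."),
    array('allow', 'actions' => array('authOnly'), 'users' => array('@')),
    array('allow', 'actions' => array('ip'),       'ips'   => array('127.0.0.1')),
    array('allow', 'actions' => array('user'),     'users' => array('admin')),
    array('deny'),
);
// Constructed requests: action, user (null = guest), client IP, user agent string.
$cases = array(
    array('action' => 'authOnly', 'user' => 'demo',  'ip' => '10.0.0.5',  'ua' => 'Firefox'),  // allow
    array('action' => 'authOnly', 'user' => null,    'ip' => '10.0.0.5',  'ua' => 'Firefox'),  // deny
    array('action' => 'ip',       'user' => null,    'ip' => '127.0.0.1', 'ua' => 'Firefox'),  // allow
    array('action' => 'user',     'user' => 'demo',  'ip' => '127.0.0.1', 'ua' => 'Firefox'),  // deny
    array('action' => 'user',     'user' => 'admin', 'ip' => '127.0.0.1', 'ua' => 'MSIE 9.0'), // deny, browser message
);
foreach ($cases as $req) {
    list($verdict, $msg) = evaluateRules($rules, $req);
    printf("%-8s %-7s %-9s -> %s %s\n", $req['action'], $req['user'] === null ? '(guest)' : $req['user'], $req['ip'], $verdict, $msg);
}
list($verdict) = evaluateRules(array_slice($rules, 0, -1), $cases[3]);   // same request, final deny removed
echo "demo/user without the final deny rule -> $verdict\n";
```

The last line shows the fallthrough the Note above warns about: with the final array('deny') removed, the demo user's request for the user action matches no rule and is allowed.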

See also

  • The Using RBAC recipe