Commit 05182207 by Qiang Xue

Fixes issue #579: AccessControl deny rule by default

parent 36655d3b
......@@ -288,7 +288,6 @@ public function behaviors()
'class' => 'yii\web\AccessControl',
'rules' => array(
array('allow' => true, 'actions' => array('admin'), 'roles' => array('@')),
array('allow' => false),
),
),
);
......
......@@ -17,7 +17,7 @@ use yii\base\ActionFilter;
* AccessControl is an action filter. It will check its [[rules]] to find
* the first rule that matches the current context variables (such as user IP address, user role).
* The matching rule will dictate whether to allow or deny the access to the requested controller
* action.
* action. If no rule matches, the access will be denied.
*
* To use AccessControl, declare it in the `behaviors()` method of your controller class.
* For example, the following declarations will allow authenticated users to access the "create"
......@@ -105,7 +105,7 @@ class AccessControl extends ActionFilter
/** @var $rule AccessRule */
foreach ($this->rules as $rule) {
if ($allow = $rule->allows($action, $user, $request)) {
break;
return true;
} elseif ($allow === false) {
if (isset($rule->denyCallback)) {
call_user_func($rule->denyCallback, $rule);
......@@ -117,7 +117,7 @@ class AccessControl extends ActionFilter
return false;
}
}
return true;
return false;
}
/**
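Review bot: The new fall-through `return false;` after the rule loop denies the request without running any deny handling, whereas the explicit-deny branch above calls `$rule->denyCallback` (and whatever follows it outside the hunk) before returning false. A request that matches no rule is therefore likely to be stopped silently, with no login redirect or forbidden response, unless a false result is handled elsewhere. I would send the no-match case through the same deny path as an explicit deny before returning, and mark it with a comment such as `// no rule matched: deny by default`. Because this flips the default from allow to deny, controllers that relied on unmatched actions being allowed need an upgrade note; the method begins outside these hunks.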
......