/* Decoded by unphp.net */ [ * 'class' => \yii\filters\AccessControl::class, * 'only' => ['create', 'update'], * 'rules' => [ * // deny all POST requests * [ * 'allow' => false, * 'verbs' => ['POST'] * ], * // allow authenticated users * [ * 'allow' => true, * 'roles' => ['@'], * ], * // everything else is denied * ], * ], * ]; * } * ``` * * @author Qiang Xue * @since 2.0 */ class AccessControl extends ActionFilter { /** * @var User|array|string|false the user object representing the authentication status or the ID of the user application component. * Starting from version 2.0.2, this can also be a configuration array for creating the object. * Starting from version 2.0.12, you can set it to `false` to explicitly switch this component support off for the filter. */ public $user = 'user'; /** * @var callable|null a callback that will be called if the access should be denied * to the current user. This is the case when either no rule matches, or a rule with * [[AccessRule::$allow|$allow]] set to `false` matches. * If not set, [[denyAccess()]] will be called. * * The signature of the callback should be as follows: * * ```php * function ($rule, $action) * ``` * * where `$rule` is the rule that denies the user, and `$action` is the current [[Action|action]] object. * `$rule` can be `null` if access is denied because none of the rules matched. */ public $denyCallback; /** * @var array the default configuration of access rules. Individual rule configurations * specified via [[rules]] will take precedence when the same property of the rule is configured. */ public $ruleConfig = ['class' => 'yii\filters\AccessRule']; /** * @var array a list of access rule objects or configuration arrays for creating the rule objects. * If a rule is specified via a configuration array, it will be merged with [[ruleConfig]] first * before it is used for creating the rule object. * @see ruleConfig */ public $rules = []; /** * Initializes the [[rules]] array by instantiating rule objects from configurations. */ public function init() { parent::init(); if ($this->user !== false) { $this->user = Instance::ensure($this->user, User::className()); } foreach ($this->rules as $i => $rule) { if (is_array($rule)) { $this->rules[$i] = Yii::createObject(array_merge($this->ruleConfig, $rule)); } } } /** * This method is invoked right before an action is to be executed (after all possible filters.) * You may override this method to do last-minute preparation for the action. * @param Action $action the action to be executed. * @return bool whether the action should continue to be executed. */ public function beforeAction($action) { $user = $this->user; $request = Yii::$app->getRequest(); /* @var $rule AccessRule */ foreach ($this->rules as $rule) { if ($allow = $rule->allows($action, $user, $request)) { return true; } elseif ($allow === false) { if (isset($rule->denyCallback)) { call_user_func($rule->denyCallback, $rule, $action); } elseif ($this->denyCallback !== null) { call_user_func($this->denyCallback, $rule, $action); } else { $this->denyAccess($user); } return false; } } if ($this->denyCallback !== null) { call_user_func($this->denyCallback, null, $action); } else { $this->denyAccess($user); } return false; } /** * Denies the access of the user. * The default implementation will redirect the user to the login page if he is a guest; * if the user is already logged, a 403 HTTP exception will be thrown. * @param User|false $user the current user or boolean `false` in case of detached User component * @throws ForbiddenHttpException if the user is already logged in or in case of detached User component. */ protected function denyAccess($user) { if ($user !== false && $user->getIsGuest()) { $user->loginRequired(); } else { throw new ForbiddenHttpException(Yii::t('yii', 'You are not allowed to perform this action.')); } } } ?>