Class humhub\components\access\ControllerAccess

Inheritance: humhub\components\access\ControllerAccess » yii\base\BaseObject
Subclasses: humhub\components\access\StrictAccess, humhub\modules\content\components\ContentContainerControllerAccess
Available since version: 1.2.2

ControllerAccess contains the actual logic to verify whether or not a user can access a controller action by means of a given set of access rules.

By default the AccessCheck will use the currently logged-in user as the permission subject.

The actual permission rule verification is handled by the run() function.

Subclasses can extend the set of available validators by calling registerValidator() and providing a validator setting array as:

public function init()
{
    parent::init();
    $this->registerValidator([
        self::RULE_MY_RULE => 'validateMyRule',
        'reason' => Yii::t('error', 'My validation rule could not be verified.'),
        'code' => 401
    ]);
}

The previous example registers a new validator for rules named by the RULE_MY_RULE constant, with validateMyRule as the validation handler function. validateMyRule must be defined as a handler method within the subclass.

Custom Validators can also be added by means of a Validator class as in the following example:

$this->registerValidator(MyValidator::class);

where MyValidator is a subclass of humhub\components\access\AccessValidator

A single rule is provided as an array. If not specified otherwise, a rule supports the following base format:

['ruleName', 'actions' => ['action1', 'action2']]

or

['ruleName' => ['action1', 'action2']]

Note: the second format is not supported by all rules, e.g. the permission rule.

If no action array is provided, the rule is considered to be controller global and will be verified for all actions.

If a rule for a given name could not be found, the ControllerAccess tries to determine a custom rule validator set by the controller itself:

['validateMyCustomRule', 'someParameter' => $value]

will search for controller validator function validateMyCustomRule:

public function validateMyCustomRule($rule, $access)
{
    // Deny access unless the rule parameter carries the expected value.
    if ($rule['someParameter'] !== 'valid') {
        $access->code = 401;
        $access->reason = 'Not authorized!';
        return false;
    }

    return true;
}

By defining the $fixedRules array property, a ControllerAccess can define rules which are always applied. This property (or the getFixedRules() function) may be overwritten by subclasses.

The following rules are available by default:

  • admin: The user has to be system admin to access an action
  • permission: Group Permission check
  • login: The user has to be logged in to access an action
  • strict: Will check for guest users against the guest users allowed setting
  • post: Will only accept post requests for the given actions
  • json: Will handle json result requests by setting Yii::$app->response->format = 'json'
  • disabledUser: Checks if the given user is a disabled user (fixed)
  • unapprovedUser: Checks if the given user is an unapproved user (fixed)
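Because a rule without an action array applies to every action while a scoped rule applies only to the actions it lists, it is worth checking which rules actually cover each action. The following added example is not part of HumHub or its documentation: it is a standalone model of the rule formats described on this page, and the helper names, the sample rule set, the ManagePages permission name and the choice of AUTH_RULES are assumptions made for illustration.

```php
<?php
// Added example, not HumHub code: standalone model of the documented rule formats.
const FIXED_RULES = [['disabledUser'], ['unapprovedUser']]; // $fixedRules default on this page
const OPTION_ONLY = ['permission'];                 // rule the page says lacks the short format
const AUTH_RULES  = ['admin', 'login', 'permission']; // assumption: rules that restrict the caller

// Rule name is either element 0 or the first string key.
function ruleName(array $rule): ?string
{
    $first = array_key_first($rule);
    if ($first === null) {
        return null;
    }
    return is_string($first) ? $first : (string) $rule[$first];
}

// Actions a rule is scoped to, or null when the rule is controller global.
function ruleActions(array $rule): ?array
{
    if (isset($rule['actions'])) {
        return (array) $rule['actions'];
    }
    $name = ruleName($rule);
    if ($name !== null && isset($rule[$name]) && !in_array($name, OPTION_ONLY, true)) {
        return (array) $rule[$name]; // short format: ['login' => ['a', 'b']]
    }
    return null;
}

// Maps each action to the names of the rules that would be checked for it.
function coverage(array $rules, array $actions): array
{
    $map = array_fill_keys($actions, []);
    foreach (array_merge(FIXED_RULES, $rules) as $rule) {
        $scope = ruleActions($rule);
        foreach ($actions as $action) {
            if ($scope === null || in_array($action, $scope, true)) {
                $map[$action][] = ruleName($rule);
            }
        }
    }
    return $map;
}

// Constructed sample rule set for a hypothetical controller.
$rules = [['login' => ['index', 'edit']], ['json'], ['post', 'actions' => ['edit', 'delete']],
          ['permission' => ['ManagePages'], 'actions' => ['edit']]];
foreach (coverage($rules, ['index', 'edit', 'delete']) as $action => $names) {
    $flag = array_intersect($names, AUTH_RULES) ? '' : '  <-- no login/admin/permission rule';
    echo str_pad($action, 8), implode(', ', $names), $flag, PHP_EOL;
}
```

In the sample, the delete action is covered by the post rule and the fixed rules only, which is the kind of gap this listing is meant to surface during review.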

See also humhub\components\access\AccessValidator.

Public Properties

Property | Type | Description | Defined By
$action | string | The controller action id to test | humhub\components\access\ControllerAccess
$code | integer | Http code, can be changed in verify checks for specific error codes | humhub\components\access\ControllerAccess
$owner | \yii\web\Controller | Owner object of this ControllerAccess the owner is mainly used to find custom validation handler | humhub\components\access\ControllerAccess
$reason | string | Actual decline message, can be changed in verify checks for specific error messages | humhub\components\access\ControllerAccess
$user | humhub\modules\user\models\User | Identity to test against | humhub\components\access\ControllerAccess

Protected Properties

Property | Type | Description | Defined By
$fixedRules | array | Fixed rules will always be added to the current rule set | humhub\components\access\ControllerAccess
$rules | array | Access rule array | humhub\components\access\ControllerAccess
$validators | array | Defines all available validators, this list can be extended by calling registerValidator() | humhub\components\access\ControllerAccess

Constants

Constant | Value | Description | Defined By
ACTION_SETTING_TYPE_BOTH | 1 | Allows the action rule setting by extra option ['myRule', 'actions' => ['action1', 'action2']] or immediate ['myRule' => ['action1', 'action2']] | humhub\components\access\ControllerAccess
ACTION_SETTING_TYPE_OPTION_ONLY | 0 | Allows the action rule setting only by extra option ['myRule', 'actions' => ['action1', 'action2']] | humhub\components\access\ControllerAccess
RULE_ADMIN_ONLY | 'admin' | Only admins have access to the given set of actions e.g.: ['admin' => ['action1']] | humhub\components\access\ControllerAccess
RULE_DISABLED_USER | 'disabledUser' | Check if user is disabled | humhub\components\access\ControllerAccess
RULE_JSON | 'json' | Make sure response type is json | humhub\components\access\ControllerAccess
RULE_LOGGED_IN_ONLY | 'login' | Only logged in users have access e.g.: ['login' => ['action1', 'action2']] | humhub\components\access\ControllerAccess
RULE_PERMISSION | 'permission' | Validate against a given set of permissions e.g.: ['permission' => [MyPermission::class], 'actions' => ['action1']] | humhub\components\access\ControllerAccess
RULE_POST | 'post' | Check if request method is post | humhub\components\access\ControllerAccess
RULE_STRICT | 'strict' | Check guest mode e.g.: ['strict'] (mainly used as global) | humhub\components\access\ControllerAccess
RULE_UNAPPROVED_USER | 'unapprovedUser' | Check if user is unapproved | humhub\components\access\ControllerAccess

Property Details

$action public property

The controller action id to test

public string $action = null

$code public property

Http code, can be changed in verify checks for specific error codes

public integer $code = null

$fixedRules protected property

Fixed rules will always be added to the current rule set

protected array $fixedRules = [[self::RULE_DISABLED_USER], [self::RULE_UNAPPROVED_USER]]

$owner public property

Owner object of this ControllerAccess the owner is mainly used to find custom validation handler

public \yii\web\Controller $owner = null

$reason public property

Actual decline message, can be changed in verify checks for specific error messages

public string $reason = null

$rules protected property

Access rule array

protected array $rules = []

$user public property

Identity to test against

$validators protected property

Defines all available validators, this list can be extended by calling registerValidator()

protected array $validators = []

Method Details

findValidator() protected method

protected void findValidator ( $ruleName )
$ruleName

getCustomValidator() protected method

protected void getCustomValidator ( $ruleName )
$ruleName

getFixedRules() protected method

protected array getFixedRules ( )
return array

Returns array of rules which will always be added to the rule set

getName() protected method

Extracts the ruleName from a given rule option array.

protected mixed|null getName ( $arr )
$arr

getRules() public method

public array getRules ( )
return array

Set of rules

init() public method

public void init ( )

isAdmin() public method

public void isAdmin ( )

isGuest() public method

public boolean isGuest ( )
return boolean

Checks if the given $user is set.

registerValidator() protected method

Adds a new validator to the available validators and sets some default values.

A validator should have the following form

['ruleName' => 'handler', 'code' => 401, 'reason' => 'Some message in case the validation failed']

to allow other direct settings required by the action validator e.g. direct permission settings.

protected void registerValidator ( $options )
$options
throws \yii\base\InvalidConfigException

run() public method

Runs the current $rule setting against all available validators

public boolean run ( )

setRules() public method

Sets the current set of rules.

Note: This will merge the given set of rules with the fixed rules.

public void setRules ( $rules = [] )
$rules array

Sets th

validateAdminOnly() public method

public boolean validateAdminOnly ( )
return boolean

Makes sure the current user has administration rights

validateDisabledUser() public method

public boolean validateDisabledUser ( )
return boolean

Checks if the current user is a disabled user

validateJsonResponse() public method

public boolean validateJsonResponse ( )
return boolean

Makes sure the response type is json

validateLoggedInOnly() public method

public boolean validateLoggedInOnly ( )
return boolean

Makes sure the current user is logged in

validatePostRequest() public method

public mixed validatePostRequest ( )
return mixed

Checks if the current request is a post request

validateStrictMode() public method

public boolean validateStrictMode ( )
return boolean

Checks if guest mode is activated for guest access

validateUnapprovedUser() public method

public boolean validateUnapprovedUser ( )
return boolean

Checks if the current user is an unapproved user