Merge pull request #114 from Dezinger/secfix_access_rulecontroller

#119 Security fix: add AccessControl to RuleController
2017-11-23 22:41:04 +01:00
parent b875093ff6 67dec04d79
commit 49d9780e31
2 changed files with 17 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,6 +1,7 @@
 # CHANGELOG

 ## 1.1.1 - Work in progress
+- Bug #119: Security fix: add AccessControl to RuleController (Dezinger)
 - Enh #120: 2FA i18n russian translation (Dezinger)
 - Bug #111: Fix migration for PostgreSQL DBMS (MKiselev)
 - Bug #106: Correct exception value returned in `MailEvent::getException` (kartik-v)
--- a/src/User/Controller/RuleController.php
+++ b/src/User/Controller/RuleController.php
@ -17,10 +17,12 @@ use Da\User\Service\AuthRuleEditionService;
 use Da\User\Traits\AuthManagerAwareTrait;
 use Da\User\Traits\ContainerAwareTrait;
 use Da\User\Validator\AjaxRequestModelValidator;
+use Da\User\Filter\AccessRuleFilter;
 use Yii;
 use yii\filters\VerbFilter;
 use yii\web\Controller;
 use yii\web\NotFoundHttpException;
+use yii\filters\AccessControl;

 class RuleController extends Controller
 {
@ -33,12 +35,24 @@ class RuleController extends Controller
    public function behaviors()
    {
        return [
-            [
+            'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    'delete' => ['POST'],
                ],
-            ]
+            ],
+            'access' => [
+                'class' => AccessControl::className(),
+                'ruleConfig' => [
+                    'class' => AccessRuleFilter::className(),
+                ],
+                'rules' => [
+                    [
+                        'allow' => true,
+                        'roles' => ['admin'],
+                    ],
+                ],
+            ],
        ];
    }