From f5e5f20e15e7e5f33a48c669d588aa3aaf07d5cd Mon Sep 17 00:00:00 2001
From: Dezinger
Date: Sat, 18 Nov 2017 23:02:27 +0300
Subject: [PATCH 1/2] Security fix: add AccessControl to RuleController

---
 src/User/Controller/RuleController.php | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/User/Controller/RuleController.php b/src/User/Controller/RuleController.php
index dbce6c2..ccd6134 100644
--- a/src/User/Controller/RuleController.php
+++ b/src/User/Controller/RuleController.php
@@ -17,10 +17,12 @@ use Da\User\Service\AuthRuleEditionService;
 use Da\User\Traits\AuthManagerAwareTrait;
 use Da\User\Traits\ContainerAwareTrait;
 use Da\User\Validator\AjaxRequestModelValidator;
+use Da\User\Filter\AccessRuleFilter;
 use Yii;
 use yii\filters\VerbFilter;
 use yii\web\Controller;
 use yii\web\NotFoundHttpException;
+use yii\filters\AccessControl;
 
 class RuleController extends Controller
 {
@@ -33,12 +35,24 @@ class RuleController extends Controller
     public function behaviors()
     {
         return [
-            [
+            'verbs' => [
                 'class' => VerbFilter::className(),
                 'actions' => [
                     'delete' => ['POST'],
                 ],
-            ]
+            ],
+            'access' => [
+                'class' => AccessControl::className(),
+                'ruleConfig' => [
+                    'class' => AccessRuleFilter::className(),
+                ],
+                'rules' => [
+                    [
+                        'allow' => true,
+                        'roles' => ['admin'],
+                    ],
+                ],
+            ],
         ];
     }
 

From 3718ae5332f4c24dbb95c291f0769c59883f2ce4 Mon Sep 17 00:00:00 2001
From: Dezinger
Date: Wed, 22 Nov 2017 21:16:50 +0300
Subject: [PATCH 2/2] #119 Add to changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4fbd66c..0145366 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # CHANGELOG
 
 ## 1.1.1 - Work in progress
+- Bug #119: Security fix: add AccessControl to RuleController (Dezinger)
 - Bug #111: Fix migration for PostgreSQL DBMS (MKiselev)
 - Bug #106: Correct exception value returned in `MailEvent::getException` (kartik-v)
 - Enh #99: Added German translation (jkmssoft)
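Review bot: The two new imports break the alphabetical grouping the surrounding `use` lines keep: `use Da\User\Filter\AccessRuleFilter;` is placed after the `Validator` import although `Filter` sorts before `Service`, and `use yii\filters\AccessControl;` lands after `yii\web\NotFoundHttpException` although it belongs next to `use yii\filters\VerbFilter;`. Moving `use yii\filters\AccessControl;` directly above `use yii\filters\VerbFilter;`, and `use Da\User\Filter\AccessRuleFilter;` up into the `Da\User` group (which starts above this hunk), keeps the import block sorted so a later reviewer can see at a glance which filters the controller depends on. The `RuleController` class body continues past the end of this hunk.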
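Review bot: The `'access'` behavior is declared after `'verbs'` in the returned array, and since Yii attaches behaviors in declaration order the VerbFilter runs first, so a request from a guest or non-admin using the wrong method on `delete` is answered with a 405 before the access check fires; listing the `'access'` entry before `'verbs'` makes the authorization decision the first thing that happens on every action, which is the usual ordering in Yii controllers. The single rule `'allow' => true, 'roles' => ['admin']` depends on `AccessRuleFilter` to resolve `'admin'` — presumably against the module's administrator settings rather than only RBAC — and a short comment stating that, e.g. `// 'admin' is resolved by AccessRuleFilter; anyone not matched is denied by AccessControl`, would make the intended policy readable without opening the filter class. Keying the entries as `'verbs'` and `'access'` also means a subclass can now override or remove either by key, which is worth stating in the docblock of `behaviors()` (that docblock, if present, sits above this hunk).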