From f5e5f20e15e7e5f33a48c669d588aa3aaf07d5cd Mon Sep 17 00:00:00 2001
From: Dezinger <dezinger@gmail.com>
Date: Sat, 18 Nov 2017 23:02:27 +0300
Subject: [PATCH] Security fix: add AccessControl to RuleController

---
 src/User/Controller/RuleController.php | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/User/Controller/RuleController.php b/src/User/Controller/RuleController.php
index dbce6c2..ccd6134 100644
--- a/src/User/Controller/RuleController.php
+++ b/src/User/Controller/RuleController.php
@@ -17,10 +17,12 @@ use Da\User\Service\AuthRuleEditionService;
 use Da\User\Traits\AuthManagerAwareTrait;
 use Da\User\Traits\ContainerAwareTrait;
 use Da\User\Validator\AjaxRequestModelValidator;
+use Da\User\Filter\AccessRuleFilter;
 use Yii;
 use yii\filters\VerbFilter;
 use yii\web\Controller;
 use yii\web\NotFoundHttpException;
+use yii\filters\AccessControl;
 
 class RuleController extends Controller
 {
@@ -33,12 +35,24 @@ class RuleController extends Controller
     public function behaviors()
     {
         return [
-            [
+            'verbs' => [
                 'class' => VerbFilter::className(),
                 'actions' => [
                     'delete' => ['POST'],
                 ],
-            ]
+            ],
+            'access' => [
+                'class' => AccessControl::className(),
+                'ruleConfig' => [
+                    'class' => AccessRuleFilter::className(),
+                ],
+                'rules' => [
+                    [
+                        'allow' => true,
+                        'roles' => ['admin'],
+                    ],
+                ],
+            ],
         ];
     }