leonardo/yii2-usuario
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security fix: add AccessControl to RuleController

Browse Source
This commit is contained in:
Dezinger
2017-11-18 23:02:27 +03:00
parent 17c775d193
commit f5e5f20e15
1 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/User/Controller/RuleController.php
View File

@ -17,10 +17,12 @@ use Da\User\Service\AuthRuleEditionService;
use Da\User\Traits\AuthManagerAwareTrait; use Da\User\Traits\AuthManagerAwareTrait;
use Da\User\Traits\ContainerAwareTrait; use Da\User\Traits\ContainerAwareTrait;
use Da\User\Validator\AjaxRequestModelValidator; use Da\User\Validator\AjaxRequestModelValidator;
use Da\User\Filter\AccessRuleFilter;
use Yii; use Yii;
use yii\filters\VerbFilter; use yii\filters\VerbFilter;
use yii\web\Controller; use yii\web\Controller;
use yii\web\NotFoundHttpException; use yii\web\NotFoundHttpException;
use yii\filters\AccessControl;
class RuleController extends Controller class RuleController extends Controller
{ {
@ -33,12 +35,24 @@ class RuleController extends Controller
public function behaviors() public function behaviors()
{ {
return [ return [
[ 'verbs' => [
'class' => VerbFilter::className(), 'class' => VerbFilter::className(),
'actions' => [ 'actions' => [
'delete' => ['POST'], 'delete' => ['POST'],
], ],
] ],
'access' => [
'class' => AccessControl::className(),
'ruleConfig' => [
'class' => AccessRuleFilter::className(),
],
'rules' => [
[
'allow' => true,
'roles' => ['admin'],
],
],
],
]; ];
} }