How to Program With Yii2: User Access Controls

Access control integrates with the framework’s authentication features to allow or restrict access to specific features or pages of your website.

The code we’ve written thus far allows anyone to create posts even if they haven’t signed in. For example, in our sample application, you can visit the Status page and post items without signing in.

We can use Yii2’s simple access control features to ensure that users register and sign in before adding and viewing status posts.

Yii2 also offers more advanced (and complex) Role Based Access Control (RBAC) which we will not be implementing at this time. With RBAC, you define a sophisticated hierarchy of permissions for each possible activity within your application.

Yii2’s built-in Access Control supports only two roles by default: guest (not logged in), represented by ‘?’, and authenticated, represented by ‘@’. With simple access controls, we can just limit access to specific pages or controller actions based on the login state. If users are not logged in when they visit those pages, Yii will redirect them to the login page.

In this tutorial, I’ll introduce you to using Yii2’s simple access controls for our sample application. Then we’ll extend simple access with additional roles such as moderator and administrator.

The Yii2 Advanced Template does not contain a “role” column in the User table by default. Before proceeding to the tutorial below, do the following:

  1. Create a column called role in the user table.
  2. Update the User model by adding the role attribute and updating the User class docblock accordingly.

Yii 2.0 has a built-in Access Control that supports two roles out of the box, which is enough to check whether the user is a guest or is logged in. Sometimes there is a need to simply extend the Access Control layer with a few more roles to distinguish between logged-in users (e.g. admin, moderator), without the full-blown RBAC graph of permissions, roles and role assignments that Yii provides.

In this post, I will show how to implement simple role-based authorization by extending the AccessRule class that defines the default rules and overriding its matchRole() method, which is where the additional rule-matching logic goes.

I will be using the advanced template, but you can adapt the code to the basic template without much difficulty. The concept remains the same in both.

Let’s start by defining our roles. I will be creating 2 new roles, namely Admin and Moderator, in addition to the existing User role. These roles will allow us to distinguish the roles of the logged in users, and also allow us to restrict access to different parts of the application depending on the role assigned to the user.

Let’s get started with some code.

  • Create an AccessRule class that extends the \yii\filters\AccessRule class. I have chosen to do so inside the common\components namespace. You may need to create the components folder inside the common folder. Populate common\components\AccessRule.php with the following code:

Here we are overriding the matchRole() function. Much of the matchRole() code is copied from the \yii\filters\AccessRule class, except that we have changed the last elseif branch to compare the role supplied in the controller rule with the role stored in the database and exposed through the User model.

  • Inside common/models/User.php, we will define our new roles. There is already a const ROLE_USER = 10; in the User model. We will add our new roles right below it so that our role constants look like this:

  • Now it’s time to use our new roles inside the controller. To use the new roles, we will use the new AccessRule component and make slight changes to the access behavior. Add the following use statements at the top of your controller:

Edit the access behavior as follows:

In the above example, we first override the ruleConfig of the access behavior with our new AccessRule class. Then there are three actions, create, update and delete, which are controlled by our new AccessRule class, and the following rules are applied:

  • create action is available to User, Moderator and Admin roles.
  • update action is available to Moderator and Admin roles.
  • delete action is only available to the Admin role.
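The steps above, put together as one added example (this is not the original post’s code). It assumes the User model has an integer role column holding one of the ROLE_* constants, a controller named StatusController for the Status page, and role values ROLE_MODERATOR = 20 and ROLE_ADMIN = 30, all of which are choices made for this example:

```php
<?php
// ---- common/components/AccessRule.php ----
// Rule class whose matchRole() compares the role constants listed in a
// controller rule with the `role` column of the logged-in user's record.
namespace common\components;

class AccessRule extends \yii\filters\AccessRule
{
    /**
     * @param \yii\web\User $user the application user component
     * @return bool whether one of the rule's configured roles matches
     */
    protected function matchRole($user)
    {
        // No roles configured on this rule: the role check passes,
        // exactly as in the parent implementation.
        if (empty($this->roles)) {
            return true;
        }
        foreach ($this->roles as $role) {
            if ($role === '?') {
                if ($user->getIsGuest()) {
                    return true;
                }
            } elseif ($role === '@') {
                if (!$user->getIsGuest()) {
                    return true;
                }
            } elseif (!$user->getIsGuest()
                && (int) $user->identity->role === (int) $role) {
                // Changed branch: instead of the RBAC lookup $user->can($role),
                // compare the rule's role constant with the role stored for this
                // user. The guest check runs first so identity is never null here.
                return true;
            }
        }
        return false;
    }
}

// ---- common/models/User.php (excerpt, assumed values) ----
//     const ROLE_USER = 10;       // already present in the template
//     const ROLE_MODERATOR = 20;
//     const ROLE_ADMIN = 30;

// ---- frontend/controllers/StatusController.php (excerpt) ----
namespace frontend\controllers;

use yii\web\Controller;
use yii\filters\AccessControl;
use common\components\AccessRule;
use common\models\User;

class StatusController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                // Every rule in this filter is instantiated from our class.
                'ruleConfig' => ['class' => AccessRule::className()],
                // Rules are evaluated in order; the first match decides.
                'rules' => [
                    ['actions' => ['index', 'view'], 'allow' => true, 'roles' => ['@']],
                    ['actions' => ['create'], 'allow' => true,
                        'roles' => [User::ROLE_USER, User::ROLE_MODERATOR, User::ROLE_ADMIN]],
                    ['actions' => ['update'], 'allow' => true,
                        'roles' => [User::ROLE_MODERATOR, User::ROLE_ADMIN]],
                    ['actions' => ['delete'], 'allow' => true,
                        'roles' => [User::ROLE_ADMIN]],
                ],
                // No 'only' list: an action with no matching allow rule is
                // denied (guests are sent to the login page, others get 403).
            ],
        ];
    }

    // actionIndex(), actionView(), actionCreate(), actionUpdate(),
    // actionDelete() are unchanged from the tutorial's existing controller.
}
```

Two things worth checking once this is in place: the role column must only be written by trusted code (an admin screen or a console command), so make sure role is not a safe attribute in any User scenario that a signup or profile form populates; and leaving out the filter’s ‘only’ option is deliberate, because it makes the controller deny by default, so an action you forget to list is refused rather than silently left open.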

There you have it. Clean and simple role-based authorization for applications that require more than a simple logged-in check but don’t require the full-blown Role Based Access Control provided by Yii 2.0.


Prakash S

I would like to introduce myself as a software professional opting for a career in the software industry. I'm Prakash S, an MCA graduate, trained in industry-level practice for software technology. Basically I am a PHP developer, but nowadays I am exploring more of HTML5, CSS, AngularJS and the jQuery libraries.