Fixes issue #579: AccessControl deny rule by default

docs/guide/upgrade-from-v1.md

@@ -288,7 +288,6 @@ public function behaviors()
             'class' => 'yii\web\AccessControl',
             'rules' => array(
                 array('allow' => true, 'actions' => array('admin'), 'roles' => array('@')),
-                array('allow' => false),
             ),
         ),
     );

framework/yii/web/AccessControl.php

@@ -17,7 +17,7 @@ use yii\base\ActionFilter;
  * AccessControl is an action filter. It will check its [[rules]] to find
  * the first rule that matches the current context variables (such as user IP address, user role).
  * The matching rule will dictate whether to allow or deny the access to the requested controller
- * action.
+ * action. If no rule matches, the access will be denied.
  *
  * To use AccessControl, declare it in the `behaviors()` method of your controller class.
  * For example, the following declarations will allow authenticated users to access the "create"
@@ -105,7 +105,7 @@ class AccessControl extends ActionFilter
 		/** @var $rule AccessRule */
 		foreach ($this->rules as $rule) {
 			if ($allow = $rule->allows($action, $user, $request)) {
-				break;
+				return true;
 			} elseif ($allow === false) {
 				if (isset($rule->denyCallback)) {
 					call_user_func($rule->denyCallback, $rule);
@@ -117,7 +117,7 @@ class AccessControl extends ActionFilter
 				return false;
 			}
 		}
-		return true;
+		return false;
 	}
 
 	/**