From 051822075eebab9a274d061c603dd048fcfe77a3 Mon Sep 17 00:00:00 2001
From: Qiang Xue
Date: Mon, 24 Jun 2013 21:04:44 -0400
Subject: [PATCH] Fixes issue #579: AccessControl deny rule by default
---
 docs/guide/upgrade-from-v1.md | 1 -
 framework/yii/web/AccessControl.php | 6 +++---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/docs/guide/upgrade-from-v1.md b/docs/guide/upgrade-from-v1.md
index ebfe94b..66bce10 100644
--- a/docs/guide/upgrade-from-v1.md
+++ b/docs/guide/upgrade-from-v1.md
@@ -288,7 +288,6 @@ public function behaviors()
 'class' => 'yii\web\AccessControl',
 'rules' => array(
 array('allow' => true, 'actions' => array('admin'), 'roles' => array('@')),
- array('allow' => false),
 ),
 ),
 );
diff --git a/framework/yii/web/AccessControl.php b/framework/yii/web/AccessControl.php
index 3af2adc..35d6cae 100644
--- a/framework/yii/web/AccessControl.php
+++ b/framework/yii/web/AccessControl.php
@@ -17,7 +17,7 @@ use yii\base\ActionFilter;
 * AccessControl is an action filter. It will check its [[rules]] to find
 * the first rule that matches the current context variables (such as user IP address, user role).
 * The matching rule will dictate whether to allow or deny the access to the requested controller
- * action.
+ * action. If no rule matches, the access will be denied.
 *
 * To use AccessControl, declare it in the `behaviors()` method of your controller class.
 * For example, the following declarations will allow authenticated users to access the "create"
@@ -105,7 +105,7 @@ class AccessControl extends ActionFilter
 /** @var $rule AccessRule */
 foreach ($this->rules as $rule) {
 if ($allow = $rule->allows($action, $user, $request)) {
- break;
+ return true;
 } elseif ($allow === false) {
 if (isset($rule->denyCallback)) {
 call_user_func($rule->denyCallback, $rule);
@@ -117,7 +117,7 @@ class AccessControl extends ActionFilter
 return false;
 }
 }
- return true;
+ return false;
 }
 
 /**
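Review bot: The grant decision in the `foreach` rests on loose truthiness: `if ($allow = $rule->allows($action, $user, $request))` now leads straight to `return true;`, while the deny branch beside it tests `$allow === false` strictly. In an access-control filter the grant side should be the strict one, so that an unexpected non-boolean return falls through to the next rule and finally to the default deny instead of granting access; whether `allows()` can return such a value is not visible here. I would write `$allow = $rule->allows($action, $user, $request);` followed by `if ($allow === true) {`. The enclosing method starts above this hunk and continues past it.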
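Review bot: The new fall-through `return false;` denies the request without running any deny handling. The explicit-deny branch in the previous hunk calls `$rule->denyCallback` before returning false, but on the no-match path nothing is invoked, so the user presumably receives neither an error response nor a login redirect; the lines between the two hunks and the caller are not shown, so this is inferred. I would route the no-match case through the same fallback handling the explicit-deny branch uses when a rule carries no callback, preceded by `// No rule matched: deny by default.`. Since this commit flips the filter from default-allow to default-deny, a test asserting that an action matched by no rule is denied would pin the invariant; the diffstat shows none added.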