From f5778b6bf0e9a39a65f3ce6a9788e2d3ff9676b1 Mon Sep 17 00:00:00 2001 From: Alexander Makarov Date: Mon, 16 Sep 2013 02:46:29 +0400 Subject: [PATCH] Advanced application enhancements. - Turned on CSRF validation by default. - Added access control for login, signup and logout for frontend application. - Added access control for login, logout and index for backend application. - YII_ENV is now defined for all applications. - No trace is written to logs if debug is turned off. - Added default error view for frontend and backend. - In frontend application captcha will always ask for "testme" if YII_ENV is defined as "test". --- apps/advanced/backend/config/main.php | 8 +++++- .../backend/controllers/SiteController.php | 30 ++++++++++++++++++++++ apps/advanced/backend/views/site/error.php | 29 +++++++++++++++++++++ .../environments/dev/backend/web/index.php | 2 +- .../environments/dev/frontend/web/index.php | 3 +-- apps/advanced/environments/dev/yii | 1 + .../environments/prod/backend/web/index.php | 2 +- .../environments/prod/frontend/web/index.php | 3 +-- apps/advanced/environments/prod/yii | 1 + apps/advanced/frontend/config/main.php | 8 +++++- .../frontend/controllers/SiteController.php | 26 +++++++++++++++++++ apps/advanced/frontend/views/site/error.php | 29 +++++++++++++++++++++ 12 files changed, 134 insertions(+), 8 deletions(-) create mode 100644 apps/advanced/backend/views/site/error.php create mode 100644 apps/advanced/frontend/views/site/error.php diff --git a/apps/advanced/backend/config/main.php b/apps/advanced/backend/config/main.php index 377d34c..30c1825 100644 --- a/apps/advanced/backend/config/main.php +++ b/apps/advanced/backend/config/main.php 
@@ -17,13 +17,16 @@ return array(
 'modules' => array(
 ),
 'components' => array(
+ 'request' => array(
+ 'enableCsrfValidation' => true,
+ ),
 'db' => $params['components.db'],
 'cache' => $params['components.cache'],
 'user' => array(
- 'class' => 'yii\web\User',
 'identityClass' => 'common\models\User',
 ),
 'log' => array(
+ 'traceLevel' => YII_DEBUG ? 3 : 0,
 'targets' => array(
 array(
 'class' => 'yii\log\FileTarget',
@@ -31,6 +34,9 @@ return array(
 ),
 ),
 ),
+ 'errorHandler' => array(
+ 'errorAction' => 'site/error',
+ ),
 ),
 'params' => $params,
 );
diff --git a/apps/advanced/backend/controllers/SiteController.php b/apps/advanced/backend/controllers/SiteController.php
index 480406a..28f2310 100644
--- a/apps/advanced/backend/controllers/SiteController.php
+++ b/apps/advanced/backend/controllers/SiteController.php
@@ -8,6 +8,36 @@ use common\models\LoginForm;
 class SiteController extends Controller
 {
+ public function behaviors()
+ {
+ return array(
+ 'access' => array(
+ 'class' => \yii\web\AccessControl::className(),
+ 'rules' => array(
+ array(
+ 'actions' => array('login'),
+ 'allow' => true,
+ 'roles' => array('?'),
+ ),
+ array(
+ 'actions' => array('logout', 'index'),
+ 'allow' => true,
+ 'roles' => array('@'),
+ ),
+ ),
+ ),
+ );
+ }
+
+ public function actions()
+ {
+ return array(
+ 'error' => array(
+ 'class' => 'yii\web\ErrorAction',
+ ),
+ );
+ }
+
 public function actionIndex()
 {
 return $this->render('index');
diff --git a/apps/advanced/backend/views/site/error.php b/apps/advanced/backend/views/site/error.php
new file mode 100644
index 0000000..024e27d
--- /dev/null
+++ b/apps/advanced/backend/views/site/error.php
@@ -0,0 +1,29 @@
+title = $name;
+?>
+
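Review bot: `'enableCsrfValidation' => true` is the right default, but the line should carry a comment about what it does not cover: as far as I recall, Yii only validates the CSRF token for unsafe HTTP methods, so a state-changing action that is still reachable by GET (logout is the usual example) remains exposed to cross-site requests unless it is additionally restricted to POST. I would add `// CSRF token is only checked on non-GET requests; keep state-changing actions POST-only` above it. `'traceLevel' => YII_DEBUG ? 3 : 0` also deserves a why-comment, e.g. `// no call-stack trace outside debug: it leaks file paths into logs and costs a backtrace per message`, since the rationale lives only in the commit message. Removing `'class' => 'yii\web\User'` presumably relies on the framework default for the `user` component; a short note to that effect would save the next reader a trip through the history.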
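Review bot: The backend `access` behavior has no `'only'` list, so the filter also applies to the `error` action registered in `actions()` in this same hunk, and no rule allows it — as far as I can tell a guest who triggers a 404/500 in the backend would be redirected to login instead of seeing the error view, and an authenticated user would get a 403 from the error page itself. The frontend controller in this commit scopes its filter with `'only'`, so the consistent fix is `'only' => array('login', 'logout', 'index'),` placed before `'rules'`, or alternatively a role-less rule `array('actions' => array('error'), 'allow' => true),` so everyone can reach it. The same gap denies `login` to already-authenticated users with a 403 rather than a redirect; if that is unintended, add `'login'` to the `@` rule. The `logout` rule accepts any verb, so consider `'verbs' => array('post'),` on it, because the CSRF validation enabled in this commit would not cover a GET-triggered logout. The `SiteController` class body continues outside the hunk.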
+ +

title); ?>

+ +
+ +
+ +

+ The above error occurred while the Web server was processing your request. +

+

+ Please contact us if you think this is a server error. Thank you. +

+ +
diff --git a/apps/advanced/environments/dev/backend/web/index.php b/apps/advanced/environments/dev/backend/web/index.php
index 7d47419..2113419 100644
--- a/apps/advanced/environments/dev/backend/web/index.php
+++ b/apps/advanced/environments/dev/backend/web/index.php
@@ -1,6 +1,6 @@ 'yii\gii\Module' ), 'components' => array(
+ 'request' => array(
+ 'enableCsrfValidation' => true,
+ ),
 'db' => $params['components.db'],
 'cache' => $params['components.cache'],
 'user' => array(
- 'class' => 'yii\web\User',
 'identityClass' => 'common\models\User',
 ),
 'log' => array(
+ 'traceLevel' => YII_DEBUG ? 3 : 0,
 'targets' => array(
 array(
 'class' => 'yii\log\FileTarget',
@@ -31,6 +34,9 @@ return array(
 ),
 ),
 ),
+ 'errorHandler' => array(
+ 'errorAction' => 'site/error',
+ ),
 ),
 'params' => $params,
 );
diff --git a/apps/advanced/frontend/controllers/SiteController.php b/apps/advanced/frontend/controllers/SiteController.php
index 0c1b2f5..be9a634 100644
--- a/apps/advanced/frontend/controllers/SiteController.php
+++ b/apps/advanced/frontend/controllers/SiteController.php
@@ -12,11 +12,37 @@ use yii\helpers\Security;
 class SiteController extends Controller
 {
+ public function behaviors()
+ {
+ return array(
+ 'access' => array(
+ 'class' => \yii\web\AccessControl::className(),
+ 'only' => array('login', 'logout', 'signup'),
+ 'rules' => array(
+ array(
+ 'actions' => array('login', 'signup'),
+ 'allow' => true,
+ 'roles' => array('?'),
+ ),
+ array(
+ 'actions' => array('logout'),
+ 'allow' => true,
+ 'roles' => array('@'),
+ ),
+ ),
+ ),
+ );
+ }
+
 public function actions()
 {
 return array(
+ 'error' => array(
+ 'class' => 'yii\web\ErrorAction',
+ ),
 'captcha' => array(
 'class' => 'yii\captcha\CaptchaAction',
+ 'fixedVerifyCode' => YII_ENV_TEST ? 'testme' : null,
 ),
 );
 }
diff --git a/apps/advanced/frontend/views/site/error.php b/apps/advanced/frontend/views/site/error.php
new file mode 100644
index 0000000..024e27d
--- /dev/null
+++ b/apps/advanced/frontend/views/site/error.php
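Review bot: The `logout` rule in the frontend `access` behavior allows the action for any HTTP verb, so a `<img src="/site/logout">` on a third-party page logs the visitor out; the CSRF validation enabled in this commit would not prevent that, since (as far as I recall) Yii checks the token only for non-GET methods. Add `'verbs' => array('post'),` to the `logout` rule, or a `VerbFilter` behavior, and have the logout link submit a form. `'fixedVerifyCode' => YII_ENV_TEST ? 'testme' : null` disables the captcha entirely whenever the environment resolves to `test`, which is an operational dependency worth stating in code: `// captcha answer is pinned for functional tests only; never deploy a public host with YII_ENV=test`. The `'only'` list correctly leaves `error` and `captcha` outside the filter so guests can reach both. The `SiteController` class body continues outside the hunk.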
@@ -0,0 +1,29 @@ +title = $name; +?> +
+ +

title); ?>

+ +
+ +
+ +

+ The above error occurred while the Web server was processing your request. +

+

+ Please contact us if you think this is a server error. Thank you. +

+ +