Yii - User defined rules for Access rights

 Yii Access Control Rules

A key part of a web application is access security. Who can see what data, who can do what actions. Within Yii the first layer of access security is defined within the controller where access control rules are defined for each action. The default access rules created by the code generator in Gii are ;
  1. 'All Users' - anybody is allowed to access these functions, which would relate to all visitors to your website
  2. 'Authenticated User' - those users which have logged in using whatever user authentication system you have chosen to use
  3. 'Admin' User - in fact this means a User called admin rather than any user defined as a super-user!
However, using other parameters of the accessRules you can setup more advanced security algorithms.  


The expression property allows you to define a function that will be called resulting in a true or false responses to whether the current user is able to access the listed functions. For example, in the following code I have setup a function within the same controller called isAdmin which returns true or false as to whether the current user has super-user pivileges.  
	 * Specifies the access control rules.
	 * This method is used by the 'accessControl' filter.
	 * @return array access control rules
	public function accessRules()
		return array(
			array('allow', // allow admin user to perform 'admin' and 'delete' actions
				'actions'=>array('delete', 'admin'),

IP address

The ips property will restrict access to a certain list of ip addresses:-
			array('allow', // allow admin user to perform 'admin' and 'delete' actions
				'actions'=>array('delete', 'admin'),

Further Access Rules

The Yii documentation mentions other rules as follows:-
  'allow',  // or 'deny'
  // optional, list of action IDs (case insensitive) that this rule applies to
  // if not specified, rule applies to all actions
  'actions'=>array('edit', 'delete'),
  // optional, list of controller IDs (case insensitive) that this rule applies to
  'controllers'=>array('post', 'admin/user'),
  // optional, list of usernames (case insensitive) that this rule applies to
  // Use * to represent all users, ? guest users, and @ authenticated users
  'users'=>array('thomas', 'kevin'),
  // optional, list of roles (case sensitive!) that this rule applies to.
  'roles'=>array('admin', 'editor'),
  // optional, list of IP address/patterns that this rule applies to
  // e.g., 127.0.0.*
  // optional, list of request types (case insensitive) that this rule applies to
  'verbs'=>array('GET', 'POST'),
  // optional, a PHP expression whose value indicates whether this rule applies
  'expression'=>'!$user->isGuest && $user->level==2',
  // optional, the customized error message to be displayed
  // This option is available since version 1.1.1.
  'message'=>'Access Denied.',
If you have any useful rules, please feel free to share them below...   See also: isAdmin()

Did you know you can hire me?

I take on projects of all sizes. From Consulting to large Development Projects.

If you're starting a new Yii project and would like some help to get setup and running or you need some help with a particular module or you just need someone to develop the whole dang thing, then just ask ...


  • chris

    Hi Ravi

    Thanks for your input - it looks very interesting. I shall have to try it out.


  • raviverma.5688

    Below is another available option in these rules:

    // optional, the denied method callback name, that will be called once the

    // access is denied, instead of showing the customized error message. It can also be

    // a valid PHP callback, including class method name (array(ClassName/Object, MethodName)),

    // or anonymous function (PHP 5.3.0+). The function/method signature should be as follows:

    // function foo($user, $rule) { ... }

    // where $user is the current application user object and $rule is this access rule.

    // This option is available since version 1.1.11.


Leave a Comment

twitterfacebookgooglelinkedin https://me.yahoo.com