Yii2: Redirect loop when using role based access and IP restrictions

Created on 1 Sep 2014 · 4 Comments · Source: yiisoft/yii2

    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    // logged-in users may reach logout/index, but only from secure IPs
                    [
                        'actions' => ['logout', 'index'],
                        'allow' => true,
                        'ips' => \Yii::$app->params['secureIps'],
                        'roles' => ['@'],
                    ],
                    // guests may reach login, but only from secure IPs
                    [
                        'allow' => true,
                        'actions' => ['login'],
                        'ips' => \Yii::$app->params['secureIps'],
                        'roles' => ['?'],
                    ],
                    // the error action is always reachable
                    [
                        'allow' => true,
                        'actions' => ['error'],
                    ],
                ],
            ],
            'verbs' => [
                'class' => VerbFilter::className(),
                'actions' => [
                    'logout' => ['post'],
                ],
            ],
        ];
    }

When trying to access any URL I'm redirected to site/login and it continues to redirect to site/login instead of showing an error that I shouldn't be allowed to do any of that. Seems like the role check is executed before the ips check?

When the user is logged in but from a non-secure IP I see the right error view.

bug

All 4 comments

Try this

                    [
                        'allow' => true,
                        'actions' => ['login'],
                        'ips' => \Yii::$app->params['secureIps'],
                        'roles' => ['?'],
                        // deny with 403 instead of the default redirect to the login page
                        'denyCallback' => function ($rule, $action) {
                            throw new \yii\web\ForbiddenHttpException(\Yii::t('yii', 'You are not allowed to perform this action.'));
                        },
                    ],

denyCallback is never called.

Fixed. Now you'll get 403 instead of a redirect loop in this case.
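As an added illustration (not Yii's code and not code from this thread), here is a simplified Python model of how the three rules from the report are evaluated, showing why a guest from a non-secure IP loops: the denied request is redirected to site/login, and the IP rule then denies site/login itself. The loop_guard flag models a guard that answers 403 instead of redirecting when the denied route is the login route, which produces the 403 the maintainer describes; the IP pattern, routes and redirect follower are constructed for the example.

```python
# Constructed, simplified model of Yii2's AccessControl evaluation for the
# configuration in this issue. Not Yii's code: only action, role and IP
# matching are modelled, and IPs use Yii-style '10.0.*' wildcard patterns.
SECURE_IPS = ["10.0.*"]        # constructed stand-in for params['secureIps']
LOGIN_ROUTE = "site/login"     # the route the default deny redirects guests to
# (actions, allow, ips, roles): the three rules from the issue, in order
RULES = [
    (["logout", "index"], True, SECURE_IPS, ["@"]),
    (["login"], True, SECURE_IPS, ["?"]),
    (["error"], True, None, None),
]

def ip_matches(ip, patterns):
    """Exact match or prefix match up to the first '*'."""
    for pattern in patterns:
        star = pattern.find("*")
        if ip == pattern or (star != -1 and ip.startswith(pattern[:star])):
            return True
    return False

def rule_matches(rule, action, ip, is_guest):
    actions, _allow, ips, roles = rule
    if action not in actions:
        return False
    if roles is not None and ("?" if is_guest else "@") not in roles:
        return False
    return ips is None or ip_matches(ip, ips)

def check_access(route, ip, is_guest, loop_guard):
    """One request: 'allow', ('redirect', route) or 403 (the HTTP status)."""
    action = route.split("/")[1]
    for rule in RULES:
        if rule_matches(rule, action, ip, is_guest):
            return "allow" if rule[1] else 403
    # No rule matched: default deny. Guests are sent to the login page...
    if is_guest:
        if loop_guard and route == LOGIN_ROUTE:
            return 403         # ...unless the denied page IS the login page
        return ("redirect", LOGIN_ROUTE)
    return 403

def follow(route, ip, is_guest, loop_guard, max_hops=5):
    """Follow redirects like a browser; report a loop after max_hops."""
    for _ in range(max_hops):
        result = check_access(route, ip, is_guest, loop_guard)
        if not (isinstance(result, tuple) and result[0] == "redirect"):
            return result
        route = result[1]
    return "redirect loop"
```

A logged-in user from a non-secure IP gets 403 either way, matching the reporter's observation that only the guest path loops.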

Please use forums for questions. GitHub is for bug requests. Thanks!
