Yii Authorization and Access Control Best Practices

Last updated:

There are a few posts on this website that deal with authorization and access controlling on Yii but they are mostly related to the module I (and I think he majority of Yii users) use, which is the awesome Yii rights module written by Cniska.

This post is, however, a collection of best practices and tips and tricks on the theme Access control and Authorization on Yii, but not necessarily bound to Rights module.

Error viewing

The default Yii way to handle errors is to call the site/error view, which uses the app's layout to inform the user about the error that's occurred. However, don't forget to:

  • allow **all users to view the site/error action. If a user gets a **403 forbidden exception thrown, he/she will get redirected to site/error action but, if you haven't allowed him/her to view it, he won't be able to. Site/error is an action like all others and, for users to be able to view it, you must enable it.

  • don't forget to set a layout for the site/error view. Otherwise the user will get shown a blank page with just a <h2> tag which is very ugly and it looks very amateurish.

Dialogue & Discussion