I'm using yii2-admin and yii2-user. I've created a role Creator who have access to the everything. There is another role called Admin who have limited access. But have the power to delete users. Now I want to restrict Admin from deleting Creator. I know that this can be achieved by overriding the delete function of the AdminController of yii2-user. But I cannot figure out the logic of restricting Admin or any other user from deleting Creator.
Thanks in advance!
分享 Take a look here: http://www.yiiframework.com/doc-2.0/guide-security-authorization.html#access-control-filter The only thing that you need to do is to limit the access to the delete function to people who have the Creator role. All others will not be able to delete anything.
your function should look like
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(),
'rules' => [
........
[
'actions' => ['save', 'update', 'status', 'activate-all', 'deactivate-all'], // Define specific actions
'allow' => true, // Has access
'roles' => ['Admin', 'Creator'],
],
[
'actions' => ['delete', 'delete-all'], // Define specific actions
'allow' => true, // Has access
'roles' => ['Creator'],
],
[
'allow' => false, // Do not have access
'roles' => ['?'], // Guests '?'
],
],
],
];
}
This is just an example, modify it to suit your own needs. Probably you should not allow an Admin to edit a Creator too as changing the password would be almost the same thing as deleting.
分享
