Not working beforeAction/Init in yii2



  • Hello.

The problem is as follows. A standard User model and the LoginForm form are used for authorisation. There is one user, and the password is strong.

    There is a base controller that the other admin-panel controllers inherit from:

    <?php

    namespace app\components;

    use Yii;
    use yii\helpers\Url;
    use yii\web\Controller;

    /**
     * Common settings for the admin-panel controllers. Simple implementation for a single user.
     */
    class AdminController extends Controller
    {
        /**
         * Initialisation
         * @return void|\yii\web\Response
         */
        public function init()
        {
            /**
             * If the user is a guest, throw them out to the login page
             */
            if (Yii::$app->user->isGuest) {
                return $this->redirect(Url::to(['/site/login']));
            }
            return parent::init();
        }
    }

Accordingly, the other controllers extend AdminController. If I understand correctly, when the user is not authorised they should be redirected to the login page. But here is the thing. The Acunetix automatic scanner (there is a free version) scanned the site and somehow managed to add records to the site. It definitely could not log in: there are attempts in the logs, but no successful one.

    It makes requests to the controller like this:

    POST /zakaz/admin/service-pages/create HTTP/1.1
    Pragma: no-cache
    Cache-Control: no-cache
    Referer: http://site.ru/zakaz/admin/service-pages/create
    Content-Length: 754
    Content-Type: application/x-www-form-urlencoded
    Cookie: _csrf=ee37cd360845f80621744bb0d66dbc7a04216f7b49080cbad121366bd108c3e9a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22rJXjLPDNob9MORGyaWQlcIKOhndjB6u-%22%3B%7D; PHPSESSID=a647d2b381203273ecbabad6377ab2a7
    Host: site.ru
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*

    ServicePages%5bdeadline%5d=20&ServicePages%5bfirst_alt_text%5d=Acunetix&ServicePages%5bfirst_content%5d=Acunetix&ServicePages%5bfirst_title%5d=Acunetix&ServicePages%5bh1_title%5d=Mr.&ServicePages%5bimage_path%5d=biznes-plan.jpg&ServicePages%5bmeta_description%5d=20&ServicePages%5bmeta_keywords%5d=20&ServicePages%5bog_description%5d=20&ServicePage

    The service-pages controller is a standard generated CRUD; it only extends the AdminController class. Through the browser it works, but with this scanner it does not. I tried overriding beforeAction. Gentlemen, how do we solve this problem?



  • Such things should be done through behaviors. This code can be added to AdminController:

    public function behaviors()
    {
        return [
            'access' => [
                'class' => \yii\filters\AccessControl::className(),
                'rules' => [
                    [
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
            ],
        ];
    }
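As an added example (not the answer's or the project's own code), here is a complete AdminController that applies the AccessControl filter from the answer and also shows the manual check done in beforeAction, which is where the question's init() logic actually needs to live. The namespace app\components and the /site/login route are taken from the question; the log message format and the denyCallback are my own additions.

```php
<?php

namespace app\components;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;

/**
 * Base controller for the admin panel. Every request to a child controller
 * must come from an authenticated user; everything else is stopped before
 * the action runs.
 */
class AdminController extends Controller
{
    /**
     * AccessControl is a filter: its own beforeAction() runs before the
     * action and returns false when no rule allows the request, so the
     * action body is never executed. '@' matches authenticated users only.
     */
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    [
                        'allow' => true,
                        'roles' => ['@'],
                    ],
                ],
                // Optional. Without denyCallback the filter redirects guests
                // to the login page via User::loginRequired() and throws
                // ForbiddenHttpException for logged-in users. This callback
                // keeps that behaviour and additionally logs the blocked
                // request so scanner traffic shows up in the application log.
                'denyCallback' => function ($rule, $action) {
                    Yii::warning(sprintf(
                        'Denied %s %s for guest from %s',
                        Yii::$app->request->method,
                        $action->getUniqueId(),
                        Yii::$app->request->userIP
                    ), __METHOD__);
                    Yii::$app->user->loginRequired();
                },
            ],
        ];
    }

    /**
     * The same check done by hand. It belongs here, not in init(): Yii
     * ignores the return value of init(), and redirect() only sets a
     * Location header on the response object, it does not abort the
     * request, so the create action still ran for a client that ignored
     * the redirect. Returning false from beforeAction() is what prevents
     * the action from running.
     */
    public function beforeAction($action)
    {
        if (!parent::beforeAction($action)) {
            return false;
        }
        if (Yii::$app->user->isGuest) {
            $this->redirect(['/site/login']);
            return false; // the action body does not execute
        }
        return true;
    }
}
```

Either mechanism alone is enough; the filter is preferable because it is declarative and cannot be bypassed by a child controller that forgets to call parent::beforeAction(). The difference from the original code is not the redirect itself but that the request is stopped regardless of whether the client follows the redirect.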
    
