Hi, I just created a REST API and want to use yii2-admin to control API access. Is it possible to do that with this module?
I tried adding the AccessControl component to the API controller. It recognizes that the user is logged in, but it does not recognize the user's assignment and keeps returning a 403 response, even though the user has the right assignment for the URL.
If I remove the access part from the controller's behaviors, it works, but then there is no restriction based on user assignment.
This is my config, main.php:
<?php
// Application parameters: shared values first, then the local override,
// then the API application's own params (later files win on key clashes).
$params = array_merge(
    require __DIR__ . '/../../common/config/params.php',
    require __DIR__ . '/../../common/config/params-local.php',
    require __DIR__ . '/params.php'
);

// Configuration of the stateless REST application ("app-api").
return [
    'id' => 'app-api',
    'basePath' => dirname(__DIR__),
    'bootstrap' => ['log'],

    'modules' => [
        // Versioned API module; its controllers are reached under the "v1/" route prefix.
        'v1' => [
            'basePath' => '@app/modules/v1',
            'class' => 'api\modules\v1\Module'
        ],
    ],

    'components' => [
        // RBAC items and assignments are read from the database.
        // Roles listed in defaultRoles are implicitly granted to every user,
        // so 'guest' should only carry permissions that are safe for any caller.
        'authManager' => [
            'class' => 'yii\rbac\DbManager',
            'defaultRoles' => ['guest'],
        ],

        // No session, no auto-login cookie, no login page: each request has to
        // authenticate on its own (the controller below uses a bearer token).
        'user' => [
            'identityClass' => 'common\models\User',
            'loginUrl' => null,
            'enableAutoLogin' => false,
            'enableSession' => false,
        ],

        // Only errors and warnings are written to the file log target.
        'log' => [
            'targets' => [
                [
                    'class' => 'yii\log\FileTarget',
                    'levels' => ['error', 'warning'],
                ],
            ],
        ],

        // Request bodies sent as application/json are decoded by JsonParser.
        'request' => [
            'parsers' => [
                'application/json' => 'yii\web\JsonParser',
            ]
        ],

        // Pretty URLs with one REST rule for the v1/data-satuan controller;
        // 'pluralize' => false keeps the controller ID as written in the URL.
        'urlManager' => [
            'enablePrettyUrl' => true,
            'showScriptName' => false,
            'rules' => [
                [
                    'pluralize' => false,
                    'class' => 'yii\rest\UrlRule',
                    'controller' => 'v1/data-satuan',
                ],
            ]
        ],
    ],

    'params' => $params,
];
This is index.php:
<?php
// Development defaults, applied only when the constants are not already defined.
// With YII_DEBUG enabled, error responses carry extra detail (e.g. stack traces);
// an entry script deployed to production should define these as false / 'prod'.
if (!defined('YII_DEBUG')) {
    define('YII_DEBUG', true);
}
if (!defined('YII_ENV')) {
    define('YII_ENV', 'dev');
}

// Composer autoloader, the Yii class file, then the shared bootstrap (path aliases etc.).
require __DIR__ . '/../../vendor/autoload.php';
require __DIR__ . '/../../vendor/yiisoft/yii2/Yii.php';
require __DIR__ . '/../../common/config/bootstrap.php';

// Merge order matters: later files override earlier ones, so the API's
// main-local.php has the final say.
$config = yii\helpers\ArrayHelper::merge(
    require __DIR__ . '/../../common/config/main-local.php',
    require __DIR__ . '/../config/main.php',
    require __DIR__ . '/../config/main-local.php'
);

(new yii\web\Application($config))->run();
And this is the controller:
<?php
namespace api\modules\v1\controllers;
use Yii;
use yii\rest\ActiveController;
use yii\filters\Cors;
use yii\filters\VerbFilter;
use yii\filters\auth\HttpBearerAuth;
use mdm\admin\components\AccessControl;
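/**
 * REST controller exposing the DataSatuan model in the v1 API module.
 *
 * On top of the filters inherited from the parent controller, requests pass
 * through CORS, bearer-token authentication, rate limiting and finally the
 * yii2-admin access filter, in that order.
 */
class DataSatuanController extends ActiveController
{
    /** @var string ActiveRecord class served by the built-in REST actions. */
    public $modelClass = 'common\models\DataSatuan';

    /**
     * Builds the filter chain for this controller.
     *
     * Filters run in array order, so the order of the assignments below is
     * significant: a filter that needs the caller's identity must come after
     * the authenticator.
     *
     * @return array behavior configurations keyed by behavior name
     */
    public function behaviors()
    {
        $behaviors = parent::behaviors();

        // Reuse the parent's authenticator definition, restricted to bearer tokens.
        $authenticator = $behaviors['authenticator'];
        $authenticator['authMethods'] = [
            HttpBearerAuth::class,
        ];

        // The parent's rate limiter identifies the caller through the user
        // identity. Left in its inherited slot it would end up *before* the
        // re-appended authenticator and see no identity, so it is moved too.
        $rateLimiter = isset($behaviors['rateLimiter']) ? $behaviors['rateLimiter'] : null;
        unset($behaviors['authenticator'], $behaviors['rateLimiter']);

        // CORS has to run before authentication.
        // NOTE(review): Yii's default Cors settings allow any origin; restrict
        // the allowed origins to the clients that actually need this API.
        $behaviors['cors'] = [
            'class' => Cors::class,
        ];

        $behaviors['authenticator'] = $authenticator;
        if ($rateLimiter !== null) {
            $behaviors['rateLimiter'] = $rateLimiter;
        }

        // Authorization comes last so the authenticated identity is available.
        // NOTE(review): yii2-admin's AccessControl authorizes by route; confirm
        // that this application's routes are the ones granted to the user in RBAC.
        $behaviors['access'] = [
            'class' => AccessControl::class,
        ];

        return $behaviors;
    }

    /**
     * Returns the built-in REST actions without 'index', which this
     * controller implements itself in actionIndex().
     *
     * @return array action configurations keyed by action ID
     */
    public function actions()
    {
        $actions = parent::actions();
        unset($actions['index']);

        return $actions;
    }

    /**
     * Lists DataSatuan records.
     *
     * No 'pagination' option is passed, so the data provider's default
     * pagination applies. Unlike the built-in index action, this override does
     * not invoke checkAccess(); authorization relies on the 'access' filter.
     *
     * @return \yii\data\ActiveDataProvider provider over all DataSatuan rows
     */
    public function actionIndex()
    {
        return new \yii\data\ActiveDataProvider([
            'query' => \common\models\DataSatuan::find(),
        ]);
    }
}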
And this is the response from cURL:
{
"name": "Forbidden",
"message": "You are not allowed to perform this action.",
"code": 0,
"status": 403,
"type": "yii\\web\\ForbiddenHttpException"
}
Is there anything wrong, or is there anything I can do to make this module work in a REST API?