
AccessControl deny rule by default #579

Closed
creocoder opened this Issue Jun 24, 2013 · 11 comments

creocoder (Contributor) commented Jun 24, 2013

Since it's bad practice to make the last rule an allow rule, we can make a deny rule the last, default one. It allows us not to define the last rule and to always be secure.

samdark (Member) commented Jun 24, 2013

I'm for it. See no valid use-cases for blacklisting approach.

resurtm (Contributor) commented Jun 24, 2013

+1. I always use deny-by-default behavior.

Ragazzo (Contributor) commented Jun 24, 2013

Good feature.

rawtaz (Contributor) commented Jun 24, 2013

+1. The default for access rules should definitely be deny, and one will have to explicitly allow that which one wants to give access to.

qiangxue (Member) commented Jun 24, 2013

I don't think we should make this change.

  • Both defaults are equivalent in theory. This is like AllowOrder in Apache config.
  • Existing Yii users are familiar with the current behavior. And this behavior was actually from .NET originally.
samdark (Member) commented Jun 24, 2013

Even in classic papers it's not recommended to use a blacklisting approach for access control. I don't think we need any flexibility there. I see no valid use cases for blacklisting.

We should not care about BC if we can improve things.

rawtaz (Contributor) commented Jun 24, 2013

+1 regarding not having to care about BC. Now is the time to make this change, not later.

theTechGuyy commented Jun 24, 2013

+1 for the whitelisting approach.

rawtaz (Contributor) commented Jun 24, 2013

Even though I don't have any formal statistics, I'd argue that it is clearly way more common to add access filtering with the purpose of only allowing certain users/whatever, rather than for the purpose of denying only certain users/whatever. I think everyone can relate to that as well.

slavcodev (Contributor) commented Jun 24, 2013

One more vote for whitelisting. It's one rule less in most accessControl configs ))

qiangxue added a commit that referenced this issue Jun 25, 2013

qiangxue (Member) commented Jun 25, 2013

Alright. I'm convinced. Changes made. Thanks!
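The rule-ordering semantics the thread argues about, as an added example that is not code from the Yii project: rules are walked top to bottom, the first rule whose actions and roles match decides, and the fall-through default only matters when nothing matched. The evaluator below, and the `['isGuest' => bool, 'roles' => [...]]` user shape, are assumptions for illustration; only the rule keys (`allow`, `actions`, `roles`, with `?` for guests and `@` for authenticated users) mirror the AccessControl config.

```php
<?php
// Added example (not Yii's own code): a minimal ordered access-rule evaluator
// that models the two defaults discussed in issue #579.
// Rule keys mirror the AccessControl config; the user array shape is assumed.

/** Does one rule apply to this action and this user? */
function ruleMatches(array $rule, string $action, array $user): bool
{
    if (isset($rule['actions']) && !in_array($action, $rule['actions'], true)) {
        return false;           // rule is scoped to other actions
    }
    if (!isset($rule['roles'])) {
        return true;            // no role constraint: applies to everyone
    }
    foreach ($rule['roles'] as $role) {
        if ($role === '?' && $user['isGuest']) {
            return true;        // '?' = guests only
        }
        if ($role === '@' && !$user['isGuest']) {
            return true;        // '@' = any authenticated user
        }
        if (in_array($role, $user['roles'], true)) {
            return true;        // a named role the user holds
        }
    }
    return false;
}

/** Walk rules top to bottom; the first match decides, otherwise the default applies. */
function isAllowed(array $rules, string $action, array $user, bool $denyByDefault): bool
{
    foreach ($rules as $rule) {
        if (ruleMatches($rule, $action, $user)) {
            return (bool) $rule['allow'];
        }
    }
    // Fall-through: deny (Yii 2 after this issue) or allow (the previous behaviour).
    return !$denyByDefault;
}

// Constructed rule set in which the author forgot the trailing deny rule.
$rules = [
    ['allow' => true, 'actions' => ['index', 'view'],    'roles' => ['?', '@']],
    ['allow' => true, 'actions' => ['update', 'delete'], 'roles' => ['admin']],
];

$guest = ['isGuest' => true,  'roles' => []];
$admin = ['isGuest' => false, 'roles' => ['admin']];

// A guest requesting 'delete' matches no rule at all. With the old
// allow-by-default fall-through that request is let through; with
// deny-by-default the same config refuses it and no extra rule is needed.
var_dump(isAllowed($rules, 'delete', $guest, false));   // old default: the hole
var_dump(isAllowed($rules, 'delete', $guest, true));    // deny-by-default closes it
var_dump(isAllowed($rules, 'delete', $admin, true));    // admin still matches rule 2
var_dump(isAllowed($rules, 'index',  $guest, true));    // guest still matches rule 1

// Under allow-by-default, the only defence was an explicit catch-all last rule,
// which is exactly the rule deny-by-default makes redundant.
$rulesWithExplicitDeny = array_merge($rules, [['allow' => false]]);
var_dump(isAllowed($rulesWithExplicitDeny, 'delete', $guest, false));
```

The two defaults are equivalent only for a config that ends in a catch-all rule; the difference is what happens when that rule is missing, which is the failure mode the deny-by-default choice removes.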

@qiangxue qiangxue closed this Jun 25, 2013

@ghost ghost assigned qiangxue Jun 25, 2013

qiansen1386 pushed a commit to qiansen1386/yii2 that referenced this issue Mar 9, 2014
