3

I am using the Yii 1.13 framework for my project. I need the "gii" code generator, but I want to restrict it to admin users only. How can I achieve this?

Ganesh Ghalame
  • 1
    gii is a developer tool and should not normally be made available to authenticated users. Look at implementing .htaccess to restrict all access for your production server, or delete the functions from your live deployment. – crafter May 01 '15 at 11:55

2 Answers

2

Follow the below steps:-

  1. Copy the gii module from system.gii, i.e. framework/gii
  2. Paste it inside the protected/modules folder of project.
  3. Make the following changes in the GiiModule.php in your gii module.

Change this

public function beforeControllerAction($controller, $action)
{
    if(parent::beforeControllerAction($controller, $action))
    {
        $route=$controller->id.'/'.$action->id;
        if(!$this->allowIp(Yii::app()->request->userHostAddress) && $route!=='default/error')
            throw new CHttpException(403,"You are not allowed to access this page.");

        $publicPages=array(
            'default/login',
            'default/error',
        );

        if(Yii::app()->user->isGuest && !in_array($route,$publicPages))
            Yii::app()->user->loginRequired();
        // check your admin conditions here
        elseif(!isset(Yii::app()->user->isAdmin) || !Yii::app()->user->isAdmin)
            throw new CHttpException(403,"You are not allowed to access this page.");
        else
            return true;
    }
    return false;
}

  4. In your config/main.php

    'modules' => array(
        'gii'=>array(
            'class'=>'application.modules.gii.GiiModule',
            'password'=>'Your password',
            'ipFilters'=>array('127.0.0.1','::1'),
        ),
    ),

Note:- I haven't tested it. But it might give you an idea about how to proceed.

Let me see
0

You can restrict users by IP or choose a password for the Gii tool, according to its documentation

return array(
    ......
    'modules'=>array(
        'gii'=>array(
            'class'=>'system.gii.GiiModule',
            'password'=>'pick up a password here',
            // 'ipFilters'=>array(...a list of IPs...),
        ),
    ),
);
Touqeer Shafi
  • This is not what OP is asking. Even if an unauthenticated user knows the password, he can use the Gii tool. – Let me see Apr 30 '15 at 04:46
  • @Touqeer Shafi I know IP based filter but if normal user knows password he can easily access, I want to prevent normal user from accessing "gii" even login page – Ganesh Ghalame Apr 30 '15 at 06:58
  • @GaneshGhalame how will normal user knows password for gii tool, as this password was saved in your config files ? – Touqeer Shafi Apr 30 '15 at 07:17
  • @Touqeer Shafi, My question is disabling the module, even though normal user knows or doesn't know the password he can access the "gii" login page, why should system show them the even login page as of logically when not authorized. – Ganesh Ghalame Apr 30 '15 at 07:31
  • 2
    @GaneshGhalame Gii tool is created only for development purposes; it is not recommended that you use it on a production server. So just remove it from the modules array in the config files. Does that make sense? – Touqeer Shafi Apr 30 '15 at 07:42
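
The settings discussed in both answers (`class`, `password`, `ipFilters`) and the commenters' advice to keep Gii off production servers can be checked before deployment. The following is an added example, not code from either answer or from Yii: `auditGiiConfig()` is a hypothetical helper, and the sample config is constructed.

```php
<?php
// Added example: auditGiiConfig() is a hypothetical helper, not part of Yii.
// It reports risky Gii settings in a Yii 1.x config array.
function auditGiiConfig(array $config, $isProduction)
{
    $findings = array();
    $modules = isset($config['modules']) ? $config['modules'] : array();
    foreach ($modules as $id => $settings) {
        // Yii accepts both 'modules'=>array('gii') and 'gii'=>array(...).
        if (is_int($id)) {
            $id = $settings;
            $settings = array();
        }
        $class = isset($settings['class']) ? $settings['class'] : $id;
        // Matches system.gii.GiiModule and a copy under application.modules.
        if ($id !== 'gii' && !preg_match('/(^|\.)GiiModule$/', $class)) {
            continue;
        }
        if ($isProduction) {
            $findings[] = "$id: Gii is enabled in a production config";
        }
        if (empty($settings['password'])) {
            $findings[] = "$id: no Gii password is set";
        }
        // Assumption (Yii 1.1 behaviour): an empty or false ipFilters turns
        // the IP check off, and '*' in an entry is a wildcard.
        if (array_key_exists('ipFilters', $settings)) {
            $filters = $settings['ipFilters'];
            if (empty($filters)) {
                $findings[] = "$id: ipFilters is empty, any address is allowed";
            }
            foreach ($filters ?: array() as $filter) {
                if (strpos($filter, '*') !== false) {
                    $findings[] = "$id: wildcard ipFilter '$filter'";
                }
            }
        }
    }
    return $findings;
}

// Constructed sample, modelled on the config in the first answer.
$sample = array('modules' => array('gii' => array(
    'class' => 'application.modules.gii.GiiModule',
    'password' => '',
    'ipFilters' => array('127.0.0.1', '10.0.*'),
)));
foreach (auditGiiConfig($sample, true) as $finding) {
    echo $finding, PHP_EOL;
}
```

In a deployment script, pass the array returned by the production `config/main.php` instead of `$sample` and fail the build when the result is not empty.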