I have a backend project on my SSL server, like ssl.mybackend.com, with the following:
use yii\filters\AccessControl;
use yii\web\Controller;

class FormController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                    [
                        'actions' => ['index', 'delete', 'view', 'create'],
                        'allow' => true,
                        'roles' => ['@'], // only authorized users
                    ],
                    [
                        'actions' => ['create-order'],
                        'allow' => true, // change all users to "myfrontend.com"
                    ],
                ],
            ],
        ];
    }
}
I need to grant access to the create-order action only to my frontend website. I am not sure if it's possible to do this with AccessControl, and I would appreciate it if you could advise other solutions.
If you want to use AJAX calls from the frontend on another domain, you should use corsFilter instead. Example from the documentation:
use yii\web\Controller;

class FormController extends Controller
{
    public function behaviors()
    {
        return [
            'corsFilter' => [
                'class' => \yii\filters\Cors::className(),
                'cors' => [
                    // restrict access to these origins only
                    'Origin' => ['http://www.myserver.com', 'https://www.myserver.com'],
                    // Allow only POST and PUT methods
                    'Access-Control-Request-Method' => ['POST', 'PUT'],
                    // Allow only the 'X-Wsse' header
                    'Access-Control-Request-Headers' => ['X-Wsse'],
                    'Access-Control-Allow-Credentials' => true,
                    // Allow OPTIONS caching
                    'Access-Control-Max-Age' => 3600,
                    // Allow the X-Pagination-Current-Page header to be exposed to the browser.
                    'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page'],
                ],
            ],
        ];
    }
}
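To show how the two filters fit together for the situation in the question, here is an added example (my own code, not from the question, the answer or the Yii documentation) that keeps the question's AccessControl rules and adds the Cors filter scoped to create-order only, with the frontend origin pinned to an exact value. The namespace, the origin https://myfrontend.com, the allowed headers and the actionCreateOrder stub are assumptions; Cors::class / AccessControl::class are the modern spelling of the ::className() calls used above.

```php
<?php
// Added example: combine the question's AccessControl with the answer's Cors filter.
// Assumed namespace, origin and action body; adjust to the real project.

namespace backend\controllers;

use yii\filters\AccessControl;
use yii\filters\Cors;
use yii\web\Controller;

class FormController extends Controller
{
    public function behaviors()
    {
        return [
            // Cors must be listed before access/auth filters: the preflight OPTIONS
            // request carries no session, and Cors answers it with 200 and stops.
            'corsFilter' => [
                'class' => Cors::class,
                'only' => ['create-order'], // no CORS headers on the other actions
                'cors' => [
                    // Exact origins only. Never '*' together with Allow-Credentials.
                    'Origin' => ['https://myfrontend.com'],          // assumption
                    'Access-Control-Request-Method' => ['POST'],
                    'Access-Control-Request-Headers' => ['Content-Type'], // assumption
                    'Access-Control-Allow-Credentials' => true,
                    'Access-Control-Max-Age' => 3600,
                ],
            ],
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    [
                        'actions' => ['index', 'delete', 'view', 'create'],
                        'allow' => true,
                        'roles' => ['@'], // authenticated users only
                    ],
                    [
                        'actions' => ['create-order'],
                        'allow' => true,
                        'verbs' => ['POST'], // GET to create-order is denied
                    ],
                    // Anything not matched above falls through to the default deny.
                ],
            ],
        ];
    }

    public function beforeAction($action)
    {
        // yii\web\Controller validates a CSRF token on POST by default, and a page
        // on another origin cannot obtain one. Switch the check off for this single
        // action only; the strict Origin list and the verbs rule remain in force.
        if ($action->id === 'create-order') {
            $this->enableCsrfValidation = false;
        }

        return parent::beforeAction($action);
    }

    public function actionCreateOrder()
    {
        // Assumed stub: read the POST body, create the order, return JSON.
        return $this->asJson(['status' => 'ok']);
    }
}
```

The Origin check is enforced by the browser on the user's behalf; a non-browser client can put any value in the Origin header. So this configuration limits which web pages may call create-order from a visitor's browser, not which servers may call it. If the action must be reachable only by the frontend server itself, that requires a credential the backend verifies (for example one of the yii\filters\auth filters), which CORS does not provide.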