Check this tutorial if you want to create user login in yii 2

Yii has two methods to authorize users: ACF and RBAC.


The first one, ACF, is used in applications that require a minimal and simple access control. Basically, its behavior is based on five parameters:

  • allow: This parameter specifies whether this is an allow or deny rule; possible values are allow or deny
  • actions: This parameter specifies which actions this rule matches, and they are declared using an array of string
  • roles: This parameter specifies which user roles this rule matches; possible values are ?‘ and @, which mean respectively guest user and authenticated user
  • ips: This parameter specifies which client IP address this rule matches; the IP address that can contain * as a wildcard
  • verbs: This parameter specifies which verb (request method) this rules matches

By default, if no rule matches, access will be denied.

ACF is enabled by overwriting the behaviors() method of Controller and populating its access property with the content of some (or every one) of the preceding parameters.

    public function behaviors()
        return [
            'access' => [
                'class' => AccessControl::className(),
                'only' => ['login', 'logout', 'signup', 'index'],
                'rules' => [
                        'allow' => true,
                        'actions' => ['login', 'signup', 'index'],
                        'roles' => ['?'],
                        'allow' => true,
                        'actions' => ['logout'],
                        'roles' => ['@'],

In this example, the login, logout, signup, and index actions are enabled for guest users (all users) and the logout action is enabled only for authenticated ones.

ACF has many other parameters that can be defined, such as controllers , to define which controllers this rule matches (if it is empty, this means all controllers); matchCallback whose value is a PHP callable function called to verify whether this rule can be applied or not; and finally denyCallback, whose value is a PHP callable function used when this rule will deny access.

When a rule is denied, there are two different behaviors according to the role of the user. If a guest is denied, a denied rule will call the yiiwebUser::loginRequired() method to redirect the user’s browser to the login page; if the user is authenticated, it will throw a yiiwebForbiddenHttpException exception.

This behavior can be customized using the denyCallback property mentioned earlier, and by defining the correct callable PHP function.

Obviously, any detail about the logged in user is not considered by this type of authorization. During configuration in the behaviors() method, in fact, no detail about the user ever appears (for example, role). So we cannot define more precisely which conditions a user can execute or not a controller action.

ACF suggests only if we have to limit access to an authenticated user, without needing some other details to allow the controller action to be executed.

But in all those cases in which it is enough to limit access based on the condition that the user is logged in or not, it is the best approach. In the REST API with limited access (where only the authenticated users are able to make calls), ACF is probably the best solution.