Disallow ROLE_USER to login to backend

backend/controllers/SiteController.php

@@ -6,6 +6,7 @@
 use yii\filters\VerbFilter;
 use yii\filters\AccessControl;
 use common\models\LoginForm;
+use common\models\User;
 
 /**
  * Site controller
@@ -29,6 +30,10 @@ public function behaviors()
                         'actions' => ['logout', 'index'],
                         'allow' => true,
                         'roles' => ['@'],
+                        'matchCallback' => function ($rule, $action)
+                        {
+                            return Yii::$app->user->identity['role'] == User::ROLE_ADMIN;
+                        }
                     ],
                 ],
             ],
@@ -65,7 +70,7 @@ public function actionLogin()
         }
 
         $model = new LoginForm();
-        if ($model->load(Yii::$app->request->post()) && $model->login()) {
+        if ($model->load(Yii::$app->request->post()) && $model->backendLogin()) {
             return $this->goBack();
         } else {
             return $this->render('login', [

common/models/LoginForm.php

@@ -62,6 +62,28 @@ public function login()
         }
     }
 
+    /**
+     * Logs in a backend user using the provided email and password.
+     * 
+     * @return boolean whether the user is logged in successfully
+     */
+    public function backendLogin()
+    {
+        if ($this->validate()) {
+            $user = $this->getUser();
+            if ($user->role == User::ROLE_USER)
+            {
+                $this->_user = false;
+                $this->addError('email', 'Can not login as ' . User::ROLE_USER);
+                return false;
+            }
+
+            return Yii::$app->user->login($user, $this->rememberMe ? 3600 * 24 * 30 : 0);
+        } else {
+            return false;
+        }
+    }
+
     /**
      * Finds user by [[email]]
      *