Merge pull request #2599 from yiisoft/feature-restapi

apps/advanced/common/models/User.php

 <?php
 namespace common\models;
 
+use yii\base\NotSupportedException;
 use yii\db\ActiveRecord;
 use yii\helpers\Security;
 use yii\web\IdentityInterface;
@@ -72,6 +73,14 @@ class User extends ActiveRecord implements IdentityInterface
 	}
 
 	/**
+	 * @inheritdoc
+	 */
+	public static function findIdentityByAccessToken($token)
+	{
+		throw new NotSupportedException('"findIdentityByAccessToken" is not implemented.');
+	}
+
+	/**
 	 * Finds user by username
 	 *
 	 * @param string $username

apps/basic/models/User.php

@@ -8,6 +8,7 @@ class User extends \yii\base\Object implements \yii\web\IdentityInterface
 	public $username;
 	public $password;
 	public $authKey;
+	public $accessToken;
 
 	private static $users = [
 		'100' => [
@@ -15,12 +16,14 @@ class User extends \yii\base\Object implements \yii\web\IdentityInterface
 			'username' => 'admin',
 			'password' => 'admin',
 			'authKey' => 'test100key',
+			'accessToken' => '100-token',
 		],
 		'101' => [
 			'id' => '101',
 			'username' => 'demo',
 			'password' => 'demo',
 			'authKey' => 'test101key',
+			'accessToken' => '101-token',
 		],
 	];
 
@@ -33,6 +36,19 @@ class User extends \yii\base\Object implements \yii\web\IdentityInterface
 	}
 
 	/**
+	 * @inheritdoc
+	 */
+	public static function findIdentityByAccessToken($token)
+	{
+		foreach (self::$users as $user) {
+			if ($user['accessToken'] === $token) {
+				return new static($user);
+			}
+		}
+		return null;
+	}
+
+	/**
 	 * Finds user by username
 	 *
 	 * @param string $username

docs/guide/authentication.md

@@ -5,7 +5,7 @@ Authentication is the act of verifying who a user is, and is the basis of the lo
 
 In Yii, this entire process is performed semi-automatically, leaving the developer to merely implement [[yii\web\IdentityInterface]], the most important class in the authentication system. Typically, implementation of `IdentityInterface` is accomplished using the `User` model.
 
-You can find a full featured example of authentication in the
+You can find a fully featured example of authentication in the
 [advanced application template](installation.md). Below, only the interface methods are listed:
 
 ```php
@@ -25,6 +25,17 @@ class User extends ActiveRecord implements IdentityInterface
 	}
 
 	/**
+	 * Finds an identity by the given token.
+	 *
+	 * @param string $token the token to be looked for
+	 * @return IdentityInterface|null the identity object that matches the given token.
+	 */
+	public static function findIdentityByAccessToken($token)
+	{
+		return static::find(['access_token' => $token]);
+	}
+
+	/**
 	 * @return int|string current user ID
 	 */
 	public function getId()

framework/base/ArrayableTrait.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\base;
+
+use Yii;
+use yii\helpers\ArrayHelper;
+use yii\web\Link;
+use yii\web\Linkable;
+
+/**
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+trait ArrayableTrait
+{
+	/**
+	 * Returns the list of fields that should be returned by default by [[toArray()]] when no specific fields are specified.
+	 *
+	 * A field is a named element in the returned array by [[toArray()]].
+	 *
+	 * This method should return an array of field names or field definitions.
+	 * If the former, the field name will be treated as an object property name whose value will be used
+	 * as the field value. If the latter, the array key should be the field name while the array value should be
+	 * the corresponding field definition which can be either an object property name or a PHP callable
+	 * returning the corresponding field value. The signature of the callable should be:
+	 *
+	 * ```php
+	 * function ($field, $model) {
+	 *     // return field value
+	 * }
+	 * ```
+	 *
+	 * For example, the following code declares four fields:
+	 *
+	 * - `email`: the field name is the same as the property name `email`;
+	 * - `firstName` and `lastName`: the field names are `firstName` and `lastName`, and their
+	 *   values are obtained from the `first_name` and `last_name` properties;
+	 * - `fullName`: the field name is `fullName`. Its value is obtained by concatenating `first_name`
+	 *   and `last_name`.
+	 *
+	 * ```php
+	 * return [
+	 *     'email',
+	 *     'firstName' => 'first_name',
+	 *     'lastName' => 'last_name',
+	 *     'fullName' => function () {
+	 *         return $this->first_name . ' ' . $this->last_name;
+	 *     },
+	 * ];
+	 * ```
+	 *
+	 * In this method, you may also want to return different lists of fields based on some context
+	 * information. For example, depending on the privilege of the current application user,
+	 * you may return different sets of visible fields or filter out some fields.
+	 *
+	 * The default implementation of this method returns the public object member variables.
+	 *
+	 * @return array the list of field names or field definitions.
+	 * @see toArray()
+	 */
+	public function fields()
+	{
+		$fields = array_keys(Yii::getObjectVars($this));
+		return array_combine($fields, $fields);
+	}
+
+	/**
+	 * Returns the list of fields that can be expanded further and returned by [[toArray()]].
+	 *
+	 * This method is similar to [[fields()]] except that the list of fields returned
+	 * by this method are not returned by default by [[toArray()]]. Only when field names
+	 * to be expanded are explicitly specified when calling [[toArray()]], will their values
+	 * be exported.
+	 *
+	 * The default implementation returns an empty array.
+	 *
+	 * You may override this method to return a list of expandable fields based on some context information
+	 * (e.g. the current application user).
+	 *
+	 * @return array the list of expandable field names or field definitions. Please refer
+	 * to [[fields()]] on the format of the return value.
+	 * @see toArray()
+	 * @see fields()
+	 */
+	public function extraFields()
+	{
+		return [];
+	}
+
+	/**
+	 * Converts the model into an array.
+	 *
+	 * This method will first identify which fields to be included in the resulting array by calling [[resolveFields()]].
+	 * It will then turn the model into an array with these fields. If `$recursive` is true,
+	 * any embedded objects will also be converted into arrays.
+	 *
+	 * If the model implements the [[Linkable]] interface, the resulting array will also have a `_link` element
+	 * which refers to a list of links as specified by the interface.
+	 *
+	 * @param array $fields the fields being requested. If empty, all fields as specified by [[fields()]] will be returned.
+	 * @param array $expand the additional fields being requested for exporting. Only fields declared in [[extraFields()]]
+	 * will be considered.
+	 * @param boolean $recursive whether to recursively return array representation of embedded objects.
+	 * @return array the array representation of the object
+	 */
+	public function toArray(array $fields = [], array $expand = [], $recursive = true)
+	{
+		$data = [];
+		foreach ($this->resolveFields($fields, $expand) as $field => $definition) {
+			$data[$field] = is_string($definition) ? $this->$definition : call_user_func($definition, $field, $this);
+		}
+
+		if ($this instanceof Linkable) {
+			$data['_links'] = Link::serialize($this->getLinks());
+		}
+
+		return $recursive ? ArrayHelper::toArray($data) : $data;
+	}
+
+	/**
+	 * Determines which fields can be returned by [[toArray()]].
+	 * This method will check the requested fields against those declared in [[fields()]] and [[extraFields()]]
+	 * to determine which fields can be returned.
+	 * @param array $fields the fields being requested for exporting
+	 * @param array $expand the additional fields being requested for exporting
+	 * @return array the list of fields to be exported. The array keys are the field names, and the array values
+	 * are the corresponding object property names or PHP callables returning the field values.
+	 */
+	protected function resolveFields(array $fields, array $expand)
+	{
+		$result = [];
+
+		foreach ($this->fields() as $field => $definition) {
+			if (is_integer($field)) {
+				$field = $definition;
+			}
+			if (empty($fields) || in_array($field, $fields, true)) {
+				$result[$field] = $definition;
+			}
+		}
+
+		if (empty($expand)) {
+			return $result;
+		}
+
+		foreach ($this->extraFields() as $field => $definition) {
+			if (is_integer($field)) {
+				$field = $definition;
+			}
+			if (in_array($field, $expand, true)) {
+				$result[$field] = $definition;
+			}
+		}
+
+		return $result;
+	}
+}

framework/base/ErrorHandler.php

@@ -93,10 +93,9 @@ class ErrorHandler extends Component
 			return;
 		}
 
-		$useErrorView = !YII_DEBUG || $exception instanceof UserException;
-
 		$response = Yii::$app->getResponse();
-		$response->getHeaders()->removeAll();
+
+		$useErrorView = $response->format === \yii\web\Response::FORMAT_HTML && (!YII_DEBUG || $exception instanceof UserException);
 
 		if ($useErrorView && $this->errorAction !== null) {
 			$result = Yii::$app->runAction($this->errorAction);
@@ -121,7 +120,7 @@ class ErrorHandler extends Component
 				]);
 			}
 		} elseif ($exception instanceof Arrayable) {
-			$response->data = $exception;
+			$response->data = $exception->toArray();
 		} else {
 			$response->data = [
 				'type' => get_class($exception),

framework/base/Model.php

@@ -13,9 +13,12 @@ use ArrayObject;
 use ArrayIterator;
 use ReflectionClass;
 use IteratorAggregate;
+use yii\helpers\ArrayHelper;
 use yii\helpers\Inflector;
 use yii\validators\RequiredValidator;
 use yii\validators\Validator;
+use yii\web\Link;
+use yii\web\Linkable;
 
 /**
  * Model is the base class for data models.
@@ -54,11 +57,12 @@ use yii\validators\Validator;
  */
 class Model extends Component implements IteratorAggregate, ArrayAccess, Arrayable
 {
+	use ArrayableTrait;
+
 	/**
 	 * The name of the default scenario.
 	 */
 	const SCENARIO_DEFAULT = 'default';
-
 	/**
 	 * @event ModelEvent an event raised at the beginning of [[validate()]]. You may set
 	 * [[ModelEvent::isValid]] to be false to stop the validation.
@@ -516,7 +520,8 @@ class Model extends Component implements IteratorAggregate, ArrayAccess, Arrayab
 
 	/**
 	 * Returns the first error of every attribute in the model.
-	 * @return array the first errors. An empty array will be returned if there is no error.
+	 * @return array the first errors. The array keys are the attribute names, and the array
+	 * values are the corresponding error messages. An empty array will be returned if there is no error.
 	 * @see getErrors()
 	 * @see getFirstError()
 	 */
@@ -526,13 +531,13 @@ class Model extends Component implements IteratorAggregate, ArrayAccess, Arrayab
 			return [];
 		} else {
 			$errors = [];
-			foreach ($this->_errors as $attributeErrors) {
-				if (isset($attributeErrors[0])) {
-					$errors[] = $attributeErrors[0];
+			foreach ($this->_errors as $name => $es) {
+				if (!empty($es)) {
+					$errors[$name] = reset($es);
 				}
 			}
+			return $errors;
 		}
-		return $errors;
 	}
 
 	/**
@@ -789,13 +794,92 @@ class Model extends Component implements IteratorAggregate, ArrayAccess, Arrayab
 	}
 
 	/**
-	 * Converts the object into an array.
-	 * The default implementation will return [[attributes]].
-	 * @return array the array representation of the object
+	 * Returns the list of fields that should be returned by default by [[toArray()]] when no specific fields are specified.
+	 *
+	 * A field is a named element in the returned array by [[toArray()]].
+	 *
+	 * This method should return an array of field names or field definitions.
+	 * If the former, the field name will be treated as an object property name whose value will be used
+	 * as the field value. If the latter, the array key should be the field name while the array value should be
+	 * the corresponding field definition which can be either an object property name or a PHP callable
+	 * returning the corresponding field value. The signature of the callable should be:
+	 *
+	 * ```php
+	 * function ($field, $model) {
+	 *     // return field value
+	 * }
+	 * ```
+	 *
+	 * For example, the following code declares four fields:
+	 *
+	 * - `email`: the field name is the same as the property name `email`;
+	 * - `firstName` and `lastName`: the field names are `firstName` and `lastName`, and their
+	 *   values are obtained from the `first_name` and `last_name` properties;
+	 * - `fullName`: the field name is `fullName`. Its value is obtained by concatenating `first_name`
+	 *   and `last_name`.
+	 *
+	 * ```php
+	 * return [
+	 *     'email',
+	 *     'firstName' => 'first_name',
+	 *     'lastName' => 'last_name',
+	 *     'fullName' => function () {
+	 *         return $this->first_name . ' ' . $this->last_name;
+	 *     },
+	 * ];
+	 * ```
+	 *
+	 * In this method, you may also want to return different lists of fields based on some context
+	 * information. For example, depending on [[scenario]] or the privilege of the current application user,
+	 * you may return different sets of visible fields or filter out some fields.
+	 *
+	 * The default implementation of this method returns [[attributes()]] indexed by the same attribute names.
+	 *
+	 * @return array the list of field names or field definitions.
+	 * @see toArray()
+	 */
+	public function fields()
+	{
+		$fields = $this->attributes();
+		return array_combine($fields, $fields);
+	}
+
+	/**
+	 * Determines which fields can be returned by [[toArray()]].
+	 * This method will check the requested fields against those declared in [[fields()]] and [[extraFields()]]
+	 * to determine which fields can be returned.
+	 * @param array $fields the fields being requested for exporting
+	 * @param array $expand the additional fields being requested for exporting
+	 * @return array the list of fields to be exported. The array keys are the field names, and the array values
+	 * are the corresponding object property names or PHP callables returning the field values.
 	 */
-	public function toArray()
+	protected function resolveFields(array $fields, array $expand)
 	{
-		return $this->getAttributes();
+		$result = [];
+
+		foreach ($this->fields() as $field => $definition) {
+			if (is_integer($field)) {
+				$field = $definition;
+			}
+			if (empty($fields) || in_array($field, $fields, true)) {
+				$result[$field] = $definition;
+			}
+		}
+
+		if (empty($expand)) {
+			return $result;
+		}
+
+		foreach ($this->extraFields() as $field => $definition) {
+			if (is_integer($field)) {
+				$field = $definition;
+			}
+			if (in_array($field, $expand, true)) {
+				$result[$field] = $definition;
+			}
+		}
+
+		return $result;
 	}
 
 	/**

framework/base/Module.php

@@ -359,6 +359,9 @@ class Module extends Component
 				return $this->_modules[$id];
 			} elseif ($load) {
 				Yii::trace("Loading module: $id", __METHOD__);
+				if (is_array($this->_modules[$id]) && !isset($this->_modules[$id]['class'])) {
+					$this->_modules[$id]['class'] = 'yii\base\Module';
+				}
 				return $this->_modules[$id] = Yii::createObject($this->_modules[$id], $id, $this);
 			}
 		}

framework/data/Pagination.php

@@ -8,7 +8,10 @@
 namespace yii\data;
 
 use Yii;
+use yii\base\Arrayable;
 use yii\base\Object;
+use yii\web\Link;
+use yii\web\Linkable;
 use yii\web\Request;
 
 /**
@@ -65,9 +68,8 @@ use yii\web\Request;
  * @author Qiang Xue <qiang.xue@gmail.com>
  * @since 2.0
  */
-class Pagination extends Object
+class Pagination extends Object implements Linkable, Arrayable
 {
-	const LINK_SELF = 'self';
 	const LINK_NEXT = 'next';
 	const LINK_PREV = 'prev';
 	const LINK_FIRST = 'first';
@@ -301,7 +303,7 @@ class Pagination extends Object
 		$currentPage = $this->getPage();
 		$pageCount = $this->getPageCount();
 		$links = [
-			self::LINK_SELF => $this->createUrl($currentPage, $absolute),
+			Link::REL_SELF => $this->createUrl($currentPage, $absolute),
 		];
 		if ($currentPage > 0) {
 			$links[self::LINK_FIRST] = $this->createUrl(0, $absolute);
@@ -315,6 +317,19 @@ class Pagination extends Object
 	}
 
 	/**
+	 * @inheritdoc
+	 */
+	public function toArray()
+	{
+		return [
+			'totalCount' => $this->totalCount,
+			'pageCount' => $this->getPageCount(),
+			'currentPage' => $this->getPage(),
+			'perPage' => $this->getPageSize(),
+		];
+	}
+
+	/**
 	 * Returns the value of the specified query parameter.
 	 * This method returns the named parameter value from [[params]]. Null is returned if the value does not exist.
 	 * @param string $name the parameter name

framework/db/BaseActiveRecord.php

@@ -1347,4 +1347,26 @@ abstract class BaseActiveRecord extends Model implements ActiveRecordInterface
 
 		return $this->generateAttributeLabel($attribute);
 	}
+
+	/**
+	 * @inheritdoc
+	 *
+	 * The default implementation returns the names of the columns whose values have been populated into this record.
+	 */
+	public function fields()
+	{
+		$fields = array_keys($this->_attributes);
+		return array_combine($fields, $fields);
+	}
+
+	/**
+	 * @inheritdoc
+	 *
+	 * The default implementation returns the names of the relations that have been populated into this record.
+	 */
+	public function extraFields()
+	{
+		$fields = array_keys($this->getRelatedRecords());
+		return array_combine($fields, $fields);
+	}
 }

framework/helpers/BaseArrayHelper.php

@@ -58,35 +58,42 @@ class BaseArrayHelper
 	 */
 	public static function toArray($object, $properties = [], $recursive = true)
 	{
-		if (!empty($properties) && is_object($object)) {
-			$className = get_class($object);
-			if (!empty($properties[$className])) {
-				$result = [];
-				foreach ($properties[$className] as $key => $name) {
-					if (is_int($key)) {
-						$result[$name] = $object->$name;
-					} else {
-						$result[$key] = static::getValue($object, $name);
+		if (is_array($object)) {
+			if ($recursive) {
+				foreach ($object as $key => $value) {
+					if (is_array($value) || is_object($value)) {
+						$object[$key] = static::toArray($value, true);
 					}
 				}
-				return $result;
 			}
-		}
-		if ($object instanceof Arrayable) {
-			$object = $object->toArray();
-			if (!$recursive) {
-				return $object;
+			return $object;
+		} elseif (is_object($object)) {
+			if (!empty($properties)) {
+				$className = get_class($object);
+				if (!empty($properties[$className])) {
+					$result = [];
+					foreach ($properties[$className] as $key => $name) {
+						if (is_int($key)) {
+							$result[$name] = $object->$name;
+						} else {
+							$result[$key] = static::getValue($object, $name);
+						}
+					}
+					return $recursive ? static::toArray($result) : $result;
+				}
 			}
-		}
-		$result = [];
-		foreach ($object as $key => $value) {
-			if ($recursive && (is_array($value) || is_object($value))) {
-				$result[$key] = static::toArray($value, $properties, true);
+			if ($object instanceof Arrayable) {
+				$result = $object->toArray();
 			} else {
-				$result[$key] = $value;
+				$result = [];
+				foreach ($object as $key => $value) {
+					$result[$key] = $value;
+				}
 			}
+			return $recursive ? static::toArray($result) : $result;
+		} else {
+			return [$object];
 		}
-		return $result;
 	}
 
 	/**

framework/rest/Action.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use Yii;
+use yii\base\InvalidConfigException;
+use yii\db\ActiveRecordInterface;
+use yii\web\NotFoundHttpException;
+
+/**
+ * Action is the base class for action classes that implement RESTful API.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class Action extends \yii\base\Action
+{
+	/**
+	 * @var string class name of the model which will be handled by this action.
+	 * The model class must implement [[ActiveRecordInterface]].
+	 * This property must be set.
+	 */
+	public $modelClass;
+	/**
+	 * @var callable a PHP callable that will be called to return the model corresponding
+	 * to the specified primary key value. If not set, [[findModel()]] will be used instead.
+	 * The signature of the callable should be:
+	 *
+	 * ```php
+	 * function ($id, $action) {
+	 *     // $id is the primary key value. If composite primary key, the key values
+	 *     // will be separated by comma.
+	 *     // $action is the action object currently running
+	 * }
+	 * ```
+	 *
+	 * The callable should return the model found, or throw an exception if not found.
+	 */
+	public $findModel;
+	/**
+	 * @var callable a PHP callable that will be called when running an action to determine
+	 * if the current user has the permission to execute the action. If not set, the access
+	 * check will not be performed. The signature of the callable should be as follows,
+	 *
+	 * ```php
+	 * function ($action, $model = null) {
+	 *     // $model is the requested model instance.
+	 *     // If null, it means no specific model (e.g. IndexAction)
+	 * }
+	 * ```
+	 */
+	public $checkAccess;
+
+
+	/**
+	 * @inheritdoc
+	 */
+	public function init()
+	{
+		if ($this->modelClass === null) {
+			throw new InvalidConfigException(get_class($this) . '::$modelClass must be set.');
+		}
+	}
+
+	/**
+	 * Returns the data model based on the primary key given.
+	 * If the data model is not found, a 404 HTTP exception will be raised.
+	 * @param string $id the ID of the model to be loaded. If the model has a composite primary key,
+	 * the ID must be a string of the primary key values separated by commas.
+	 * The order of the primary key values should follow that returned by the `primaryKey()` method
+	 * of the model.
+	 * @return ActiveRecordInterface the model found
+	 * @throws NotFoundHttpException if the model cannot be found
+	 */
+	public function findModel($id)
+	{
+		if ($this->findModel !== null) {
+			return call_user_func($this->findModel, $id, $this);
+		}
+
+		/**
+		 * @var ActiveRecordInterface $modelClass
+		 */
+		$modelClass = $this->modelClass;
+		$keys = $modelClass::primaryKey();
+		if (count($keys) > 1) {
+			$values = explode(',', $id);
+			if (count($keys) === count($values)) {
+				$model = $modelClass::find(array_combine($keys, $values));
+			}
+		} elseif ($id !== null) {
+			$model = $modelClass::find($id);
+		}
+
+		if (isset($model)) {
+			return $model;
+		} else {
+			throw new NotFoundHttpException("Object not found: $id");
+		}
+	}
+}

framework/rest/ActiveController.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use yii\base\InvalidConfigException;
+use yii\base\Model;
+
+/**
+ * ActiveController implements a common set of actions for supporting RESTful access to ActiveRecord.
+ *
+ * The class of the ActiveRecord should be specified via [[modelClass]], which must implement [[\yii\db\ActiveRecordInterface]].
+ * By default, the following actions are supported:
+ *
+ * - `index`: list of models
+ * - `view`: return the details of a model
+ * - `create`: create a new model
+ * - `update`: update an existing model
+ * - `delete`: delete an existing model
+ * - `options`: return the allowed HTTP methods
+ *
+ * You may disable some of these actions by overriding [[actions()]] and unsetting the corresponding actions.
+ *
+ * To add a new action, either override [[actions()]] by appending a new action class or write a new action method.
+ * Make sure you also override [[verbs()]] to properly declare what HTTP methods are allowed by the new action.
+ *
+ * You should usually override [[checkAccess()]] to check whether the current user has the privilege to perform
+ * the specified action against the specified model.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class ActiveController extends Controller
+{
+	/**
+	 * @var string the model class name. This property must be set.
+	 */
+	public $modelClass;
+	/**
+	 * @var string the scenario used for updating a model.
+	 * @see \yii\base\Model::scenarios()
+	 */
+	public $updateScenario = Model::SCENARIO_DEFAULT;
+	/**
+	 * @var string the scenario used for creating a model.
+	 * @see \yii\base\Model::scenarios()
+	 */
+	public $createScenario = Model::SCENARIO_DEFAULT;
+	/**
+	 * @var boolean whether to use a DB transaction when creating, updating or deleting a model.
+	 * This property is only useful for relational database.
+	 */
+	public $transactional = true;
+
+
+	/**
+	 * @inheritdoc
+	 */
+	public function init()
+	{
+		parent::init();
+		if ($this->modelClass === null) {
+			throw new InvalidConfigException('The "modelClass" property must be set.');
+		}
+	}
+
+	/**
+	 * @inheritdoc
+	 */
+	public function actions()
+	{
+		return [
+			'index' => [
+				'class' => 'yii\rest\IndexAction',
+				'modelClass' => $this->modelClass,
+				'checkAccess' => [$this, 'checkAccess'],
+			],
+			'view' => [
+				'class' => 'yii\rest\ViewAction',
+				'modelClass' => $this->modelClass,
+				'checkAccess' => [$this, 'checkAccess'],
+			],
+			'create' => [
+				'class' => 'yii\rest\CreateAction',
+				'modelClass' => $this->modelClass,
+				'checkAccess' => [$this, 'checkAccess'],
+				'scenario' => $this->createScenario,
+				'transactional' => $this->transactional,
+			],
+			'update' => [
+				'class' => 'yii\rest\UpdateAction',
+				'modelClass' => $this->modelClass,
+				'checkAccess' => [$this, 'checkAccess'],
+				'scenario' => $this->updateScenario,
+				'transactional' => $this->transactional,
+			],
+			'delete' => [
+				'class' => 'yii\rest\DeleteAction',
+				'modelClass' => $this->modelClass,
+				'checkAccess' => [$this, 'checkAccess'],
+				'transactional' => $this->transactional,
+			],
+			'options' => [
+				'class' => 'yii\rest\OptionsAction',
+			],
+		];
+	}
+
+	/**
+	 * @inheritdoc
+	 */
+	protected function verbs()
+	{
+		return [
+			'index' => ['GET', 'HEAD'],
+			'view' => ['GET', 'HEAD'],
+			'create' => ['POST'],
+			'update' => ['PUT', 'PATCH'],
+			'delete' => ['DELETE'],
+		];
+	}
+}

framework/rest/AuthInterface.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use yii\web\User;
+use yii\web\Request;
+use yii\web\Response;
+use yii\web\IdentityInterface;
+use yii\web\UnauthorizedHttpException;
+
+/**
+ * AuthInterface is the interface required by classes that support user authentication.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+interface AuthInterface
+{
+	/**
+	 * Authenticates the current user.
+	 *
+	 * @param User $user
+	 * @param Request $request
+	 * @param Response $response
+	 * @return IdentityInterface the authenticated user identity. If authentication information is not provided, null will be returned.
+	 * @throws UnauthorizedHttpException if authentication information is provided but is invalid.
+	 */
+	public function authenticate($user, $request, $response);
+	/**
+	 * Handles authentication failure.
+	 * The implementation should normally throw UnauthorizedHttpException to indicate authentication failure.
+	 * @param Response $response
+	 * @throws UnauthorizedHttpException
+	 */
+	public function handleFailure($response);
+}

framework/rest/Controller.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use Yii;
+use yii\base\InvalidConfigException;
+use yii\web\Response;
+use yii\web\UnauthorizedHttpException;
+use yii\web\UnsupportedMediaTypeHttpException;
+use yii\web\TooManyRequestsHttpException;
+use yii\web\VerbFilter;
+use yii\web\ForbiddenHttpException;
+
+/**
+ * Controller is the base class for RESTful API controller classes.
+ *
+ * Controller implements the following steps in a RESTful API request handling cycle:
+ *
+ * 1. Resolving response format and API version number (see [[supportedFormats]], [[supportedVersions]] and [[version]]);
+ * 2. Validating request method (see [[verbs()]]).
+ * 3. Authenticating user (see [[authenticate()]]);
+ * 4. Formatting response data (see [[serializeData()]]).
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class Controller extends \yii\web\Controller
+{
+	/**
+	 * @var string the name of the header parameter representing the API version number.
+	 */
+	public $versionHeaderParam = 'version';
+	/**
+	 * @var string|array the configuration for creating the serializer that formats the response data.
+	 */
+	public $serializer = 'yii\rest\Serializer';
+	/**
+	 * @inheritdoc
+	 */
+	public $enableCsrfValidation = false;
+	/**
+	 * @var array the supported authentication methods. This property should take a list of supported
+	 * authentication methods, each represented by an authentication class or configuration.
+	 * If this is not set or empty, it means authentication is disabled.
+	 */
+	public $authMethods;
+	/**
+	 * @var string|array the rate limiter class or configuration. If this is not set or empty,
+	 * the rate limiting will be disabled. Note that if the user is not authenticated, the rate limiting
+	 * will also NOT be performed.
+	 * @see checkRateLimit()
+	 * @see authMethods
+	 */
+	public $rateLimiter = 'yii\rest\RateLimiter';
+	/**
+	 * @var string the chosen API version number, or null if [[supportedVersions]] is empty.
+	 * @see supportedVersions
+	 */
+	public $version;
+	/**
+	 * @var array list of supported API version numbers. If the current request does not specify a version
+	 * number, the first element will be used as the [[version|chosen version number]]. For this reason, you should
+	 * put the latest version number at the first. If this property is empty, [[version]] will not be set.
+	 */
+	public $supportedVersions = [];
+	/**
+	 * @var array list of supported response formats. The array keys are the requested content MIME types,
+	 * and the array values are the corresponding response formats. The first element will be used
+	 * as the response format if the current request does not specify a content type.
+	 */
+	public $supportedFormats = [
+		'application/json' => Response::FORMAT_JSON,
+		'application/xml' => Response::FORMAT_XML,
+	];
+
+	/**
+	 * @inheritdoc
+	 */
+	public function behaviors()
+	{
+		return [
+			'verbFilter' => [
+				'class' => VerbFilter::className(),
+				'actions' => $this->verbs(),
+			],
+		];
+	}
+
+	/**
+	 * @inheritdoc
+	 */
+	public function init()
+	{
+		parent::init();
+		$this->resolveFormatAndVersion();
+	}
+
+	/**
+	 * @inheritdoc
+	 */
+	public function beforeAction($action)
+	{
+		if (parent::beforeAction($action)) {
+			$this->authenticate();
+			$this->checkRateLimit($action);
+			return true;
+		} else {
+			return false;
+		}
+	}
+
+	/**
+	 * @inheritdoc
+	 */
+	public function afterAction($action, $result)
+	{
+		$result = parent::afterAction($action, $result);
+		return $this->serializeData($result);
+	}
+
+	/**
+	 * Resolves the response format and the API version number.
+	 * @throws UnsupportedMediaTypeHttpException
+	 */
+	protected function resolveFormatAndVersion()
+	{
+		$this->version = empty($this->supportedVersions) ? null : reset($this->supportedVersions);
+		Yii::$app->getResponse()->format = reset($this->supportedFormats);
+		$types = Yii::$app->getRequest()->getAcceptableContentTypes();
+		if (empty($types)) {
+			$types['*/*'] = [];
+		}
+
+		foreach ($types as $type => $params) {
+			if (isset($this->supportedFormats[$type])) {
+				Yii::$app->getResponse()->format = $this->supportedFormats[$type];
+				if (isset($params[$this->versionHeaderParam])) {
+					if (in_array($params[$this->versionHeaderParam], $this->supportedVersions, true)) {
+						$this->version = $params[$this->versionHeaderParam];
+					} else {
+						throw new UnsupportedMediaTypeHttpException('You are requesting an invalid version number.');
+					}
+				}
+				return;
+			}
+		}
+
+		if (!isset($types['*/*'])) {
+			throw new UnsupportedMediaTypeHttpException('None of your requested content types is supported.');
+		}
+	}
+
+	/**
+	 * Declares the allowed HTTP verbs.
+	 * Please refer to [[VerbFilter::actions]] on how to declare the allowed verbs.
+	 * @return array the allowed HTTP verbs.
+	 */
+	protected function verbs()
+	{
+		return [];
+	}
+
+	/**
+	 * Authenticates the user.
+	 * This method implements the user authentication based on an access token sent through the `Authorization` HTTP header.
+	 * @throws UnauthorizedHttpException if the user is not authenticated successfully
+	 */
+	protected function authenticate()
+	{
+		if (empty($this->authMethods)) {
+			return;
+		}
+
+		$user = Yii::$app->getUser();
+		$request = Yii::$app->getRequest();
+		$response = Yii::$app->getResponse();
+		foreach ($this->authMethods as $i => $auth) {
+			$this->authMethods[$i] = $auth = Yii::createObject($auth);
+			if (!$auth instanceof AuthInterface) {
+				throw new InvalidConfigException(get_class($auth) . ' must implement yii\rest\AuthInterface');
+			} elseif ($auth->authenticate($user, $request, $response) !== null) {
+				return;
+			}
+		}
+
+		/** @var AuthInterface $auth */
+		$auth = reset($this->authMethods);
+		$auth->handleFailure($response);
+	}
+
+	/**
+	 * Ensures the rate limit is not exceeded.
+	 *
+	 * This method will use [[rateLimiter]] to check rate limit. In order to perform rate limiting check,
+	 * the user must be authenticated and the user identity object (`Yii::$app->user->identity`) must
+	 * implement [[RateLimitInterface]].
+	 *
+	 * @param \yii\base\Action $action the action to be executed
+	 * @throws TooManyRequestsHttpException if the rate limit is exceeded.
+	 */
+	protected function checkRateLimit($action)
+	{
+		if (empty($this->rateLimiter)) {
+			return;
+		}
+
+		$identity = Yii::$app->getUser()->getIdentity(false);
+		if ($identity instanceof RateLimitInterface) {
+			/** @var RateLimiter $rateLimiter */
+			$rateLimiter = Yii::createObject($this->rateLimiter);
+			$rateLimiter->check($identity, Yii::$app->getRequest(), Yii::$app->getResponse(), $action);
+		}
+	}
+
+	/**
+	 * Serializes the specified data.
+	 * The default implementation will create a serializer based on the configuration given by [[serializer]].
+	 * It then uses the serializer to serialize the given data.
+	 * @param mixed $data the data to be serialized
+	 * @return mixed the serialized data.
+	 */
+	protected function serializeData($data)
+	{
+		return Yii::createObject($this->serializer)->serialize($data);
+	}
+
+	/**
+	 * Checks the privilege of the current user.
+	 *
+	 * This method should be overridden to check whether the current user has the privilege
+	 * to run the specified action against the specified data model.
+	 * If the user does not have access, a [[ForbiddenHttpException]] should be thrown.
+	 *
+	 * @param string $action the ID of the action to be executed
+	 * @param object $model the model to be accessed. If null, it means no specific model is being accessed.
+	 * @param array $params additional parameters
+	 * @throws ForbiddenHttpException if the user does not have access
+	 */
+	public function checkAccess($action, $model = null, $params = [])
+	{
+	}
+}

framework/rest/CreateAction.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use Yii;
+use yii\base\Model;
+use yii\db\ActiveRecord;
+
+/**
+ * CreateAction implements the API endpoint for creating a new model from the given data.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class CreateAction extends Action
+{
+	/**
+	 * @var string the scenario to be assigned to the new model before it is validated and saved.
+	 */
+	public $scenario = Model::SCENARIO_DEFAULT;
+	/**
+	 * @var boolean whether to start a DB transaction when saving the model.
+	 */
+	public $transactional = true;
+	/**
+	 * @var string the name of the view action. This property is need to create the URL when the mode is successfully created.
+	 */
+	public $viewAction = 'view';
+
+
+	/**
+	 * Creates a new model.
+	 * @return \yii\db\ActiveRecordInterface the model newly created
+	 * @throws \Exception if there is any error when creating the model
+	 */
+	public function run()
+	{
+		if ($this->checkAccess) {
+			call_user_func($this->checkAccess, $this->id);
+		}
+
+		/**
+		 * @var \yii\db\ActiveRecord $model
+		 */
+		$model = new $this->modelClass([
+			'scenario' => $this->scenario,
+		]);
+
+		$model->load(Yii::$app->getRequest()->getBodyParams(), '');
+
+		if ($this->transactional && $model instanceof ActiveRecord) {
+			if ($model->validate()) {
+				$transaction = $model->getDb()->beginTransaction();
+				try {
+					$model->insert(false);
+					$transaction->commit();
+				} catch (\Exception $e) {
+					$transaction->rollback();
+					throw $e;
+				}
+			}
+		} else {
+			$model->save();
+		}
+
+		if (!$model->hasErrors()) {
+			$response = Yii::$app->getResponse();
+			$response->setStatusCode(201);
+			$id = implode(',', array_values($model->getPrimaryKey(true)));
+			$response->getHeaders()->set('Location', $this->controller->createAbsoluteUrl([$this->viewAction, 'id' => $id]));
+		}
+
+		return $model;
+	}
+}

framework/rest/DeleteAction.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use Yii;
+use yii\db\ActiveRecord;
+
+/**
+ * DeleteAction implements the API endpoint for deleting a model.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class DeleteAction extends Action
+{
+	/**
+	 * @var boolean whether to start a DB transaction when deleting the model.
+	 */
+	public $transactional = true;
+
+
+	/**
+	 * Deletes a model.
+	 */
+	public function run($id)
+	{
+		$model = $this->findModel($id);
+
+		if ($this->checkAccess) {
+			call_user_func($this->checkAccess, $this->id, $model);
+		}
+
+		if ($this->transactional && $model instanceof ActiveRecord) {
+			$transaction = $model->getDb()->beginTransaction();
+			try {
+				$model->delete();
+				$transaction->commit();
+			} catch (\Exception $e) {
+				$transaction->rollback();
+				throw $e;
+			}
+		} else {
+			$model->delete();
+		}
+
+		Yii::$app->getResponse()->setStatusCode(204);
+	}
+}

framework/rest/HttpBasicAuth.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use Yii;
+use yii\base\Component;
+use yii\web\UnauthorizedHttpException;
+
+/**
+ * HttpBasicAuth implements the HTTP Basic authentication method.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class HttpBasicAuth extends Component implements AuthInterface
+{
+	/**
+	 * @var string the HTTP authentication realm
+	 */
+	public $realm = 'api';
+
+	/**
+	 * @inheritdoc
+	 */
+	public function authenticate($user, $request, $response)
+	{
+		if (($accessToken = $request->getAuthUser()) !== null) {
+			$identity = $user->loginByAccessToken($accessToken);
+			if ($identity !== null) {
+				return $identity;
+			}
+			$this->handleFailure($response);
+		}
+		return null;
+	}
+
+	/**
+	 * @inheritdoc
+	 */
+	public function handleFailure($response)
+	{
+		$response->getHeaders()->set('WWW-Authenticate', "Basic realm=\"{$this->realm}\"");
+		throw new UnauthorizedHttpException('You are requesting with an invalid access token.');
+	}
+}

framework/rest/HttpBearerAuth.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use Yii;
+use yii\base\Component;
+use yii\web\UnauthorizedHttpException;
+
+/**
+ * HttpBearerAuth implements the authentication method based on HTTP Bearer token.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class HttpBearerAuth extends Component implements AuthInterface
+{
+	/**
+	 * @var string the HTTP authentication realm
+	 */
+	public $realm = 'api';
+
+	/**
+	 * @inheritdoc
+	 */
+	public function authenticate($user, $request, $response)
+	{
+		$authHeader = $request->getHeaders()->get('Authorization');
+		if ($authHeader !== null && preg_match("/^Bearer\\s+(.*?)$/", $authHeader, $matches)) {
+			$identity = $user->loginByAccessToken($matches[1]);
+			if ($identity !== null) {
+				return $identity;
+			}
+
+			$this->handleFailure($response);
+		}
+		return null;
+	}
+
+	/**
+	 * @inheritdoc
+	 */
+	public function handleFailure($response)
+	{
+		$response->getHeaders()->set('WWW-Authenticate', "Basic realm=\"{$this->realm}\"");
+		throw new UnauthorizedHttpException('You are requesting with an invalid access token.');
+	}
+}

framework/rest/IndexAction.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use Yii;
+use yii\data\ActiveDataProvider;
+
+/**
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class IndexAction extends Action
+{
+	/**
+	 * @var callable a PHP callable that will be called to prepare a data provider that
+	 * should return a collection of the models. If not set, [[prepareDataProvider()]] will be used instead.
+	 * The signature of the callable should be:
+	 *
+	 * ```php
+	 * function ($action) {
+	 *     // $action is the action object currently running
+	 * }
+	 * ```
+	 *
+	 * The callable should return an instance of [[ActiveDataProvider]].
+	 */
+	public $prepareDataProvider;
+
+
+	/**
+	 * @return ActiveDataProvider
+	 */
+	public function run()
+	{
+		if ($this->checkAccess) {
+			call_user_func($this->checkAccess, $this->id);
+		}
+
+		return $this->prepareDataProvider();
+	}
+
+	/**
+	 * Prepares the data provider that should return the requested collection of the models.
+	 * @return ActiveDataProvider
+	 */
+	protected function prepareDataProvider()
+	{
+		if ($this->prepareDataProvider !== null) {
+			return call_user_func($this->prepareDataProvider, $this);
+		}
+
+		/**
+		 * @var \yii\db\BaseActiveRecord $modelClass
+		 */
+		$modelClass = $this->modelClass;
+		return new ActiveDataProvider([
+			'query' => $modelClass::find(),
+		]);
+	}
+}

framework/rest/OptionsAction.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use Yii;
+
+/**
+ * OptionsAction responds to the OPTIONS request by sending back an `Allow` header.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class OptionsAction extends \yii\base\Action
+{
+	/**
+	 * @var array the HTTP verbs that are supported by the collection URL
+	 */
+	public $collectionOptions = ['GET', 'POST', 'HEAD', 'OPTIONS'];
+	/**
+	 * @var array the HTTP verbs that are supported by the resource URL
+	 */
+	public $resourceOptions = ['GET', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'];
+
+
+	/**
+	 * Responds to the OPTIONS request.
+	 * @param string $id
+	 */
+	public function run($id = null)
+	{
+		if (Yii::$app->getRequest()->getMethod() !== 'OPTIONS') {
+			Yii::$app->getResponse()->setStatusCode(405);
+		}
+		$options = $id === null ? $this->collectionOptions : $this->resourceOptions;
+		Yii::$app->getResponse()->getHeaders()->set('Allow', implode(', ', $options));
+	}
+}

framework/rest/QueryParamAuth.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use Yii;
+use yii\base\Component;
+use yii\web\UnauthorizedHttpException;
+
+/**
+ * QueryParamAuth implements the authentication method based on the access token passed through a query parameter.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class QueryParamAuth extends Component implements AuthInterface
+{
+	/**
+	 * @var string the parameter name for passing the access token
+	 */
+	public $tokenParam = 'access-token';
+
+	/**
+	 * @inheritdoc
+	 */
+	public function authenticate($user, $request, $response)
+	{
+		$accessToken = $request->get($this->tokenParam);
+		if (is_string($accessToken)) {
+			$identity = $user->loginByAccessToken($accessToken);
+			if ($identity !== null) {
+				return $identity;
+			}
+		}
+		if ($accessToken !== null) {
+			$this->handleFailure($response);
+		}
+		return null;
+	}
+
+	/**
+	 * @inheritdoc
+	 */
+	public function handleFailure($response)
+	{
+		throw new UnauthorizedHttpException('You are requesting with an invalid access token.');
+	}
+}

framework/rest/RateLimitInterface.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+/**
+ * RateLimitInterface is the interface that may be implemented by an identity object to enforce rate limiting.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+interface RateLimitInterface
+{
+	/**
+	 * Returns the maximum number of allowed requests and the window size.
+	 * @param array $params the additional parameters associated with the rate limit.
+	 * @return array an array of two elements. The first element is the maximum number of allowed requests,
+	 * and the second element is the size of the window in seconds.
+	 */
+	public function getRateLimit($params = []);
+	/**
+	 * Loads the number of allowed requests and the corresponding timestamp from a persistent storage.
+	 * @param array $params the additional parameters associated with the rate limit.
+	 * @return array an array of two elements. The first element is the number of allowed requests,
+	 * and the second element is the corresponding UNIX timestamp.
+	 */
+	public function loadAllowance($params = []);
+	/**
+	 * Saves the number of allowed requests and the corresponding timestamp to a persistent storage.
+	 * @param integer $allowance the number of allowed requests remaining.
+	 * @param integer $timestamp the current timestamp.
+	 * @param array $params the additional parameters associated with the rate limit.
+	 */
+	public function saveAllowance($allowance, $timestamp, $params = []);
+}

framework/rest/RateLimiter.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use yii\base\Component;
+use yii\base\Action;
+use yii\web\Request;
+use yii\web\Response;
+use yii\web\TooManyRequestsHttpException;
+
+/**
+ * RateLimiter implements a rate limiting algorithm based on the [leaky bucket algorithm](http://en.wikipedia.org/wiki/Leaky_bucket).
+ *
+ * You may call [[check()]] to enforce rate limiting.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class RateLimiter extends Component
+{
+	/**
+	 * @var boolean whether to include rate limit headers in the response
+	 */
+	public $enableRateLimitHeaders = true;
+	/**
+	 * @var string the message to be displayed when rate limit exceeds
+	 */
+	public $errorMessage = 'Rate limit exceeded.';
+
+	/**
+	 * Checks whether the rate limit exceeds.
+	 * @param RateLimitInterface $user the current user
+	 * @param Request $request
+	 * @param Response $response
+	 * @param Action $action the action to be executed
+	 * @throws TooManyRequestsHttpException if rate limit exceeds
+	 */
+	public function check($user, $request, $response, $action)
+	{
+		$current = time();
+		$params = [
+			'request' => $request,
+			'action' => $action,
+		];
+
+		list ($limit, $window) = $user->getRateLimit($params);
+		list ($allowance, $timestamp) = $user->loadAllowance($params);
+
+		$allowance += (int)(($current - $timestamp) * $limit / $window);
+		if ($allowance > $limit) {
+			$allowance = $limit;
+		}
+
+		if ($allowance < 1) {
+			$user->saveAllowance(0, $current, $params);
+			$this->addRateLimitHeaders($response, $limit, 0, $window);
+			throw new TooManyRequestsHttpException($this->errorMessage);
+		} else {
+			$user->saveAllowance($allowance - 1, $current, $params);
+			$this->addRateLimitHeaders($response, $limit, 0, (int)(($limit - $allowance) * $window / $limit));
+		}
+	}
+
+	/**
+	 * Adds the rate limit headers to the response
+	 * @param Response $response
+	 * @param integer $limit the maximum number of allowed requests during a period
+	 * @param integer $remaining the remaining number of allowed requests within the current period
+	 * @param integer $reset the number of seconds to wait before having maximum number of allowed requests again
+	 */
+	protected function addRateLimitHeaders($response, $limit, $remaining, $reset)
+	{
+		if ($this->enableRateLimitHeaders) {
+			$response->getHeaders()
+				->set('X-Rate-Limit-Limit', $limit)
+				->set('X-Rate-Limit-Remaining', $remaining)
+				->set('X-Rate-Limit-Reset', $reset);
+		}
+	}
+}

framework/rest/Serializer.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use Yii;
+use yii\base\Component;
+use yii\base\Model;
+use yii\data\DataProviderInterface;
+use yii\data\Pagination;
+use yii\helpers\ArrayHelper;
+use yii\web\Link;
+use yii\web\Request;
+use yii\web\Response;
+
+/**
+ * Serializer converts resource objects and collections into array representation.
+ *
+ * Serializer is mainly used by REST controllers to convert different objects into array representation
+ * so that they can be further turned into different formats, such as JSON, XML, by response formatters.
+ *
+ * The default implementation handles resources as [[Model]] objects and collections as objects
+ * implementing [[DataProviderInterface]]. You may override [[serialize()]] to handle more types.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class Serializer extends Component
+{
+	/**
+	 * @var string the name of the query parameter containing the information about which fields should be returned
+	 * for a [[Model]] object. If the parameter is not provided or empty, the default set of fields as defined
+	 * by [[Model::fields()]] will be returned.
+	 */
+	public $fieldsParam = 'fields';
+	/**
+	 * @var string the name of the query parameter containing the information about which fields should be returned
+	 * in addition to those listed in [[fieldsParam]] for a resource object.
+	 */
+	public $expandParam = 'expand';
+	/**
+	 * @var string the name of the HTTP header containing the information about total number of data items.
+	 * This is used when serving a resource collection with pagination.
+	 */
+	public $totalCountHeader = 'X-Pagination-Total-Count';
+	/**
+	 * @var string the name of the HTTP header containing the information about total number of pages of data.
+	 * This is used when serving a resource collection with pagination.
+	 */
+	public $pageCountHeader = 'X-Pagination-Page-Count';
+	/**
+	 * @var string the name of the HTTP header containing the information about the current page number (1-based).
+	 * This is used when serving a resource collection with pagination.
+	 */
+	public $currentPageHeader = 'X-Pagination-Current-Page';
+	/**
+	 * @var string the name of the HTTP header containing the information about the number of data items in each page.
+	 * This is used when serving a resource collection with pagination.
+	 */
+	public $perPageHeader = 'X-Pagination-Per-Page';
+	/**
+	 * @var string the name of the envelope (e.g. `items`) for returning the resource objects in a collection.
+	 * This is used when serving a resource collection. When this is set and pagination is enabled, the serializer
+	 * will return a collection in the following format:
+	 *
+	 * ```php
+	 * [
+	 *     'items' => [...],  // assuming collectionEnvelope is "items"
+	 *     '_links' => {  // pagination links as returned by Pagination::getLinks()
+	 *         'self' => '...',
+	 *         'next' => '...',
+	 *         'last' => '...',
+	 *     },
+	 *     '_meta' => {  // meta information as returned by Pagination::toArray()
+	 *         'totalCount' => 100,
+	 *         'pageCount' => 5,
+	 *         'currentPage' => 1,
+	 *         'perPage' => 20,
+	 *     },
+	 * ]
+	 * ```
+	 *
+	 * If this property is not set, the resource arrays will be directly returned without using envelope.
+	 * The pagination information as shown in `_links` and `_meta` can be accessed from the response HTTP headers.
+	 */
+	public $collectionEnvelope;
+	/**
+	 * @var Request the current request. If not set, the `request` application component will be used.
+	 */
+	public $request;
+	/**
+	 * @var Response the response to be sent. If not set, the `response` application component will be used.
+	 */
+	public $response;
+
+	/**
+	 * @inheritdoc
+	 */
+	public function init()
+	{
+		if ($this->request === null) {
+			$this->request = Yii::$app->getRequest();
+		}
+		if ($this->response === null) {
+			$this->response = Yii::$app->getResponse();
+		}
+	}
+
+	/**
+	 * Serializes the given data into a format that can be easily turned into other formats.
+	 * This method mainly converts the objects of recognized types into array representation.
+	 * It will not do conversion for unknown object types or non-object data.
+	 * The default implementation will handle [[Model]] and [[DataProviderInterface]].
+	 * You may override this method to support more object types.
+	 * @param mixed $data the data to be serialized.
+	 * @return mixed the converted data.
+	 */
+	public function serialize($data)
+	{
+		if ($data instanceof Model) {
+			return $data->hasErrors() ? $this->serializeModelErrors($data) : $this->serializeModel($data);
+		} elseif ($data instanceof DataProviderInterface) {
+			return $this->serializeDataProvider($data);
+		} else {
+			return $data;
+		}
+	}
+
+	/**
+	 * @return array the names of the requested fields. The first element is an array
+	 * representing the list of default fields requested, while the second element is
+	 * an array of the extra fields requested in addition to the default fields.
+	 * @see Model::fields()
+	 * @see Model::extraFields()
+	 */
+	protected function getRequestedFields()
+	{
+		$fields = $this->request->get($this->fieldsParam);
+		$expand = $this->request->get($this->expandParam);
+		return [
+			preg_split('/\s*,\s*/', $fields, -1, PREG_SPLIT_NO_EMPTY),
+			preg_split('/\s*,\s*/', $expand, -1, PREG_SPLIT_NO_EMPTY),
+		];
+	}
+
+	/**
+	 * Serializes a data provider.
+	 * @param DataProviderInterface $dataProvider
+	 * @return array the array representation of the data provider.
+	 */
+	protected function serializeDataProvider($dataProvider)
+	{
+		$models = $this->serializeModels($dataProvider->getModels());
+
+		if (($pagination = $dataProvider->getPagination()) !== false) {
+			$this->addPaginationHeaders($pagination);
+		}
+
+		if ($this->request->getIsHead()) {
+			return null;
+		} elseif ($this->collectionEnvelope === null) {
+			return $models;
+		} else {
+			$result = [
+				$this->collectionEnvelope => $models,
+			];
+			if ($pagination !== false) {
+				$result['_links'] = Link::serialize($pagination->getLinks());
+				$result['_meta'] = $pagination->toArray();
+			}
+			return $result;
+		}
+	}
+
+	/**
+	 * Adds HTTP headers about the pagination to the response.
+	 * @param Pagination $pagination
+	 */
+	protected function addPaginationHeaders($pagination)
+	{
+		$links = [];
+		foreach ($pagination->getLinks(true) as $rel => $url) {
+			$links[] = "<$url>; rel=$rel";
+		}
+
+		$this->response->getHeaders()
+			->set($this->totalCountHeader, $pagination->totalCount)
+			->set($this->pageCountHeader, $pagination->getPageCount())
+			->set($this->currentPageHeader, $pagination->getPage() + 1)
+			->set($this->perPageHeader, $pagination->pageSize)
+			->set('Link', implode(', ', $links));
+	}
+
+	/**
+	 * Serializes a model object.
+	 * @param Model $model
+	 * @return array the array representation of the model
+	 */
+	protected function serializeModel($model)
+	{
+		if ($this->request->getIsHead()) {
+			return null;
+		} else {
+			list ($fields, $expand) = $this->getRequestedFields();
+			return $model->toArray($fields, $expand);
+		}
+	}
+
+	/**
+	 * Serializes the validation errors in a model.
+	 * @param Model $model
+	 * @return array the array representation of the errors
+	 */
+	protected function serializeModelErrors($model)
+	{
+		$this->response->setStatusCode(422, 'Data Validation Failed.');
+		$result = [];
+		foreach ($model->getFirstErrors() as $name => $message) {
+			$result[] = [
+				'field' => $name,
+				'message' => $message,
+			];
+		}
+		return $result;
+	}
+
+	/**
+	 * Serializes a set of models.
+	 * @param array $models
+	 * @return array the array representation of the models
+	 */
+	protected function serializeModels(array $models)
+	{
+		list ($fields, $expand) = $this->getRequestedFields();
+		foreach ($models as $i => $model) {
+			if ($model instanceof Model) {
+				$models[$i] = $model->toArray($fields, $expand);
+			} elseif (is_array($model)) {
+				$models[$i] = ArrayHelper::toArray($model);
+			}
+		}
+		return $models;
+	}
+}

framework/rest/UpdateAction.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use Yii;
+use yii\base\Model;
+use yii\db\ActiveRecord;
+
+/**
+ * UpdateAction implements the API endpoint for updating a model.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class UpdateAction extends Action
+{
+	/**
+	 * @var string the scenario to be assigned to the model before it is validated and updated.
+	 */
+	public $scenario = Model::SCENARIO_DEFAULT;
+	/**
+	 * @var boolean whether to start a DB transaction when saving the model.
+	 */
+	public $transactional = true;
+
+
+	/**
+	 * Updates an existing model.
+	 * @param string $id the primary key of the model.
+	 * @return \yii\db\ActiveRecordInterface the model being updated
+	 * @throws \Exception if there is any error when updating the model
+	 */
+	public function run($id)
+	{
+		/** @var ActiveRecord $model */
+		$model = $this->findModel($id);
+
+		if ($this->checkAccess) {
+			call_user_func($this->checkAccess, $this->id, $model);
+		}
+
+		$model->scenario = $this->scenario;
+		$model->load(Yii::$app->getRequest()->getBodyParams(), '');
+
+		if ($this->transactional && $model instanceof ActiveRecord) {
+			if ($model->validate()) {
+				$transaction = $model->getDb()->beginTransaction();
+				try {
+					$model->update(false);
+					$transaction->commit();
+				} catch (\Exception $e) {
+					$transaction->rollback();
+					throw $e;
+				}
+			}
+		} else {
+			$model->save();
+		}
+
+		return $model;
+	}
+}

framework/rest/UrlRule.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use Yii;
+use yii\base\InvalidConfigException;
+use yii\helpers\Inflector;
+use yii\web\CompositeUrlRule;
+
+/**
+ * UrlRule is provided to simplify the creation of URL rules for RESTful API support.
+ *
+ * The simplest usage of UrlRule is to declare a rule like the following in the application configuration,
+ *
+ * ```php
+ * [
+ *     'class' => 'yii\rest\UrlRule',
+ *     'controller' => 'user',
+ * ]
+ * ```
+ *
+ * The above code will create a whole set of URL rules supporting the following RESTful API endpoints:
+ *
+ * - `'PUT,PATCH users/<id>' => 'user/update'`: update a user
+ * - `'DELETE users/<id>' => 'user/delete'`: delete a user
+ * - `'GET,HEAD users/<id>' => 'user/view'`: return the details/overview/options of a user
+ * - `'POST users' => 'user/create'`: create a new user
+ * - `'GET,HEAD users' => 'user/index'`: return a list/overview/options of users
+ * - `'users/<id>' => 'user/options'`: process all unhandled verbs of a user
+ * - `'users' => 'user/options'`: process all unhandled verbs of user collection
+ *
+ * You may configure [[only]] and/or [[except]] to disable some of the above rules.
+ * You may configure [[patterns]] to completely redefine your own list of rules.
+ * You may configure [[controller]] with multiple controller IDs to generate rules for all these controllers.
+ * For example, the following code will disable the `delete` rule and generate rules for both `user` and `post` controllers:
+ *
+ * ```php
+ * [
+ *     'class' => 'yii\rest\UrlRule',
+ *     'controller' => ['user', 'post'],
+ *     'except' => ['delete'],
+ * ]
+ * ```
+ *
+ * The property [[controller]] is required and should be the controller ID. It should be prefixed with
+ * the module ID if the controller is within a module.
+ *
+ * The controller ID used in the pattern will be automatically pluralized (e.g. `user` becomes `users`
+ * as shown in the above examples). You may configure [[urlName]] to explicitly specify the controller ID
+ * in the pattern.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class UrlRule extends CompositeUrlRule
+{
+	/**
+	 * @var string the common prefix string shared by all patterns.
+	 */
+	public $prefix;
+	/**
+	 * @var string the suffix that will be assigned to [[\yii\web\UrlRule::suffix]] for every generated rule.
+	 */
+	public $suffix;
+	/**
+	 * @var string|array the controller ID (e.g. `user`, `post-comment`) that the rules in this composite rule
+	 * are dealing with. It should be prefixed with the module ID if the controller is within a module (e.g. `admin/user`).
+	 *
+	 * By default, the controller ID will be pluralized automatically when it is put in the patterns of the
+	 * generated rules. If you want to explicitly specify how the controller ID should appear in the patterns,
+	 * you may use an array with the array key being as the controller ID in the pattern, and the array value
+	 * the actual controller ID. For example, `['u' => 'user']`.
+	 *
+	 * You may also pass multiple controller IDs as an array. If this is the case, this composite rule will
+	 * generate applicable URL rules for EVERY specified controller. For example, `['user', 'post']`.
+	 */
+	public $controller;
+	/**
+	 * @var array list of acceptable actions. If not empty, only the actions within this array
+	 * will have the corresponding URL rules created.
+	 * @see patterns
+	 */
+	public $only = [];
+	/**
+	 * @var array list of actions that should be excluded. Any action found in this array
+	 * will NOT have its URL rules created.
+	 * @see patterns
+	 */
+	public $except = [];
+	/**
+	 * @var array patterns for supporting extra actions in addition to those listed in [[patterns]].
+	 * The keys are the patterns and the values are the corresponding action IDs.
+	 * These extra patterns will take precedence over [[patterns]].
+	 */
+	public $extraPatterns = [];
+	/**
+	 * @var array list of tokens that should be replaced for each pattern. The keys are the token names,
+	 * and the values are the corresponding replacements.
+	 * @see patterns
+	 */
+	public $tokens = [
+		'{id}' => '<id:\\d[\\d,]*>',
+	];
+	/**
+	 * @var array list of possible patterns and the corresponding actions for creating the URL rules.
+	 * The keys are the patterns and the values are the corresponding actions.
+	 * The format of patterns is `Verbs Pattern`, where `Verbs` stands for a list of HTTP verbs separated
+	 * by comma (without space). If `Verbs` is not specified, it means all verbs are allowed.
+	 * `Pattern` is optional. It will be prefixed with [[prefix]]/[[controller]]/,
+	 * and tokens in it will be replaced by [[tokens]].
+	 */
+	public $patterns = [
+		'PUT,PATCH {id}' => 'update',
+		'DELETE {id}' => 'delete',
+		'GET,HEAD {id}' => 'view',
+		'POST' => 'create',
+		'GET,HEAD' => 'index',
+		'{id}' => 'options',
+		'' => 'options',
+	];
+	/**
+	 * @var array the default configuration for creating each URL rule contained by this rule.
+	 */
+	public $ruleConfig = [
+		'class' => 'yii\web\UrlRule',
+	];
+	/**
+	 * @var boolean whether to automatically pluralize the URL names for controllers.
+	 * If true, a controller ID will appear in plural form in URLs. For example, `user` controller
+	 * will appear as `users` in URLs.
+	 * @see controllers
+	 */
+	public $pluralize = true;
+
+
+	/**
+	 * @inheritdoc
+	 */
+	public function init()
+	{
+		if (empty($this->controller)) {
+			throw new InvalidConfigException('"controller" must be set.');
+		}
+
+		$controllers = [];
+		foreach ((array)$this->controller as $urlName => $controller) {
+			if (is_integer($urlName)) {
+				$urlName = $this->pluralize ? Inflector::pluralize($controller) : $controller;
+			}
+			$controllers[$urlName] = $controller;
+		}
+		$this->controller = $controllers;
+
+		$this->prefix = trim($this->prefix, '/');
+
+		parent::init();
+	}
+
+	/**
+	 * @inheritdoc
+	 */
+	protected function createRules()
+	{
+		$only = array_flip($this->only);
+		$except = array_flip($this->except);
+		$patterns = array_merge($this->patterns, $this->extraPatterns);
+		$rules = [];
+		foreach ($this->controller as $urlName => $controller) {
+			$prefix = trim($this->prefix . '/' . $urlName, '/');
+			foreach ($patterns as $pattern => $action) {
+				if (!isset($except[$action]) && (empty($only) || isset($only[$action]))) {
+					$rules[$urlName][] = $this->createRule($pattern, $prefix, $controller . '/' . $action);
+				}
+			}
+		}
+		return $rules;
+	}
+
+	/**
+	 * Creates a URL rule using the given pattern and action.
+	 * @param string $pattern
+	 * @param string $prefix
+	 * @param string $action
+	 * @return \yii\web\UrlRuleInterface
+	 */
+	protected function createRule($pattern, $prefix, $action)
+	{
+		$verbs = 'GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS';
+		if (preg_match("/^((?:($verbs),)*($verbs))(?:\\s+(.*))?$/", $pattern, $matches)) {
+			$verbs = explode(',', $matches[1]);
+			$pattern = isset($matches[4]) ? $matches[4] : '';
+		} else {
+			$verbs = [];
+		}
+
+		$config = $this->ruleConfig;
+		$config['verb'] = $verbs;
+		$config['pattern'] = rtrim($prefix . '/' . strtr($pattern, $this->tokens), '/');
+		$config['route'] = $action;
+		if (!in_array('GET', $verbs)) {
+			$config['mode'] = \yii\web\UrlRule::PARSING_ONLY;
+		}
+		$config['suffix'] = $this->suffix;
+
+		return Yii::createObject($config);
+	}
+
+	/**
+	 * @inheritdoc
+	 */
+	public function parseRequest($manager, $request)
+	{
+		$pathInfo = $request->getPathInfo();
+		foreach ($this->rules as $urlName => $rules) {
+			if (strpos($pathInfo, $urlName) !== false) {
+				foreach ($rules as $rule) {
+					/** @var \yii\web\UrlRule $rule */
+					if (($result = $rule->parseRequest($manager, $request)) !== false) {
+						Yii::trace("Request parsed with URL rule: {$rule->name}", __METHOD__);
+						return $result;
+					}
+				}
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * @inheritdoc
+	 */
+	public function createUrl($manager, $route, $params)
+	{
+		foreach ($this->controller as $urlName => $controller) {
+			if (strpos($route, $controller) !== false) {
+				foreach ($this->rules[$urlName] as $rule) {
+					/** @var \yii\web\UrlRule $rule */
+					if (($url = $rule->createUrl($manager, $route, $params)) !== false) {
+						return $url;
+					}
+				}
+			}
+		}
+		return false;
+	}
+}

framework/rest/ViewAction.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\rest;
+
+use Yii;
+
+/**
+ * ViewAction implements the API endpoint for returning the detailed information about a model.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class ViewAction extends Action
+{
+	/**
+	 * Displays a model.
+	 * @param string $id the primary key of the model.
+	 * @return \yii\db\ActiveRecordInterface the model being displayed
+	 */
+	public function run($id)
+	{
+		$model = $this->findModel($id);
+		if ($this->checkAccess) {
+			call_user_func($this->checkAccess, $this->id, $model);
+		}
+		return $model;
+	}
+}

framework/web/IdentityInterface.php

@@ -52,6 +52,14 @@ interface IdentityInterface
 	 */
 	public static function findIdentity($id);
 	/**
+	 * Finds an identity by the given secrete token.
+	 * @param string $token the secrete token
+	 * @return IdentityInterface the identity object that matches the given token.
+	 * Null should be returned if such an identity cannot be found
+	 * or the identity is not in an active state (disabled, deleted, etc.)
+	 */
+	public static function findIdentityByAccessToken($token);
+	/**
 	 * Returns an ID that can uniquely identify a user identity.
 	 * @return string|integer an ID that uniquely identifies a user identity.
 	 */

framework/web/Link.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\web;
+
+use yii\base\Arrayable;
+use yii\base\Object;
+
+/**
+ * Link represents a link object as defined in [JSON Hypermedia API Language](https://tools.ietf.org/html/draft-kelly-json-hal-03).
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class Link extends Object implements Arrayable
+{
+	/**
+	 * The self link.
+	 */
+	const REL_SELF = 'self';
+
+	/**
+	 * @var string a URI [RFC3986](https://tools.ietf.org/html/rfc3986) or
+	 * URI template [RFC6570](https://tools.ietf.org/html/rfc6570). This property is required.
+	 */
+	public $href;
+	/**
+	 * @var string a secondary key for selecting Link Objects which share the same relation type
+	 */
+	public $name;
+	/**
+	 * @var string a hint to indicate the media type expected when dereferencing the target resource
+	 */
+	public $type;
+	/**
+	 * @var boolean a value indicating whether [[href]] refers to a URI or URI template.
+	 */
+	public $templated = false;
+	/**
+	 * @var string a URI that hints about the profile of the target resource.
+	 */
+	public $profile;
+	/**
+	 * @var string a label describing the link
+	 */
+	public $title;
+	/**
+	 * @var string the language of the target resource
+	 */
+	public $hreflang;
+
+	/**
+	 * @inheritdoc
+	 */
+	public function toArray()
+	{
+		return array_filter((array)$this);
+	}
+
+	/**
+	 * Serializes a list of links into proper array format.
+	 * @param array $links the links to be serialized
+	 * @return array the proper array representation of the links.
+	 */
+	public static function serialize(array $links)
+	{
+		foreach ($links as $rel => $link) {
+			if (is_array($link)) {
+				foreach ($link as $i => $l) {
+					$link[$i] = $l instanceof self ? $l->toArray() : ['href' => $l];
+				}
+				$links[$rel] = $link;
+			} elseif (!$link instanceof self) {
+				$links[$rel] = ['href' => $link];
+			}
+		}
+		return $links;
+	}
+}

framework/web/Linkable.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\web;
+
+/**
+ * Linkable is the interface that should be implemented by classes that typically represent locatable resources.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+interface Linkable
+{
+	/**
+	 * Returns a list of links.
+	 *
+	 * Each link is either a URI or a [[Link]] object. The return value of this method should
+	 * be an array whose keys are the relation names and values the corresponding links.
+	 *
+	 * If a relation name corresponds to multiple links, use an array to represent them.
+	 *
+	 * For example,
+	 *
+	 * ```php
+	 * [
+	 *     'self' => 'http://example.com/users/1',
+	 *     'friends' => [
+	 *         'http://example.com/users/2',
+	 *         'http://example.com/users/3',
+	 *     ],
+	 *     'manager' => $managerLink, // $managerLink is a Link object
+	 * ]
+	 * ```
+	 *
+	 * @return array the links
+	 */
+	public function getLinks();
+}

framework/web/UrlRule.php

@@ -199,7 +199,7 @@ class UrlRule extends Object implements UrlRuleInterface
 			return false;
 		}
 
-		if ($this->verb !== null && !in_array($request->getMethod(), $this->verb, true)) {
+		if (!empty($this->verb) && !in_array($request->getMethod(), $this->verb, true)) {
 			return false;
 		}
 

framework/web/User.php

@@ -211,6 +211,23 @@ class User extends Component
 	}
 
 	/**
+	 * Logs in a user by the given access token.
+	 * Note that unlike [[login()]], this method will NOT start a session to remember the user authentication status.
+	 * Also if the access token is invalid, the user will remain as a guest.
+	 * @param string $token the access token
+	 * @return IdentityInterface the identity associated with the given access token. Null is returned if
+	 * the access token is invalid.
+	 */
+	public function loginByAccessToken($token)
+	{
+		/** @var IdentityInterface $class */
+		$class = $this->identityClass;
+		$identity = $class::findIdentityByAccessToken($token);
+		$this->setIdentity($identity);
+		return $identity;
+	}
+
+	/**
 	 * Logs in a user by cookie.
 	 *
 	 * This method attempts to log in a user using the ID and authKey information

tests/unit/framework/base/ModelTest.php

@@ -147,7 +147,7 @@ class ModelTest extends TestCase
 		$this->assertTrue($speaker->hasErrors('firstName'));
 		$this->assertFalse($speaker->hasErrors('lastName'));
 
-		$this->assertEquals(['Something is wrong!'], $speaker->getFirstErrors());
+		$this->assertEquals(['firstName' => 'Something is wrong!'], $speaker->getFirstErrors());
 		$this->assertEquals('Something is wrong!', $speaker->getFirstError('firstName'));
 		$this->assertNull($speaker->getFirstError('lastName'));