What authorization?

I need your help, Comrades.
Found a glitch in the system authorization. If you turn on address: sitename.ru/admin it throws on sitename.ru/site/login it's okay, I thought so. Until I moved to the address sitename.ru/admin/category instead of category , you can substitute any other controller that exists. I calmly turn and the site opens the admin panel without authorization.
As such it is possible to fix it?
July 2nd 19 at 14:07
2 answers
July 2nd 19 at 14:09
Good evening.
Close each controller in yii\filters\AccessControl
Or configure rbac.

p.s. Click here for more information
July 2nd 19 at 14:11
For myself, I did so.
I created a function in the parent class that redirects from any page in the admin, if the user is not authorized
public function beforeAction($action) {
 if (Yii::$app->user->isGuest) {
 return Yii::$app->getResponse()->redirect(Url::to(['/site/login/']));
 return parent::beforeAction($action);

Find more questions by tags YiiUser identification