how to deny the access of url in yii even if we kn

Posted 2019-09-21 21:22

Question:

In my Yii web application I disable and enable several URLs to set privileges. But the same URL can be accessed by a user that doesn't have the privilege to access that URL by copying the URL or getting it from somewhere. What should I do to avoid this?

Answer 1:

In controller

The function behaviors is for this. You can find the doc in the Yii2 guide, filters (core filter / access control).

This is a medium-complexity sample for rules (allow only index, view, mpdf-form for roles viewerApp and viewerModule1; allow all access to roles superAdmin, admin, managerModule1, managerApp):

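// Needs at the top of the controller file:
//   use yii\filters\AccessControl;
//   use yii\filters\VerbFilter;
public function behaviors()
{
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                // Viewer roles: only the listed read-only actions.
                [
                    'actions' => ['index', 'view', 'mpdf-form'],
                    'allow' => true,
                    'roles' => ['viewerApp', 'viewerModule1'],
                ],
                // No 'actions' key: the rule applies to every action of this controller.
                [
                    'allow' => true,
                    'roles' => ['superAdmin', 'admin', 'managerModule1', 'managerApp'],
                ],
                // A request that matches no rule is denied.
            ],
        ],
        'verbs' => [
            'class' => VerbFilter::className(),
            'actions' => [
                // delete is accepted only as a POST request.
                'delete' => ['post'],
            ],
        ],
    ];
}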
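
The rules above are checked on the server for every request, so a URL pasted into the address bar goes through the same check as a clicked link. The following PHP sketch is an added example (not part of the original answer and not Yii's own implementation): it models only the `actions`, `roles` and `allow` keys used above, evaluated first-match-wins with deny by default. `isAllowed()` and the sample requests are constructed for illustration.

```php
<?php
// Added illustration: a simplified model of how ordered allow-rules are
// evaluated (first match decides, no match means deny). Not Yii's own code.

// Rules copied from the answer's behaviors() configuration.
const RULES = [
    ['actions' => ['index', 'view', 'mpdf-form'], 'allow' => true,
     'roles' => ['viewerApp', 'viewerModule1']],
    ['allow' => true,
     'roles' => ['superAdmin', 'admin', 'managerModule1', 'managerApp']],
];

/**
 * Decide whether a request for $action by a user holding $userRoles passes.
 * A rule matches when the action is listed (or the rule lists no actions)
 * and the user holds at least one of the rule's roles.
 */
function isAllowed(string $action, array $userRoles, array $rules = RULES): bool
{
    foreach ($rules as $rule) {
        $actionMatches = empty($rule['actions'])
            || in_array($action, $rule['actions'], true);
        $roleMatches = count(array_intersect($rule['roles'], $userRoles)) > 0;
        if ($actionMatches && $roleMatches) {
            return $rule['allow'];   // first matching rule decides
        }
    }
    return false;                    // nothing matched: deny by default
}

// Constructed requests: what each user gets when typing the URL directly.
$requests = [
    ['index',  ['viewerApp']],
    ['update', ['viewerApp']],     // link hidden in the UI, URL pasted by hand
    ['delete', ['viewerModule1']],
    ['delete', ['managerApp']],
    ['index',  []],                // guest or user with no role
];

foreach ($requests as [$action, $roles]) {
    printf("%-7s roles=[%s] => %s\n", $action, implode(',', $roles),
        isAllowed($action, $roles) ? 'allowed' : 'denied');
}
```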


Tags: php yii2