Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

ACL not working in Phalcon

I am trying to write a REST API Micro program, and write acl based on the V3.2 documentation and the INVO example.

if it goes well, should not receive data from getUserList. or throw Exception.

But no matter how I change it, I receive the data as if the ACL never worked. and Exception not throw out.

Does not seem to work,

Please tell me where there is a error?


namespace App;

use Phalcon\Acl;
use Phalcon\Acl\Role;
use Phalcon\Acl\Resource;
use Phalcon\Events\Event;
use Phalcon\Mvc\User\Plugin;
use Phalcon\Mvc\Dispatcher;
use Phalcon\Acl\Adapter\Memory;

use App\Controllers\HttpExceptions;
use App\Controllers\HttpExceptions\Http422Exception;

class Security extends Plugin
    public function getAcl()
        $acl = new \Phalcon\Acl\Adapter\Memory();

        $roleAdmins = new Role('admin');
        $acl->addRole( $roleAdmins);
        //  \App\Model\Users
        $usersResource = new Resource('Users');
        // getUserListAction
        $acl->allow($roleAdmins, 'Users', 'getUserList');

        return $acl;


    public function beforeExecuteRoute(Event $event, Dispatcher $dispatcher){
        $role = 'guest';
        $controller = $dispatcher->getControllerClass();
        $action =$dispatcher->getActionName();
        $acl= $this->getAcl();

        if (!$controller) {
            throw new Http422Exception(_('Err a'));
            return false;

        if (!$action) {
            throw new Http422Exception(_('Err b'));
            return false;

        if (!$acl->isResource($controller)) {
            throw new Http422Exception(_('Err c'));
            return false;

        $allowed = $acl->isAllowed($role, $controller, $action);
        if (!$allowed) {
            throw new Http422Exception(_('Err d'));
            return false;
// di.php
    function() {
        $eventManager = new Phalcon\Events\Manager();
        $eventManager->attach('dispatch:beforeExecuteRoute', new \App\Security);

        $dispatcher = new \Phalcon\Mvc\Dispatcher();
        return $dispatcher;

edited Dec '17

There is no dispatcher in micro app.

You can use $router->getMatchedRoute() and named routes for acl.