
beforeException and beforeDispatch confusion

In the Securing INVO guide there are two dispatchers attached to the event manager: one for securing the controllers, while the other is to control not-found exceptions.

    /**
     * Check if the user is allowed to access certain action using the SecurityPlugin
     */
    $eventsManager->attach('dispatch:beforeDispatch', new SecurityPlugin);

    /**
     * Handle exceptions and not-found exceptions using NotFoundPlugin
     */
    $eventsManager->attach('dispatch:beforeException', new NotFoundPlugin);

Since beforeDispatch is dispatched first in the event loop, nonexistent controllers or actions will be caught by the security plugin when they should be caught by the not-found plugin.

How can I change this behaviour? I want nonexistent controllers or actions to be caught by the not-found plugin and not the security one.

Thanks



Accepted answer (edited Dec '15)

Hello, I think you can change the behaviour of ACL to not DENY by default. INVO SecurityPlugin has ACL set as:

$acl->setDefaultAction(Acl::DENY);

By changing this, you should modify the SecurityPlugin to only RESTRICT access to specific resources, instead of ALLOWING specific resources.

When this behaviour is inverted, the SecurityPlugin will allow even nonexistent actions to dispatch.

EDIT 1: fix typos

I wasn't aware of that default behaviour, I will make some changes in the logic of accessing resources.

Thank you
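
An alternative that keeps Acl::DENY as the default, added here as an example and not taken from INVO or from any post in this thread: run the ACL check on dispatch:beforeExecuteRoute, which in Phalcon 2.x/3.x fires after the dispatcher has resolved the controller class and action method, so a missing controller or action raises the dispatch exception for NotFoundPlugin before the ACL is consulted. The roles, resource lists and the errors/show401 target are assumptions modelled on INVO.

```php
<?php
// Added example (not INVO's code). Assumes Phalcon 2.x/3.x class names.
use Phalcon\Acl;
use Phalcon\Acl\Adapter\Memory as AclList;
use Phalcon\Acl\Resource;
use Phalcon\Acl\Role;
use Phalcon\Events\Event;
use Phalcon\Mvc\Dispatcher;
use Phalcon\Mvc\User\Plugin;

class SecurityPlugin extends Plugin
{
    // Constructed sample rules: resource => actions.
    private $public  = ['index' => ['index'], 'errors' => ['show401', 'show404']];
    private $private = ['invoices' => ['index', 'profile']];

    private function buildAcl()
    {
        $acl = new AclList();
        $acl->setDefaultAction(Acl::DENY); // unlisted resources stay denied
        $acl->addRole(new Role('Guests'));
        $acl->addRole(new Role('Users'));
        foreach ($this->public + $this->private as $resource => $actions) {
            $acl->addResource(new Resource($resource), $actions);
        }
        foreach ($this->public as $resource => $actions) {
            $acl->allow('Guests', $resource, $actions); // error pages must stay
            $acl->allow('Users', $resource, $actions);  // reachable to avoid a forward loop
        }
        foreach ($this->private as $resource => $actions) {
            $acl->allow('Users', $resource, $actions);
        }
        return $acl;
    }

    // Runs only for a controller/action pair the dispatcher has already found.
    public function beforeExecuteRoute(Event $event, Dispatcher $dispatcher)
    {
        $role = $this->session->get('auth') ? 'Users' : 'Guests';
        $allowed = $this->buildAcl()->isAllowed(
            $role, $dispatcher->getControllerName(), $dispatcher->getActionName()
        );
        if ($allowed != Acl::ALLOW) {
            $dispatcher->forward(['controller' => 'errors', 'action' => 'show401']);
            return false;
        }
    }
}

// $eventsManager and NotFoundPlugin are the ones from the question's snippet.
$eventsManager->attach('dispatch:beforeException', new NotFoundPlugin);
$eventsManager->attach('dispatch:beforeExecuteRoute', new SecurityPlugin);
```

With this wiring a controller that exists but was never added to the ACL is still denied, whereas switching the default to Acl::ALLOW would expose it.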
