I would like to deny access to the private areas on my website. But I don't know what I am doing wrong.
I don't want to use Acl::DENY as the default rule.
Instead I am using Acl::ALLOW as the global rule and denying access to the private resources.
Here is my code:
<?php
use Phalcon\Acl;
use Phalcon\Acl\Role;
use Phalcon\Acl\Resource;
use Phalcon\Events\Event;
use Phalcon\Mvc\User\Plugin;
use Phalcon\Mvc\Dispatcher;
use Phalcon\Acl\Adapter\Memory as AclList;
class SecurityPlugin extends Plugin {
public function getAcl() {
if (!isset($this->persistent->acl)) {
$acl = new AclList();
$acl->setDefaultAction(Acl::ALLOW);
$roles = array(
'admin' => new Role('Administrators'),
'guests' => new Role('Guests')
);
foreach ($roles as $role) {
$acl->addRole($role);
}
//Private area resources
$privateResources = array(
'admin' => array('index'),
'products' => array('index', 'search', 'new');
foreach ($privateResources as $resource => $actions) {
$acl->addResource(new Resource($resource), $actions);
}
foreach ($privateResources as $resource => $actions) {
foreach ($actions as $action) {
$acl->deny('Guests', $resource, $action);
}
}
}
return $this->persistent->acl;
}
public function beforeDispatch(Event $event, Dispatcher $dispatcher) {
$auth = $this->session->get('auth');
if (!$auth) {
$role = 'Guests';
} else {
$role = 'Admin';
}
$controller = $dispatcher->getControllerName();
$action = $dispatcher->getActionName();
$acl = $this->getAcl();
$allowed = $acl->isAllowed($role, $controller, $action);
if ($allowed != Acl::ALLOW) {
$dispatcher->forward(array(
'controller' => 'errors',
'action' => 'show401'
));
$this->session->destroy();
return false;
}
}
}
Thank you, for trying to help me.
