We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.

Granting Roles accesses to specific resource IDs?

My application has the following definitions:

  • Users (Roles)
  • Accounts/Items (Resources)
  • Full/List/View/Update/Delete (Accesses)
  • Account IDs (Resource IDs - each account has a unique ID...)


  • Acls seem to only take into account Roles, Resources, Accesses. What about accesses on specific Resources designated by a resource_id?
  • The entire Acl is in the database using the incubator's Acl Database Adapter, not in memory.


To allow/deny each user the ability to perform "access" on a specific "resource" identified by "resource_id"

Example: We have 10 accounts. Account ids 1 - 10.

  • User1 has full access to Accounts 1 - 5
  • User2 has full access to Accounts 6 - 9
  • User3 has full access to Accounts 10
  • User3 can also List/View Accounts 2, 5, 9.

// Doesn't take into account the account_id!!

if(!$this->isAllowed('User1', 'Account', 'View')) {

... Denied! ...

return false;


... approved ...

Possible solution:

I've been toying with the idea of extending the Acl Database Adapter by adding a "resource_id" column to the access_list and updating the code to check that as an additional parameter.

What are your thoughts?

Hi @Steven you must implement an annonimous function to validate that check the docs

// Set access level for role into resources with custom function when you pass the resource id
    function ($id) {
        return $id >= 1 && $id <= 5; //1 and 5 probably get from db

//then when you validate
        'id' => 4, //nice 

Good luck

edited Aug '17

Well the problem is that he uses Database adapter, not sure if this will work, most certainly not. This code from above is for Memory adapter, you can check it code in repository and make similar thing for Database, but im not really sure how it should actually work, just database adapter doesn't fit for this requirment really.


I ended up customizing the database adapter from the incubator to fit my needs.

I just added a resource_id to the access_list table and updated the code to match accordingly. Works like a charm :)