We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.

ACL not working in Phalcon

I am trying to write a REST API Micro program, and write acl based on the V3.2 documentation and the INVO example.

if it goes well, should not receive data from getUserList. or throw Exception.

But no matter how I change it, I receive the data as if the ACL never worked. and Exception not throw out.

Does not seem to work,

Please tell me where there is a error?


namespace App;

use Phalcon\Acl;
use Phalcon\Acl\Role;
use Phalcon\Acl\Resource;
use Phalcon\Events\Event;
use Phalcon\Mvc\User\Plugin;
use Phalcon\Mvc\Dispatcher;
use Phalcon\Acl\Adapter\Memory;

use App\Controllers\HttpExceptions;
use App\Controllers\HttpExceptions\Http422Exception;

class Security extends Plugin
    public function getAcl()
        $acl = new \Phalcon\Acl\Adapter\Memory();

        $roleAdmins = new Role('admin');
        $acl->addRole( $roleAdmins);
        //  \App\Model\Users
        $usersResource = new Resource('Users');
        // getUserListAction
        $acl->allow($roleAdmins, 'Users', 'getUserList');

        return $acl;


    public function beforeExecuteRoute(Event $event, Dispatcher $dispatcher){
        $role = 'guest';
        $controller = $dispatcher->getControllerClass();
        $action =$dispatcher->getActionName();
        $acl= $this->getAcl();

        if (!$controller) {
            throw new Http422Exception(_('Err a'));
            return false;

        if (!$action) {
            throw new Http422Exception(_('Err b'));
            return false;

        if (!$acl->isResource($controller)) {
            throw new Http422Exception(_('Err c'));
            return false;

        $allowed = $acl->isAllowed($role, $controller, $action);
        if (!$allowed) {
            throw new Http422Exception(_('Err d'));
            return false;
// di.php
    function() {
        $eventManager = new Phalcon\Events\Manager();
        $eventManager->attach('dispatch:beforeExecuteRoute', new \App\Security);

        $dispatcher = new \Phalcon\Mvc\Dispatcher();
        return $dispatcher;

edited Dec '17

There is no dispatcher in micro app.


You can use $router->getMatchedRoute() and named routes for acl.