We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.

ACL - Checking allowed access to an undefined access returns true

Hi, first of all many thanks for develop, support and share this excellent framework.

Before post this question, I tried to find answer to my problem but I could't be able to find it.

I'm using ACL to control the access to some functionallity of my code. Everything were ok until I made a typo error. In an isAllowed checking I got a true at checking a non defined access in a role.

I show you the code:

   $acl = new AclList();
   $acl->setDefaultAction(Acl::DENY); //by default deny for all defined permissions
   $adminRole = new Role('Admin', 'Administrator');

   $fooController = new Resource('FooController');
    [ 'fooAction', 'barAction']

    $acl->allow($adminRole->getName(), $fooController->getName(), '*');  //using wildcard for the access

    $checkFoo = $acl->isAllowed($adminRole->getName(), 
                            "fooAction");  // return true (OK)

    //next line return true (but the access 'baAction' is not defined as a part of the resource,
    //the correct one would be 'barAction'. 
    $checkBar = $acl->isAllowed($adminRole->getName(), 

I expected to get an error or at least a false.

I'm using Phalcon 3.2.4 .

Thank you so much for read this.

Notice that you added wildcard access. so it will allow everything, even non exisitng actions. I guess we should check for actions actually exists, but still, you have acess to it.


Thanks for your quick response. Yes, I added a wildcard access because in my context it's needed. I had expected that the ACL would check the validity of that. This behaviour is documented?

Thanks again.