diff --git a/app/listeners/AclListener.php b/app/listeners/AclListener.php
index dd787fd..ab4ebb7 100644
--- a/app/listeners/AclListener.php
+++ b/app/listeners/AclListener.php
@@ -4,7 +4,8 @@ namespace App\Listener;
 use Phalcon\Events\Event,
 Phalcon\Mvc\Dispatcher,
- Phalcon\Mvc\User\Plugin;
+ Phalcon\Mvc\User\Plugin,
+ Phalcon\Mvc\Dispatcher\Exception as DispatcherException;
 use Httpcb\Acl;
@@ -15,6 +16,12 @@ class AclListener extends Plugin
 'error'
 ];
+ /**
+ * @param Event $event
+ * @param Dispatcher $dispatcher
+ * @return bool
+ * @throws DispatcherException
+ */
 public function beforeExecuteRoute(Event $event, Dispatcher $dispatcher) : bool
 {
 // We only have two roles for now, authenticated users and guests.
@@ -36,11 +43,24 @@ class AclListener extends Plugin
 // this role does not have access to this resource.
 if ($this->acl->isAllowed($role, $resource) === false) {
- // Forward to login page.
- $dispatcher->forward(array(
- 'controller' => 'auth',
- 'action' => 'index',
- ));
+ // Has identity or acl_redirect flag set.
+ // Throw a "handler not found" exception in this case.
+ if ($this->auth->hasIdentity() || $this->session->has('acl_redirect')) {
+ // Unset redirect flag first.
+ unset($this->session->acl_redirect);
+ $msg = sprintf("Role '%s' not allowed access to resource '%s'", $role, $resource);
+ throw new DispatcherException($msg, Dispatcher::EXCEPTION_HANDLER_NOT_FOUND);
+ }
+ // Redirect to login page
+ $this->response->redirect(['for' => 'login']);
+ // And set a flag in session. if we do not have access to that // resource either. we should not redirect again.
+ $this->session->set('acl_redirect', true);
 // Return false to stop the dispatch loop.
 return false;
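Review bot: The `acl_redirect` session flag is only cleared on the throwing branch, so a guest who was denied once, then browsed allowed pages without logging in, still carries the flag and the next denied request raises the "handler not found" exception instead of redirecting to login; the flag should also be cleared when the `isAllowed` check passes, e.g. `$this->session->remove('acl_redirect');` on the allowed path, which lies outside this hunk (the whole of beforeExecuteRoute begins and ends outside the hunk). On the same lines, `unset($this->session->acl_redirect);` relies on the session adapter's magic `__unset` while the rest of the block uses `has()`/`set()`; the explicit `$this->session->remove('acl_redirect');` keeps one style and survives an adapter that lacks the magic. Since the method returns false right after `$this->response->redirect(['for' => 'login'])`, the redirect only takes effect if the bootstrap still sends the response after the dispatch loop stops; I cannot see that from here, so it is worth confirming and noting in the comment above the redirect. The exception message embeds `$resource`, which appears to be derived from the request's controller name; if the `EXCEPTION_HANDLER_NOT_FOUND` handler echoes the message, it should be escaped for HTML at that point.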