app/listeners/AclListener.php: improve error handling when access is denied.

app/listeners/AclListener.php

@@ -4,7 +4,8 @@ namespace App\Listener;
 
 use Phalcon\Events\Event,
     Phalcon\Mvc\Dispatcher,
-    Phalcon\Mvc\User\Plugin;
+    Phalcon\Mvc\User\Plugin,
+    Phalcon\Mvc\Dispatcher\Exception as DispatcherException;
 
 use Httpcb\Acl;
 
@@ -15,6 +16,12 @@ class AclListener extends Plugin
         'error'
     ];
 
+    /**
+     * @param Event $event
+     * @param Dispatcher $dispatcher
+     * @return bool
+     * @throws DispatcherException
+     */
     public function beforeExecuteRoute(Event $event, Dispatcher $dispatcher) : bool
     {
         // We only have two roles for now, authenticated users and guests.
@@ -36,11 +43,24 @@ class AclListener extends Plugin
         // this role does not have access to this resource.
         if ($this->acl->isAllowed($role, $resource) === false) {
 
-            // Forward to login page.
+            // Has identity or acl_redirect flag set.
-            $dispatcher->forward(array(
+            // Throw a "handler not found" exception in this case.
-                'controller' => 'auth',
+            if ($this->auth->hasIdentity() || $this->session->has('acl_redirect')) {
-                'action'     => 'index',
+
-            ));
+                // Unset redirect flag first.
+                unset($this->session->acl_redirect);
+
+                $msg = sprintf("Role '%s' not allowed access to resource '%s'", $role, $resource);
+                throw new DispatcherException($msg, Dispatcher::EXCEPTION_HANDLER_NOT_FOUND);
+            }
+
+            // Redirect to login page
+            $this->response->redirect(['for' => 'login']);
+
+            // And set a flag in session. if we do not have access to that
+            // resource either. we should not redirect again.
+            $this->session->set('acl_redirect', true);
+
 
             // Return false to stop the dispatch loop.
             return false;