The examples on this site are currently tested to work on Phalcon V3.4 and Phalcon Devtools V3.2. Some issues may arise when using later versions.

Please get in touch or post a comment below the post if you encounter a problem.

In the last post we locked down the system so that a user could only access those Controller actions to which they had been granted access in the dbaccesscontrollist. The security plugin forwards the request to show401Action if the user is not authorised, and to show404Action if the resource is not found. In this step we will create a simple ErrorsController to handle these errors. The following code has been adapted from the Phalcon Invo example.

Save the following code to app/controllers/ErrorsController.php

<?php
// app/controllers/ErrorsController.php
// Adapted from the Phalcon Invo example. Each action is intentionally empty:
// once it returns, the dispatcher renders the matching view
// (app/views/errors/show404.volt or show401.volt).
class ErrorsController extends ControllerBase
{
    // Target of the SecurityPlugin's forward when a resource is not found.
    public function show404Action()
    {
    }

    // Target of the SecurityPlugin's forward when the user is not authorised.
    public function show401Action()
    {
    }
}
// No closing "?>" tag: leaving it out avoids accidentally sending stray
// whitespace to the browser before the response headers.

The action methods are empty because their only job is to hand over to the matching views.

Save the following file to app/views/errors/show401.volt

{{ content() }}
<div class="jumbotron">
    <h1>Not authorized</h1>
    <p>You are not authorized to view this page</p>
    <p>{{ link_to('member', 'search', 'class': 'btn btn-primary') }}</p>
</div>

Now save the following code to app/views/errors/show404.volt

{{ content() }}
<div class="jumbotron">
    <h1>Page not found</h1>
    <p>Sorry, you have accessed a page that does not exist or was moved</p>
    <p>{{ link_to('member', 'search', 'class': 'btn btn-primary') }}</p>
</div>

Before you go any further you will need to modify the access control list to ensure that the Errors Controller is accessible: all roles should be able to access all actions of the Errors Controller at all times. To do this, switch off the SecurityPlugin by commenting out that section at the bottom of the app/config/services.php file, then visit http://localhost/tennisClub/dbaccesscontrollist/setAccessControl/errors

Make sure every box is checked!
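As an added sanity check (not part of the tutorial and not code from the Invo example), the script below builds a Phalcon\Acl\Adapter\Memory from a few constructed sample rows standing in for what dbaccesscontrollist holds, then reports any role that cannot reach errors/show401 or errors/show404. The role names, sample rows and the deliberate gap for 'Members' are assumptions for illustration; the reason the check matters is that if a role cannot reach errors/show401 once the SecurityPlugin is re-enabled, the plugin's own forward to show401Action is denied and the dispatcher keeps forwarding to itself until Phalcon aborts it with a cyclic-routing exception.

```php
<?php
// Added example: verify that every role can reach both ErrorsController
// actions before the SecurityPlugin is switched back on.
use Phalcon\Acl;
use Phalcon\Acl\Adapter\Memory as AclList;
use Phalcon\Acl\Resource;
use Phalcon\Acl\Role;

// Constructed sample rows (role => resource => allowed actions). In the real
// application these would be read from the dbaccesscontrollist table.
$rows = [
    'Guests'  => ['errors' => ['show401', 'show404'], 'user'   => ['login']],
    'Members' => ['errors' => ['show401'],            'member' => ['search']], // show404 missing on purpose
    'Admins'  => ['errors' => ['show401', 'show404'], 'member' => ['search', 'edit']],
];

$acl = new AclList();
$acl->setDefaultAction(Acl::DENY);   // deny by default, as in the Invo plugin
foreach ($rows as $roleName => $resources) {
    $acl->addRole(new Role($roleName));
    foreach ($resources as $resourceName => $actions) {
        // addResource may be called repeatedly; the access list is merged.
        $acl->addResource(new Resource($resourceName), $actions);
        foreach ($actions as $action) {
            $acl->allow($roleName, $resourceName, $action);
        }
    }
}

// Every role must be allowed both error pages; collect any gap found.
$errorActions = ['show401', 'show404'];
$gaps = [];
foreach ($acl->getRoles() as $role) {
    foreach ($errorActions as $action) {
        if ($acl->isAllowed($role->getName(), 'errors', $action) !== true) {
            $gaps[] = $role->getName() . ' cannot reach errors/' . $action;
        }
    }
}

if ($gaps) {
    echo "ACL gaps found (fix these before re-enabling the SecurityPlugin):" . PHP_EOL;
    echo implode(PHP_EOL, $gaps) . PHP_EOL;   // reports: Members cannot reach errors/show404
} else {
    echo "ACL OK: all roles can reach the error pages" . PHP_EOL;
}
```

Run it once against the real rows after ticking the boxes; an empty gap list means the plugin can safely forward to the error pages for any role.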

Managing security that is stored in sessions can get very confusing. One reason is that the webserver may continue to hold session information even after you restart it: PHP session files live on disk, so a restart does not clear them. This means that even when you think you are not logged in, which would leave you defaulting to the 'Guest' role, you may still be logged in from a previous session. XAMPP stores session files in xampp\tmp, so deleting the files in there is as good as destroying the session. This can be handy in a jam.

Where necessary you can call http://localhost/tennisClub/user/logout to destroy your session. You're now logging in, logging out, locking down and handling errors!