In general, you want a short-circuited sending process, returning a response. During route or dispatch you can return a response to stop the usual stop of the code stream and directly complete the result. In the case of ACL verification, it is very likely that you want to return the response earlier and redirect to the user login page.
You either create a response in the controller, or check the return value of the plugin and redirect its response. Note that the second method is similar to how the PRG plugin works .
An example of the first method:
use Zend\Mvc\Controller\AbstractActionController; class MyController extends AbstractActionController { public function fooAction() { if (!$this->aclAllowsAccess()) {
An example of using the PRG plugin:
use Zend\Mvc\Controller\AbstractActionController; use Zend\Http\Response; class MyController extends AbstractActionController { public function fooAction() { $result = $this->aclCheck(); if ($result instanceof Response) {
Then the plugin could look like this (in the second case):
use Zend\Mvc\Controller\Plugin\AbstractPlugin; class AclCheck extends AbstractPlugin { public function __invoke() {
In your question you say:
[...] it does not work, because a plug-in requires a controller.
This can be a problem inside the controller plugin if you want to do $this->getController() in the plugin. You must either extend Zend\Mvc\Controller\Plugin\AbstractPlugin or implement Zend\Mvc\Controller\Plugin\PluginInterface to make sure your ACL plugin is injected with the controller.
If you do not want this, there is an alternative in which you directly return an answer that you create yourself. This is a little less flexible, and you create a response object, while there is already a response object (causing possible conflicts with both answers), but the plugin code will change as follows:
use Zend\Mvc\Controller\Plugin\AbstractPlugin; use Zend\Http\PhpEnvironment\Response; class AclCheck extends AbstractPlugin { public function __invoke() {