ACL Implementation in CakePHP version 3

  • Post published:October 6, 2015

ACL (Access Control List) is an important feature of any application/software. It is a basic requirement for such an application or a software which has different types of users with different access levels/controls. CakePHP is one of the most popular web application framework. It follows MVC (Model-View-Controller) approach and is used for rapid application development.

While developing an application, we might need ACL for it. The versions of CakePHP prior to 3.0 were having built-in ACL. But since version 3.0 of CakePHP, ACL is no more part of this framework, as mentioned in AuthComponent section of Migration Guide for CakePHP 3. To help out in a situation where one can need ACL in CakePHP 3, a plugin is available on Github.

ACL plugin from Github:

The plugin is developed by Walther Lalk. Though it is a non-stable plugin as mentioned in the plugin page on Github but this is a good solution available at time of our need.

The installation guide is given on plugin page. After installing and creating tables by migration command, you may face a big question of “How to implement ACL in your application that is built in CakePHP 3?“.

There is no proper documentation available for the usage of this plugin. Even developers who were having experience of implementing ACL in older versions also faced this problem. As vteams also went through this problem and found its solution, we would like to share our experience and learning with developers community as well.

The challenges we encountered were as follows:

  • Non-Stable Plugin
  • No documentation available


We had to analyze the complete plugin code to understand how it works as no proper documentation is available for the plugin. We had to change the definitions of some plugin functions to adjust the plugin according to our requirement. Through the analysis, we learned how to use the following functions of the plugin:

  • Create ACO (Access Control Object)
  • Create ARO (Access Request Object)
  • Delete an ACL node
  • How to get the path of an ACL node using the get_path function
  • Check the permission between an ACO and ARO
  • Use grant to grant an ARO permission to an ACO
  • Use view to see the tree structure of nodes

We also learned how to use the above methods in CLI (Command Line Interface). To make it stable, we had to improve the plugin according to our application requirement. For this, we added some interfaces for administrator user from where he can control the ACL Users. We also created an interface to manage the Access Control Object (ACO). But obviously this ACO manager could only be used by the technical user i.e. Developer. Only developer could list, create and delete ACO.

After the structure of ACL is built up, we had to apply the custom checks in the Controllers. The best way is to apply the checks in isAuthorized function of controller. We can also apply the checks in AppController before Filter function but for that, we have to use the redirection if the check return is false.


As a result, we successfully implemented the USER ACL in our cake 3 application. Administrator User can easily manage the access for all the ACL Users. Currently up to three-level access has been implemented in our application:

  1. Group Level
  2. User Level
  3. Functions level