
Fixing Magento Admin Controllers

    Jul 10, 2015, 9:53:00 AM 
  • Magepim
  • Magento


On 7 July 2015 Magento released CE 1.9.2.0 together with the security patch SUPEE-6285, which fixed a number of security issues, most of them in the admin area.

One side effect is that many 3rd party extensions no longer let admin users who belong to a custom role (one with a restricted set of ACL resources rather than "All") reach their admin pages. The cause is the way Magento now checks whether the current user is allowed to run an admin controller action.

Many 3rd party extensions never implemented the _isAllowed method on their admin controllers, so they inherited the one from the base class Mage_Adminhtml_Controller_Action, which simply returned true: any logged-in admin could reach the page regardless of role. SUPEE-6285 changed the base implementation to check the admin session against the root ACL resource, i.e. Mage::getSingleton('admin/session')->isAllowed('admin'), which only a role with full resource access passes. The check runs in preDispatch before the action, so users in a custom role are now sent to the "Access denied" page for any controller that relies on the inherited method.

To fix your own extensions, or to get 3rd party extensions working again for custom permission groups, override this method in the admin controller and point it at the extension's own ACL resource, as in the following example. Do not "fix" it by returning true again: that reintroduces exactly the missing authorisation check the patch closed.

<!-- app/code/local/MyCompany/MyExtension/etc/adminhtml.xml
     (or etc/config.xml, inside <adminhtml>) -->
<acl>
    <resources>
        <admin>
            <children>
                <mymodule translate="title" module="mymodule">
                    <title>My Module</title>
                    <!-- Your ACL settings (sub-resources for individual actions, if any) -->
                </mymodule>
            </children>
        </admin>
    </resources>
</acl>

ACL xml for your extension

<?php
class MyCompany_MyExtension_AdminhtmlController extends Mage_Adminhtml_Controller_Action
{
    /**
     * Check whether the current admin user may access this controller.
     *
     * 'mymodule' must match the node declared under <admin><children> in the
     * ACL XML above; Mage_Admin_Model_Session::isAllowed() prefixes 'admin/'
     * itself, so this resolves to the resource 'admin/mymodule'.
     *
     * @return bool
     */
    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed('mymodule');
    }

    /**
     * Rest of your controller code
     */
}

Admin Controller for your extension
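A single controller-level resource is often too coarse: a role that may view records should not automatically be able to save or delete them. The following is an added example, not code from the original post, showing the per-action variant of the same fix. The class name, the ACL path mymodule/items and its view/save/delete children are assumptions for illustration; they must match the <acl> XML of your own extension.

```php
<?php
/**
 * Added example (not from the original post): an admin controller whose
 * _isAllowed() checks a different ACL resource depending on the action.
 *
 * Assumed ACL XML (etc/adminhtml.xml), nested under <admin><children>:
 *
 *   <mymodule translate="title" module="mymodule">
 *       <title>My Module</title>
 *       <children>
 *           <items translate="title" module="mymodule">
 *               <title>Items</title>
 *               <children>
 *                   <view translate="title" module="mymodule"><title>View</title></view>
 *                   <save translate="title" module="mymodule"><title>Save</title></save>
 *                   <delete translate="title" module="mymodule"><title>Delete</title></delete>
 *               </children>
 *           </items>
 *       </children>
 *   </mymodule>
 */
class MyCompany_MyExtension_Adminhtml_ItemsController extends Mage_Adminhtml_Controller_Action
{
    /**
     * Action name => ACL resource required to run it. Actions not listed
     * here fall back to the parent resource 'mymodule/items'.
     */
    protected $_aclResources = array(
        'index'  => 'mymodule/items/view',
        'grid'   => 'mymodule/items/view',
        'edit'   => 'mymodule/items/view',
        'save'   => 'mymodule/items/save',
        'delete' => 'mymodule/items/delete',
    );

    /**
     * Called by Mage_Adminhtml_Controller_Action::preDispatch() before the
     * action runs; returning false sends the user to the "Access denied" page.
     *
     * @return bool
     */
    protected function _isAllowed()
    {
        $action = $this->getRequest()->getActionName();

        $resource = isset($this->_aclResources[$action])
            ? $this->_aclResources[$action]
            : 'mymodule/items';

        // isAllowed() prefixes 'admin/' itself, so 'mymodule/items/save'
        // is checked as the resource 'admin/mymodule/items/save'.
        return Mage::getSingleton('admin/session')->isAllowed($resource);
    }

    /**
     * Listing page; requires mymodule/items/view.
     */
    public function indexAction()
    {
        $this->loadLayout()
            ->_setActiveMenu('mymodule/items')
            ->_title($this->__('Items'))
            ->renderLayout();
    }
}
```

Two things to verify after adding the override. First, log in as a user in a custom role that has only the new resources ticked and confirm each action behaves as expected, including that save and delete are refused for a view-only role. Second, keep the resource strings and the XML in sync: if a resource name passed to isAllowed() does not exist in the merged ACL, Mage_Admin_Model_Session falls back to the role's global permission, so a typo silently locks every custom role out again while full-access administrators still get in, which looks exactly like the original SUPEE-6285 symptom.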


Of course, if a 3rd party extension you use has this issue, your first port of call should be the vendor: report it so they ship a proper _isAllowed implementation, rather than patching their code locally and losing the fix on the next update.
