Blog

Fixing Magento Admin Controllers

  • Jul 10, 2015, 9:53:00 AM 
  • Magepim
  • comments
  • Magento

broken

July the 7th saw the release of Magento CE 1.9.2 and a security patch - SUPEE-6285 which fixed various security issues especially around the admin side of things.

One side effect of this was that various 3rd party extensions would not allow access to their admin pages for admin users that were assigned to a custom permissions group due to the way Magento checks whether the user has the necessary admin rights.

Many 3rd party extensions did not implement the _isAllowed method on their admin controllers which meant that it would use the base class Mage_Adminhtml_Controller_Action _isAllowed method which simply returned true.  The update to Magento changed all this and now checks whether the admin session allows access to the requested admin pages.