After installing the SUPEE-6285 patch on our Magento 1.7.0.2 store the system is showing an "Access Denied" error when attempting to access all custom modules for users who have selective permissions (not all permissions). Screenshot below.
The user permissions are properly set in Role Resources and we have re-applied the permission settings to ensure these are set.
The problem has been reproduced across multiple custom extensions so it isn't just a single extension that isn't working.
I have logged out/in, cleared the cache and confirmed that the compiler is disabled.
Can anyone suggest how to troubleshoot this?
Best Answer
As written here:
If you use restricted admin accounts, some menus of third party extensions might not work anymore for them. The reason is that the default return value of Mage_Adminhtml_Controller_Action::_isAllowed() has been changed from true to Mage::getSingleton('admin/session')->isAllowed('admin'). Extensions that do not override this method in their admin controllers because they don't use the ACL, now need the "ALL" privilege.

The only solution is to patch the extensions and add this method to all their admin controllers:
Or if they actually have an ACL resource defined in etc/adminhtml.xml:

How to determine the resource identifier
This is what an adminhtml.xml might look like:

Take the node names below acl/resources/admin/children, skipping following children nodes.

How to create missing resource identifiers
If there is only a <menu> definition but no <acl> definition, you can also define your own (it does not have to be within the same module, so no 3rd party files have to be modified):

Copy everything below menu to acl/resources/admin/children and remove the <action> nodes.

Automatic fix
There is a good command line tool by SupportDesk.nu at https://gist.github.com/raybogman/eec47237b8ef0d4dd0fd
It handles most missing _isAllowed() calls quite well but will result in broken code with obfuscated or encrypted source files, so you still should check the results manually.
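
The two adminhtml.xml rules described in the answer above, worked through as an added example (this is not code from the answer or from the linked tool). It derives the resource identifier that a controller's _isAllowed() override would pass to Mage::getSingleton('admin/session')->isAllowed(), and builds the missing <acl> tree from a <menu> definition. The module and node names (acme, orders_export) are constructed for illustration.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample: a hypothetical extension's adminhtml.xml with <menu> but no <acl>.
SAMPLE = """<config>
  <menu>
    <acme>
      <title>Acme</title>
      <children>
        <orders_export>
          <title>Orders Export</title>
          <action>adminhtml/acme_export</action>
        </orders_export>
      </children>
    </acme>
  </menu>
</config>"""

def resource_ids(config):
    """Node names below acl/resources/admin/children joined by '/', skipping <children>."""
    found = []
    def walk(node, prefix):
        for item in node:
            path = prefix + [item.tag]
            found.append("/".join(path))
            kids = item.find("children")
            if kids is not None:
                walk(kids, path)
    root = config.find("acl/resources/admin/children")
    if root is not None:
        walk(root, [])
    return found

def acl_from_menu(config):
    """Copy everything below <menu> to acl/resources/admin/children, minus <action> nodes."""
    out = ET.Element("config")
    target = out
    for tag in ("acl", "resources", "admin", "children"):
        target = ET.SubElement(target, tag)
    for item in config.findall("menu/*"):
        target.append(copy.deepcopy(item))
    for parent in list(target.iter()):
        for action in parent.findall("action"):
            parent.remove(action)
    return out

if __name__ == "__main__":
    generated = acl_from_menu(ET.fromstring(SAMPLE))
    print(resource_ids(generated))
    print(ET.tostring(generated, encoding="unicode"))
```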