Magento – ACL Role Resource Default

Tags: acl, admin, adminhtml, permissions

Let's say we add some new resources to the ACL like so:

<acl>
    <resources>
        <admin>
            <children>
                <catalog>
                    <children>
                        <search>
                            <children>
                                <import translate="title">
                                    <title>Import</title>
                                </import>
                                <export translate="title">
                                    <title>Export</title>
                                </export>
                            </children>
                        </search>
                    </children>
                </catalog>
            </children>
        </admin>
    </resources>
</acl>

We then add the following around a button that appears in the SearchTerm grid:

if (Mage::getSingleton('admin/session')->isAllowed('catalog/search/import')) {
    $this->_addButton('import', array(
        'label'   => 'Import Search Terms',
        'onclick' => "setLocation('".$this->getUrl('*/*/import')."')"
    ));
}

If I then log in as a non-admin user, I would really have thought that the expected behavior would be no button visible, since I haven't explicitly given the users role the resource. As it turns out though, the default return value of isAllowed appears to be true. To compound matters, when you go and view the resources for that role, the checkbox will not appear ticked.

I can resolve the 'issue' by clicking through each role and clicking save, but this is a PITA to do especially across live / stage / dev environments. Is there any easy way to auto deny this resource from each role via code? I don't mind adding a migration script if required. I had a quick look at what happens in the same action. Presumably, I could do this by loading all roles, looping through them and performing similar logic to Mage_Admin_Model_Resource_Rules::saveRel inserting the rows into the table. But this code appears to assume that all resources are posted, which would mean in order to invoke it directly I'd need to work out what format I need to pass it data in and possibly load existing resource too.
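One way to do the bulk "re-save every role" the question sketches, as an added example that is not code from the question or the answer. It reuses the same path the role-save action takes (Mage_Admin_Model_Rules::saveRel writes an allow/deny row for every ACL resource based on the list it is handed), so resources a role never had, including the new import/export ones, end up with explicit deny rows. Assumes a Magento 1.x install and that the script is run from the Magento root with a bootstrap via app/Mage.php; the function name and the echo output are mine.

```php
<?php
// Added example, not part of the original question or answer.
// Re-saves each admin role with exactly the resources it already allows, so
// every other ACL resource gets an explicit 'deny' row instead of relying on
// whatever isAllowed() falls back to for an unrecorded resource.
require_once 'app/Mage.php';
Mage::app('admin');

/**
 * Rewrite the rule set of every group role ('G' rows in admin_role; 'U' rows
 * are user-to-role links) using only the resources currently marked 'allow'.
 * Returns the number of roles that were re-saved.
 */
function denyUnassignedResourcesForAllRoles()
{
    $roles = Mage::getResourceModel('admin/roles_collection')
        ->addFieldToFilter('role_type', 'G');
    $count = 0;

    foreach ($roles as $role) {
        $allowed = array();
        $rules = Mage::getResourceModel('admin/rules_collection')
            ->getByRoles($role->getId());
        foreach ($rules as $rule) {
            if ($rule->getPermission() === 'allow') {
                $allowed[] = $rule->getResourceId();
            }
        }

        if (in_array('all', $allowed)) {
            // A role stored as the single 'all' row is a full administrator;
            // saveRel() keeps that shape only when given exactly array('all').
            $allowed = array('all');
        } elseif (empty($allowed)) {
            // Assumption: mirrors what the role-save controller passes when no
            // box is ticked (explode(',', '') === array('')), which makes
            // saveRel() write a 'deny' row for every resource.
            $allowed = array('');
        }

        Mage::getModel('admin/rules')
            ->setRoleId($role->getId())
            ->setResources($allowed)
            ->saveRel();
        $count++;
        echo sprintf("Re-saved role %s (%d) with %d allowed resource(s)\n",
            $role->getRoleName(), $role->getId(), count($allowed));
    }
    return $count;
}

denyUnassignedResourcesForAllRoles();
```

Admin sessions keep the ACL they loaded at login, so users already logged in will not see the new deny rows until they log out and back in.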

Best Answer

I was not able to recreate the problem on 1.13.1.0. I used your exact code except I used it to change title of the page conditionally. I first tested this with a user logged in with all permissions and the isAllowed method returned true. I then created another role which did not have this checkbox selected but had all other boxes selected and then I logged out and logged back in with a user attached to this new role and isAllowed was returning false. You might try logging out and logging back in. If this still is not working, try clearing out your cache and sessions and logging back in.
