Magento 1.9 – How to Give Custom Access Permissions for Admin Users to an Extension

aclextensionsmagento-1.9permissionsuser-roles

I have created a admin user in magento and give certain access permissions, and i have an extension called support ticket, i gave user role access to this extension, when i logged in that particular user i am getting an error called access denied for that support ticket extension, when i login as admin it is working fine, and when i changed user role permission from custom to all, every thing is working as expected, but i need to give only this particular access permission,what can i do ?

adminhtml.xml

<?xml version="1.0"?>
<config>
    <acl>
        <resources>
            <admin>
                <children>
                    <system>
                        <children>
                            <config>
                                <children>
                                    <support_ticket_ultimate translate="title" module="supportticket">
                                        <title>Support Ticket Ultimate Section</title>
                                        <sort_order>0</sort_order>
                                    </support_ticket_ultimate>
                                </children>
                            </config>
                        </children>
                    </system>
                </children>
            </admin>
        </resources>
    </acl>
</config>

Best Answer

I want to explain a bit what @Sander Mangel said in his answer:

make sure the Adminhtml controller of the module has a _isAllowed method

Look for files like this:

/app/code/community/your/module/controllers/Adminhtml/SomeController.php

and make sure there's a method that looks like this inside every admin controller:

protected function _isAllowed()
{
    return Mage::getSingleton('admin/session')->isAllowed('your_module/resource_you_need');
}

A recent security patch makes it so that controllers without the _isAllowed method do not work. That answer also says that this works if the module has implemented ACL in etc/adminhtml.xml and since you say you added the appropiate permission to the user role, it sounds like yours does. In case it doesn't, just return true; from the method, but this allows access to any admin user.

Related Solutions

Magento 1 – Custom Module Access Denied (ACL Problem)

I have a hunch you have in your admin controller a method called _isAllowed.
If that's true, I think it returns the wrong thing.
It should look like this:

protected function _isAllowed()
{
    return Mage::getSingleton('admin/session')->isAllowed('erp/stock_management/firtal_deadstock');  
    //or at least
    //return Mage::getSingleton('admin/session')->isAllowed('erp/stock_management');  

}

Magento – Access Denied Errors After Installing SUPEE-6285

As written here:

If you use restricted admin accounts, some menus of third party extensions might not work anymore for them. The reason is that the default return value of Mage_Adminhtml_Controller_Action::_isAllowed() has been changed from true to Mage::getSingleton('admin/session')->isAllowed('admin'). Extensions that do not override this method in their admin controllers because they don't use the ACL, now need the "ALL" privilege.

The only solution is to patch the extensions and add this method to all their admin controllers:

protected function _isAllowed()
{
    return true;
}

Or if they actually have an ACL resource defined in etc/adminhtml.xml:

protected function _isAllowed()
{
    return Mage::getSingleton('admin/session')->isAllowed('ENTER RESOURCE IDENTIFIER HERE');
}

How to determine the resource identifier

This is how an adminhtml.xml might look like:

Mage_Setup example (acl)

Take the node names below acl/resources/admin/children, skipping following children nodes.

How to create missing resource identifiers

If there is only a <menu> definition but no <acl> definition, you can also define your own (it does not have to be within the same module, so no 3rd party files have to be modified)::

Mage_Setup example (menu)

Copy everything below menu to acl/resources/admin/children and remove the <action> nodes.

Automatic fix

There is a good command line tool by SupportDesk.nu at https://gist.github.com/raybogman/eec47237b8ef0d4dd0fd

It handles most missing _isAllowed() calls quite well but will result in broken code with obfuscated or encrypted source files, so you still should check the results manually.