Is Overriding _isAllowed Necessary in Admin Controller?

Tags: acl, admin-controller, adminhtml, magento-1, security

The _isAllowed method is where you, as an Admin Panel programmer,
should place your ACL checks. As you can see, by default, this method
returns true. That means if you don’t define your own _isAllowed
method your Admin Panel features will be open to any user with an
Admin Panel account, and people using your code will have no way to
restrict access to your features. This may not be a problem, but it’s
definitely something you should be aware of.

Source: http://alanstorm.com/magento_acl_authentication

Without overriding _isAllowed (so it always returns true, as inherited from the parent class), I tried with another account whose role doesn't have that resource checked in Permissions -> Roles.

Using that account, I cannot see that resource in the admin menu. Also when trying to access that resource by modifying the URL, I got redirected to Dashboard.

So it seems pretty secure to me, just wondering what the reason is (if any) that we had better override that _isAllowed function?

Best Answer

Visibility in the admin menu is not determined by the controller and its _isAllowed method but directly by the ACL. If you want the menu to be always visible and not controlled by the ACL, don't define it in your module's adminhtml.xml.

The redirect to the dashboard if you enter the URL manually probably comes from a missing/wrong key parameter, which prevents hotlinking of admin URLs if the following setting is enabled:

admin/security/use_form_key


Side note: Since Magento 1.9.2 (and for all previous versions that have the SUPEE-6285 security patch applied), the following is not true anymore:

As you can see, by default, this method returns true. That means if you don’t define your own _isAllowed method your Admin Panel features will be open to any user with an Admin Panel account, and people using your code will have no way to restrict access to your features

The default now is that it only returns true if the user has Full Admin Access. That means, if you don't override _isAllowed(), your menu is not accessible for any restricted user.

The idea behind this change is to fail secure instead of fail safe, i.e. prefer to err in favor of security.
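As an added example (not code from the original question, the answer, or Magento itself), here is what an explicit _isAllowed() override looks like in a Magento 1 admin controller, together with the adminhtml.xml ACL fragment it depends on. The module name Example_Acme, the controller, and the resource path acme/items with its child resources save and delete are all hypothetical. It goes slightly beyond the text by mapping individual actions to finer-grained ACL resources, so a role can be allowed to view items but not delete them.

```php
<?php
/**
 * Hypothetical admin controller for a module named Example_Acme.
 *
 * The ACL resources it checks are assumed to be declared in the module's
 * etc/adminhtml.xml, for example (resource path prefix "admin/" is implied):
 *
 *   <config>
 *     <acl>
 *       <resources>
 *         <admin>
 *           <children>
 *             <acme translate="title" module="acme">
 *               <title>Acme</title>
 *               <children>
 *                 <items translate="title" module="acme">
 *                   <title>Items</title>
 *                   <children>
 *                     <save><title>Save items</title></save>
 *                     <delete><title>Delete items</title></delete>
 *                   </children>
 *                 </items>
 *               </children>
 *             </acme>
 *           </children>
 *         </admin>
 *       </resources>
 *     </acl>
 *   </config>
 */
class Example_Acme_Adminhtml_AcmeController extends Mage_Adminhtml_Controller_Action
{
    public function indexAction()
    {
        $this->loadLayout();
        $this->_setActiveMenu('acme/items');
        $this->renderLayout();
    }

    public function editAction()
    {
        $this->loadLayout();
        $this->renderLayout();
    }

    public function saveAction()
    {
        // ... persist the posted item, then return to the grid
        $this->_redirect('*/*/');
    }

    public function deleteAction()
    {
        // ... delete the requested item, then return to the grid
        $this->_redirect('*/*/');
    }

    /**
     * Map each action to the ACL resource it requires.
     *
     * Mage_Admin_Model_Session::isAllowed() prepends "admin/" to the given
     * path, so 'acme/items/delete' is the <delete> node declared above.
     * Unknown actions fall through to the coarsest resource for this
     * controller rather than to "true", so a newly added action never
     * becomes reachable by accident.
     */
    protected function _isAllowed()
    {
        $session = Mage::getSingleton('admin/session');

        switch ($this->getRequest()->getActionName()) {
            case 'delete':
            case 'massDelete':
                return $session->isAllowed('acme/items/delete');
            case 'new':
            case 'edit':
            case 'save':
                return $session->isAllowed('acme/items/save');
            default:
                return $session->isAllowed('acme/items');
        }
    }
}
```

When _isAllowed() returns false, Mage_Adminhtml_Controller_Action::preDispatch() forwards the request to the denied action instead of dispatching it, independently of whether the menu entry was visible or whether the URL carried a valid secret key. That is the check the questioner's manual-URL test was not exercising: with admin/security/use_form_key enabled, a URL typed without the key parameter is rejected before the ACL is ever consulted, so the redirect to the dashboard says nothing about the controller's own authorization.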
