As written here:
If you use restricted admin accounts, some menus of third party extensions might not work anymore for them. The reason is that the default return value of Mage_Adminhtml_Controller_Action::_isAllowed()
has been changed from true
to Mage::getSingleton('admin/session')->isAllowed('admin')
. Extensions that do not override this method in their admin controllers because they don't use the ACL, now need the "ALL" privilege.
The only solution is to patch the extensions and add this method to all their admin controllers:
protected function _isAllowed()
{
return true;
}
Or if they actually have an ACL resource defined in etc/adminhtml.xml
:
protected function _isAllowed()
{
return Mage::getSingleton('admin/session')->isAllowed('ENTER RESOURCE IDENTIFIER HERE');
}
How to determine the resource identifier
This is how an adminhtml.xml
might look like:
Take the node names below acl/resources/admin/children
, skipping following children
nodes.
How to create missing resource identifiers
If there is only a <menu>
definition but no <acl>
definition, you can also define your own (it does not have to be within the same module, so no 3rd party files have to be modified)::
Copy everything below menu
to acl/resources/admin/children
and remove the <action>
nodes.
Automatic fix
There is a good command line tool by SupportDesk.nu at https://gist.github.com/raybogman/eec47237b8ef0d4dd0fd
It handles most missing _isAllowed()
calls quite well but will result in broken code with obfuscated or encrypted source files, so you still should check the results manually.
Looks like it's a 2.4.3 issue with sessions.
Github issue: https://github.com/magento/magento2/issues/33748
After setting security sessions to 0 the issue stopped.
Stores->Configuration->Advanced->System->Max Session Size in Admin
Stores->Configuration->Advanced->System->Max Session Size in Storefront
or
bin/magento config:set system/security/max_session_size_admin 2592000
bin/magento config:set system/security/max_session_size_storefront 2592000
Not sure if this is a full solution yet. Hopefully they come up with a better solution than just setting the value to 0.
UPDATE:
Another solution is to change disable_locking in your redis session settings:
'disable_locking' => '0', to 'disable_locking' => '1'
Best Answer
I had the same strange issue, but in my case the bug appeared because of the usage such file
\view\adminhtml\layout\adminhtml_system_config_edit.xml
in my custom module:It is an old fix for the WYSIWYG editor and it worked fine before Magento 2.4.3.