Magento – Access Denied errors after installing SUPEE-6285

After installing the SUPEE-6285 patch on our Magento store the system is showing an "Access Denied" error when attempting to access all custom modules for users who have selective permissions (not all permissions). Screenshot below.

enter image description here





If you use restricted admin accounts, some menus of third party extensions might not work anymore for them. The reason is that the default return value of Mage_Adminhtml_Controller_Action::_isAllowed() has been changed from true to Mage::getSingleton('admin/session')->isAllowed('admin'). Extensions that do not override this method in their admin controllers because they don't use the ACL, now need the "ALL"privilege.

The only solution is to patch the extensions and add this method to all their admin controllers:

protected function _isAllowed()
    return true;

Or if they actually have an ACL resource defined in etc/adminhtml.xml:

protected function _isAllowed()
    return Mage::getSingleton('admin/session')->isAllowed('ENTER RESOURCE IDENTIFIER HERE');

How to determine the resource identifier

This is how an adminhtml.xml might look like:

Mage_Setup example (acl)

Take the node names below acl/resources/admin/children, skipping following childrennodes.

How to create missing resource identifiers

If there is only a <menu> definition but no <acl> definition, you can also define your own (it does not have to be within the same module, so no 3rd party files have to be modified)::

Mage_Setup example (menu)

Copy everything below menu to acl/resources/admin/children and remove the <action>nodes.


No comments yet.

Leave a Reply