New upgrade could break 3rd party modules if they don't check on ACL
Sherrie, it would be good to notify people upgrading that it could break a few 3rd party modules due to the changes to the Mage_Adminhtml_Controller_Action protected _isAllowed method. If the modules extending that class don't reimplement the method and do proper checking on the ACL like they should, they will be blocked out of that module unless they are admin users because of the default code:
protected function _isAllowed() { - return true; + return Mage::getSingleton('admin/session')->isAllowed('admin'); }
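Review bot: the new return value in _isAllowed() checks the top-level 'admin' resource, and nothing in the method tells subclass authors that they are now expected to override it. Any controller that extends this class without its own _isAllowed() inherits this check, so a role that lacks 'admin' is denied. Suggest a docblock on the method stating that each extending controller must override it and test its own ACL resource through Mage::getSingleton('admin/session')->isAllowed(...).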
I wasn't sure where to bring up this concern, but I hope it gets to your team and informs customers of possible issues if they are using a module that isn't properly coded (which there might be a few out there.)
Re: SUPEE-6285 - 1.4.1 / 1.5
Thanks for the heads up @zenenjaimes!
Developer Relations, Adobe Experience Cloud
Re: New upgrade could break 3rd party modules if they don't check on ACL
We noticed the same issue also - quite a few third party plugins do not implement this, which generates the "Access Denied" message for any admin users with custom access levels.
We noticed in the latest patch (6285) that it updates this section in quite a few of the core Magento modules.
I would agree that a strong warning is needed - quite a few sites rely on these 3rd party extensions that may not have this implemented.
Re: New upgrade could break 3rd party modules if they don't check on ACL
Snip..
Re: New upgrade could break 3rd party modules if they don't check on ACL
I only found one occurrence of this string, in the file
/var/www/app/code/core/Mage/Adminhtml/Controller/Action.php
When I change the line back to "return true;" the users with custom permissions can work again.
Can I/should I do that, or will bad things happen if I do?
Re: New upgrade could break 3rd party modules if they don't check on ACL
Thanks for this. I applied the latest patch today and had exactly the same problem. Time to go through all our third party extensions!
Magepim Ecommerce Services
Re: New upgrade could break 3rd party modules if they don't check on ACL
Had the same problem, solved it the same way.
In 1.8.1 version.
Search for the code:
->isAllowed('admin')
It doesn't appear in any other file.
Re: New upgrade could break 3rd party modules if they don't check on ACL
I would not recommend reverting that fix on the base Mage_Adminhtml_Controller_Action class though. Instead, make sure to properly fix all the modules you've written and hope that the authors of 3rd party modules do the same.
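For anyone going through their extensions as suggested above, here is an added example (not code from the thread or from Magento) that audits controller sources for classes descending from Mage_Adminhtml_Controller_Action and reports whether each one inherits the patched default, overrides _isAllowed() without an ACL check, or overrides it with one. The Acme_* class names and the 'catalog/acme_feed' resource are constructed; it assumes one class per file and a one-line _isAllowed() body.

```python
import re

BASE = "Mage_Adminhtml_Controller_Action"
CLASS_RE = re.compile(r"class\s+(\w+)\s+extends\s+(\w+)")
# Matches a brace-free _isAllowed() body, which covers the usual one-line form.
METHOD_RE = re.compile(r"function\s+_isAllowed\s*\(\s*\)\s*\{([^{}]*)\}")

def audit(sources):
    """Map each admin controller class in {path: php_source} to a finding."""
    classes = {}  # class name -> (parent name, _isAllowed body or None)
    for text in sources.values():
        cls = CLASS_RE.search(text)  # assumes one class per file
        if cls:
            method = METHOD_RE.search(text)
            classes[cls.group(1)] = (cls.group(2), method.group(1) if method else None)
    findings = {}
    for name in classes:
        chain, cur = [], name
        while cur in classes and cur not in chain:  # walk up the scanned parents
            chain.append(cur)
            cur = classes[cur][0]
        if cur != BASE:
            continue  # does not descend from the patched base class
        body = next((classes[c][1] for c in chain if classes[c][1] is not None), None)
        if body is None:
            findings[name] = "inherits-default"  # denied unless the role has 'admin'
        elif "isAllowed(" in body:
            findings[name] = "acl-checked"
        else:
            findings[name] = "no-acl-check"  # e.g. the old 'return true;'
    return findings

# Constructed sample modules (hypothetical Acme_* names, not from the thread).
SAMPLE = {
    "ReportController.php": "<?php class Acme_Reports_Adminhtml_ReportController extends "
        "Mage_Adminhtml_Controller_Action { public function indexAction() {} }",
    "ExportController.php": "<?php class Acme_Reports_Adminhtml_ExportController extends "
        "Acme_Reports_Adminhtml_ReportController { public function csvAction() {} }",
    "FeedController.php": "<?php class Acme_Feed_Adminhtml_FeedController extends "
        "Mage_Adminhtml_Controller_Action { protected function _isAllowed() { return "
        "Mage::getSingleton('admin/session')->isAllowed('catalog/acme_feed'); } }",
    "LegacyController.php": "<?php class Acme_Legacy_Adminhtml_ToolController extends "
        "Mage_Adminhtml_Controller_Action { protected function _isAllowed() { return true; } }",
    "Data.php": "<?php class Acme_Feed_Helper_Data extends Mage_Core_Helper_Abstract {}",
}

if __name__ == "__main__":
    for cls, finding in sorted(audit(SAMPLE).items()):
        print(f"{finding:18} {cls}")
```

Classes reported as inherits-default are the ones that show the denial for restricted roles after the patch; no-acl-check overrides keep working but grant the controller to every admin user regardless of role.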