New upgrade could break 3rd party modules if they don't check on ACL

Sherrie, it would be good to notify people upgrading that it could break a few 3rd party modules due to the changes to the Mage_Adminhtml_Controller_Action protected _isAllowed method. If the modules extending that class don't reimplement the method and do proper checking on the ACL like they should, they will be blocked out of that module unless they are admin users because of the default code:

 

     protected function _isAllowed()
     {
-        return true;
+        return Mage::getSingleton('admin/session')->isAllowed('admin');
     }
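
Review bot: on the `+` line the inherited default becomes `isAllowed('admin')`, so every controller that extends this class without overriding `_isAllowed()` now depends on the session being allowed the top-level `admin` resource instead of a resource of its own. Add a docblock on the method stating that subclasses are expected to override it with their module's ACL resource, and call the behaviour change out in the patch notes so module authors know to audit their controllers.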

I wasn't sure where to bring up this concern, but I hope it gets to your team and informs customers of possible issues if they are using a module that isn't properly coded (which there might be a few out there.)

Re: SUPEE-6285 - 1.4.1 / 1.5

Thanks for the heads up @zenenjaimes!

--

Developer Relations, Adobe Experience Cloud

Re: New upgrade could break 3rd party modules if they don't check on ACL

We noticed the same issue also - quite a few third party plugins do not implement this, which generates the "Access Denied" message for any admin users with custom access levels.

 

We noticed in the latest patch (6285) that it updates this section in quite a few of the core Magento modules. 

 

I would agree that a strong warning is needed - quite a few sites rely on these 3rd party extensions that may not have this implemented.

Re: New upgrade could break 3rd party modules if they don't check on ACL

Snip..

Re: New upgrade could break 3rd party modules if they don't check on ACL

I only found one occurrence of this string, in the file

/var/www/app/code/core/Mage/Adminhtml/Controller/Action.php

 

When I change the line back to "return true;" the users with custom permissions can work again.

 

Can I/should I do that, or will bad things happen if I do?

 

Re: New upgrade could break 3rd party modules if they don't check on ACL

Thanks for this.  I applied the latest patch today and had exactly the same problem.  Time to go through all our third party extensions!

Richard Cleverley
Magepim Ecommerce Services

Re: New upgrade could break 3rd party modules if they don't check on ACL

Had the same problem, solved it the same way.

In 1.8.1 version.
Search for the code:

->isAllowed('admin')

It doesn't appear in any other file.

Re: New upgrade could break 3rd party modules if they don't check on ACL

I would not recommend reverting that fix on the base Mage_Adminhtml_Controller_Action class though. Instead, make sure to properly fix all the modules you've written and hope that the authors of 3rd party modules do the same.
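
For anyone auditing their extensions as suggested above, here is an added example (not part of the thread and not Magento code): a heuristic Python scan that lists controllers directly extending Mage_Adminhtml_Controller_Action without declaring their own `_isAllowed()`. The `Acme_*` module names and the `report/acme` ACL path are constructed sample data; controllers that inherit through an intermediate class are not covered by this check.

```python
import os
import re
import tempfile

# A class directly extending the base admin controller, and any _isAllowed() declaration.
EXTENDS_RE = re.compile(r"class\s+(\w+)\s+extends\s+Mage_Adminhtml_Controller_Action\b", re.I)
OVERRIDE_RE = re.compile(r"function\s+_isAllowed\s*\(", re.I)

def strip_comments(php_source):
    """Remove /* */ and // comments so a commented-out override is not counted."""
    no_block = re.sub(r"/\*.*?\*/", "", php_source, flags=re.S)
    return re.sub(r"//.*", "", no_block)

def find_unguarded_controllers(root):
    """Return sorted (relative path, class) pairs that inherit the default check."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                source = strip_comments(handle.read())
            match = EXTENDS_RE.search(source)
            if match and not OVERRIDE_RE.search(source):
                findings.append((os.path.relpath(path, root), match.group(1)))
    return sorted(findings)

# Constructed sample controllers; module names and the ACL path are hypothetical.
SAMPLES = {
    "Acme/Report/controllers/Adminhtml/ReportController.php": """<?php
class Acme_Report_Adminhtml_ReportController extends Mage_Adminhtml_Controller_Action {
    protected function _isAllowed() { return Mage::getSingleton('admin/session')->isAllowed('report/acme'); }
}""",
    "Acme/Feed/controllers/Adminhtml/FeedController.php": """<?php
class Acme_Feed_Adminhtml_FeedController extends Mage_Adminhtml_Controller_Action {
    // protected function _isAllowed() { return true; }
    public function indexAction() {}
}""",
}

def build_sample_tree(root):
    for rel, body in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_unguarded_controllers(tmp))
```

Point `find_unguarded_controllers()` at `app/code/local` and `app/code/community` to get the list of controllers to review by hand.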