Sherrie, it would be good to notify people upgrading that it could break a few 3rd party modules due to the changes to the Mage_Adminhtml_Controller_Action protected _isAllowed method. If the modules extending that class don't reimplement the method and do proper checking on the ACL like they should, they will be blocked out of that module unless they are admin users because of the default code:
protected function _isAllowed() { - return true; + return Mage::getSingleton('admin/session')->isAllowed('admin'); }
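Review bot: on the `+` line the base-class default now checks the `admin` resource, so any controller that inherits `_isAllowed()` without overriding it starts denying roles with custom permissions, and nothing in the hunk documents that. Add a docblock on `_isAllowed()` stating that subclasses must override it and check their own ACL resource, and call the behaviour change out in the upgrade notes.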
I wasn't sure where to bring up this concern, but I hope it gets to your team and informs customers of possible issues if they are using a module that isn't properly coded (which there might be a few out there.)
Thanks for the heads up @zenenjaimes!
We noticed the same issue also - quite a few third party plugins do not implement this which generates the "Access Denied" message for any admin users with custom access levels.
We noticed in the latest patch (6285) that it updates this section in quite a few of the core Magento modules.
I would agree that a strong warning is needed - quite a few sites rely on these 3rd party extensions that may not have this implemented.
Snip..
I only found one occurrence of this string, in the file
/var/www/app/code/core/Mage/Adminhtml/Controller/Action.php
When I change the line back to "return true;" the users with custom permissions can work again.
Can I/should I do that or will bad things happen if I do?
Thanks for this. I applied the latest patch today and had exactly the same problem. Time to go through all our third party extensions!
Had the same problem, solved it the same way.
In 1.8.1 version.
Search for the code:
->isAllowed('admin')
It doesn't appear in any other file.
I would not recommend reverting that fix on the base Mage_Adminhtml_Controller_Action class though. Instead, make sure to properly fix all the modules you've written and hope that the authors of 3rd party modules do the same.
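To find the modules that need that fix, the following audit script lists every controller class that reaches `Mage_Adminhtml_Controller_Action` through its inheritance chain without any class on the way defining `_isAllowed()`. It is an added example, not code from this thread or from Magento; the `Acme_*` class names and the `acme/fixed` ACL resource are constructed sample data, and it assumes the Magento 1 convention of one class per file.

```python
import os
import re
import tempfile

BASE = "Mage_Adminhtml_Controller_Action"
CLASS_RE = re.compile(r"class\s+(\w+)\s+extends\s+(\w+)")
GUARD_RE = re.compile(r"function\s+_isAllowed\s*\(")

def find_unguarded(root):
    """Return controller classes under root that inherit BASE's _isAllowed()."""
    parent, guarded = {}, set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            m = CLASS_RE.search(src)  # assumption: one class per file
            if m:
                parent[m.group(1)] = m.group(2)
                if GUARD_RE.search(src):
                    guarded.add(m.group(1))
    flagged = []
    for cls in parent:
        cur, seen = cls, set()
        # Climb the chain until an override, the base class, or an unknown parent.
        while cur != BASE and cur in parent and cur not in guarded and cur not in seen:
            seen.add(cur)
            cur = parent[cur]
        if cur == BASE and cls != BASE:
            flagged.append(cls)
    return sorted(flagged)

def demo():
    """Scan three constructed controllers (hypothetical Acme_* names)."""
    samples = {
        "Acme_A_Adminhtml_PlainController": (BASE, ""),
        "Acme_B_Adminhtml_ChildController": ("Acme_A_Adminhtml_PlainController", ""),
        "Acme_C_Adminhtml_FixedController": (BASE,
            "protected function _isAllowed() { return "
            "Mage::getSingleton('admin/session')->isAllowed('acme/fixed'); }"),
    }
    with tempfile.TemporaryDirectory() as root:
        for cls, (ext, body) in samples.items():
            with open(os.path.join(root, cls + ".php"), "w") as fh:
                fh.write("<?php\nclass %s extends %s { %s }\n" % (cls, ext, body))
        return find_unguarded(root)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The scan only checks that an override exists; an override that simply returns `true` still passes it and has to be reviewed by hand.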