Solving "Access Denied" Issue in Magento After Installing SUPEE-6285 Patch

The Problem

After installing security patch SUPEE-6285 for Magento, admin panel users with limited permissions get an "Access denied" message when trying to access certain tabs.

The issue arises when these two conditions are met:

1. The admin panel user has restricted permissions.
2. The user tries to access an admin panel tab that is part of a (custom) third-party extension.

So far, the problem has been reproduced for a wide range of third-party extensions from various providers. The issue is therefore not limited to a particular extension developer, nor does it depend on the method used to create a sub-admin role.

The Solution

A StackExchange community member, Fabian Schmengler, explains the essence of the problem very well:

The reason is that the default return value of Mage_Adminhtml_Controller_Action::_isAllowed() has been changed from true to Mage::getSingleton('admin/session')->isAllowed('admin').

The thread also offers possible solutions:

  • The first one affects all admin controllers (use it with care, since it might give certain users access to tabs they shouldn't be able to access).
  • The second one is recommended when you have access to the access control lists (ACLs) defined in etc/adminhtml.xml.

We have tested the second solution here at Aitoc, and it worked for us.
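
The second approach, sketched as an added example (not code from Aitoc or from the StackExchange thread): the extension's admin controller overrides _isAllowed() and checks its own ACL resource instead of the root 'admin' resource. The module name Acme_Reports, the file path, and the ACL node are hypothetical.

```php
<?php
/**
 * Added example; module, class and ACL names are hypothetical.
 * Assumed location:
 * app/code/community/Acme/Reports/controllers/Adminhtml/ReportsController.php
 *
 * Assumes the module's etc/adminhtml.xml declares this ACL node:
 *
 * <config><acl><resources><admin><children>
 *   <report><children>
 *     <acme_reports>
 *       <title>Acme Reports</title>
 *     </acme_reports>
 *   </children></report>
 * </children></admin></resources></acl></config>
 */
class Acme_Reports_Adminhtml_ReportsController extends Mage_Adminhtml_Controller_Action
{
    /** ACL path relative to the "admin" root, matching the XML above. */
    const ACL_RESOURCE = 'report/acme_reports';

    /**
     * Since SUPEE-6285 the parent method returns isAllowed('admin'),
     * which restricted roles fail (the "Access denied" case above).
     * Checking this controller's own resource means a restricted role
     * needs exactly this permission and gains nothing wider.
     */
    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed(self::ACL_RESOURCE);
    }

    public function indexAction()
    {
        $this->loadLayout();
        $this->renderLayout();
    }
}
```

Once the resource exists in the ACL tree, it still has to be granted to each restricted role under System > Permissions > Roles, and affected users need to log in again for the change to apply.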

Upcoming Fixes of Aitoc Extensions

We intend to make changes to all Aitoc extensions that will solve the Access Denied issues for limited-permissions users in the near future. This way, you won't have to fix anything on your part. We'll make an announcement once we do that. Stay tuned!