Solving “Access Denied” Issue in Magento After Installing SUPEE-6285 Patch

Aitoc Team

Security patch magento access denied

The Problem

After installing security patch SUPEE-6285 for Magento, admin panel users with limited permissions now get “Access denied” message when trying to access certain tabs.

Access denied in magento

The issue arises when these two conditions are met:

1. The admin panel user has restricted permissions.
2. The user tries to access an admin panel tab that is part of a (custom) third-party extension.

So far, the problem has been reproduced for a wide range of third-party extensions by various providers. Hence, one can say the issue is not limited to a particular extension developer, nor does it consist in the method one uses to create a sub-admin Role.

The Solution

A StackExchange community member, Fabian Schmengler, explains the essence of the problem very well:

The reason is that the default return value of

Mage_Adminhtml_Controller_Action::_isAllowed()

has been changed from true to

Mage::getSingleton('admin/session')->isAllowed('admin').

There are also possible solutions in the thread:

  • The first one affects all admin controllers (use it with care, since it might give certain users access to tabs they shouldn’t be able to access).
  • The second one is recommended when you have access to access control lists (ACL) defined in etc/adminhtml.xml.

We have tested the second solution here at Aitoc, and it worked for us.

Upcoming Fixes of Aitoc Extensions

We intend to make changes to all Aitoc extensions that will solve the Access Denied issues for limited-permissions users in the near future. This way, you won’t have to fix anything on your part. We’ll make an announcement once we do that. Stay tuned!

Aitoc Team
The Aitoc team is a crew of distinguished Magento developers who have so far built dozens of top-performing Magento extensions. We do custom development for Magento eCommerce and other platforms!

Comments

comments