Access Denied issue using third party extension after SUPEE 6285 installation


Magento released a new patch, SUPEE 6285, on 7th July 2015. On the same day it also launched Magento 1.9.2.0, which has all the patches already included.

There was a really annoying bug in Magento, and thank god they have launched the patch to sort it out, but the problem now is with the third-party extensions you are using on your website.

Basically, any third-party extension that introduces Adminhtml pages needs a new _isAllowed method in its controllers. It is needed to set up proper access control in the website admin area.

So any person with limited rights (less than administrator) who tries to access any third-party extension area (configuration or an extension-related feature in the admin area) will get a permission error.

Solution:

Let’s take our extension as an example. You will need to go into every Admin controller located in /app/code/local/{company_name}/{extension_name}/controllers/Adminhtml and add the following to every file (here we have taken the example of Sage Pay):

protected function _isAllowed()
{
    return Mage::getSingleton('admin/session')->isAllowed( 'sales/sagepay/path_to_acl_resource' );
}

 

For each Adminhtml controller, you’ll need to set up the correct ACL rule in its _isAllowed() method. The ACL resource path to use is defined in the extension's ACL configuration, which is in one of these files:

/app/code/local/{company_name}/{extension_name}/etc/adminhtml.xml

Or

/app/code/local/{company_name}/{extension_name}/etc/config.xml

 

Here is an example from the Sage Pay extension:

[Image: acl]

So for this case, the resource path for the dashboard would be sales/sagepay/dashboard.

This will work for all the third-party extensions you are using which are affected by SUPEE 6285.
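
As an added example (not code from this post or from any extension), the Python script below shows how the nested ACL XML maps to a resource path such as sales/sagepay/dashboard, and flags controllers that still lack _isAllowed() or pass a path the ACL does not define. The XML, the controller file names and the class names X, Y and Z are constructed for illustration and are not the real Sage Pay files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an extension's etc/adminhtml.xml (not the real Sage Pay file).
SAMPLE_ACL_XML = """<config><acl><resources><admin><children>
  <sales><children>
    <sagepay>
      <title>Sage Pay</title>
      <children><dashboard><title>Dashboard</title></dashboard></children>
    </sagepay>
  </children></sales>
</children></admin></resources></acl></config>"""

# Constructed controller sources: patched, unpatched, and one with a mistyped path.
ALLOWED = "protected function _isAllowed() { return Mage::getSingleton('admin/session')->isAllowed('%s'); }"
SAMPLE_CONTROLLERS = {
    "DashboardController.php": "class X extends Mage_Adminhtml_Controller_Action { " + ALLOWED % "sales/sagepay/dashboard" + " }",
    "PaymentController.php": "class Y extends Mage_Adminhtml_Controller_Action { public function indexAction() {} }",
    "LogsController.php": "class Z extends Mage_Adminhtml_Controller_Action { " + ALLOWED % "sales/sagepay/logz" + " }",
}

def acl_paths(xml_text):
    """Return every resource path defined under config/acl/resources/admin."""
    paths = set()
    def walk(node, prefix):
        children = node.find("children")
        for child in (children if children is not None else []):
            path = prefix + "/" + child.tag if prefix else child.tag
            paths.add(path)
            walk(child, path)
    admin = ET.fromstring(xml_text).find("acl/resources/admin")
    if admin is not None:
        walk(admin, "")
    return paths

HAS_METHOD = re.compile(r"function\s+_isAllowed\s*\(")
RESOURCE = re.compile(r"->isAllowed\(\s*['\"]([^'\"]+)['\"]")

def audit(controllers, xml_text):
    """Map file name -> problem for controllers that still need attention."""
    known, findings = acl_paths(xml_text), {}
    for name, source in controllers.items():
        if not HAS_METHOD.search(source):
            findings[name] = "missing _isAllowed()"
            continue
        # Only this extension's own ACL file is consulted; core resources would need core XML too.
        unknown = [r for r in RESOURCE.findall(source) if r not in known]
        if unknown:
            findings[name] = "resource not in ACL: " + ", ".join(unknown)
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_CONTROLLERS, SAMPLE_ACL_XML).items():
        print(name, "->", problem)
```

To audit a real extension, fill the dictionary with the contents of the files under its controllers/Adminhtml directory and pass the text of its adminhtml.xml or config.xml.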

Solution 2

Ask the extension developer to provide an updated package that supports SUPEE 6285.

 

Feel free to Contact Us any time if you need any help.

Happy Coding …

View Comments (8)
  1. I have a limited user account; he has in Role Resources > Manage Attributes Set > ON.
    But when the user wants to change a product attribute set, he gets an Access denied message.
    What to do in this case?

    1. Hello @Keretlen,

      Try this,
      Please check the AttributeController.php at app/code/core/Mage/Adminhtml/controllers/Catalog/Product/AttributeController.php

      Find the protected function at the end of the file and comment it out.

      protected function _isAllowed()
      {
          return Mage::getSingleton('admin/session')->isAllowed('catalog/attributes/attributes');
      }

  2. Yes it’s known for third-party extensions.
    But the change attribute set for a product is a built-in feature in Magento.
    So this is why I don’t understand …

  3. Just realized that the Manage Attributes Set is not a core functionality.
    I am sorry for asking a stupid question. It’s a third-party extension (Flagbit) that adds this functionality.
    So this post is usable for me. Thank you and sorry.

  4. Hi

    I want to fix this access denied problem in core, can you help me out in doing that?

    1. Hello Gayathri,

      If you are unable to solve the issue by following this post, please contact us and our technical support team will help you to look into the issue.
