Magento has released a new patch, SUPEE 6285, on 7th July 2015, they have also launched Magento 1.9.2.0 with all the patches already fixed on the same day.
There was really annoying bug in Magento, thank god they have launched the patch to sort it out, but the problem is now with third party extension you are using on your website.
Basically, any third-party extension that introduces Adminhtml pages needs a new _isAllowed method in its controllers. It is needed to set up the proper access control
in the website admin area.
So any person who is trying will try to access any third-party extension area (configuration or extension-related feature in the admin area) who has limited rights (less than administrator) will get a permission error.
Solution:
Let’s take an example of our extension, you will need to go into every Admin controller located in /app/code/local/{company_name}/{extension_name}/controllers/Adminhtml and add the following to every file: (Here we have taken the example of sage pay
protected function _isAllowed() { return Mage::getSingleton('admin/session')->isAllowed( 'sales/sagepay/path_to_acl_resource' ); }
You’ll need to go into the source for any Adminhtml controllers and set up the correct ACL rules in an _isAllowed() method
/app/code/local/{company_name}/{extension_name}/etc/adminhtml.xml
Or
/app/code/local/{company_name}/{extension_name}/etc/config.xml
Here is an example of sagepay extension,
So for this case, the resource path for the dashboard would be sales/sagepay/dashboard.
This will work for all the third-party extensions you are using which are affected by SUPEE 6285.
You’ll need to go into the source for any Adminhtml controllers and set up the correct ACL rules in an _isAllowed() method for each one
Solution 2
Ask the extension developer to provide the updated package which supports SUPEE 6285.
Feel free to Contact Us any time if you need any help.
Happy Coding …