Friday, July 10, 2015

Fix Magento Access Denied After Patch SUPEE-6285

Magento has released a critical patch (SUPEE-6285) that fixes many XSS and CSRF vulnerabilities (Official Release).

However, many third-party extensions are affected by it because their admin controllers relied on the old permissive default of _isAllowed(); after the patch they return "Access Denied" to every admin role except the Administrator.
If you can't wait for an official update of these extensions, or you have custom-made extensions, you can fix this easily yourself.

Every class or controller that inherits Mage_Adminhtml_Controller_Action must override the _isAllowed() method: the patched base implementation only grants the root 'admin' resource, which only roles with full permissions have.

For example, if your controller doesn't use ACL, you can override the method as follows (note that this grants the controller to every logged-in admin user, so only do it where there really is no permission to check):
/**
 * No ACL resource for this controller: allow any authenticated admin user.
 */
protected function _isAllowed()
{
    return true;
}

Or, if the controller is using ACL, you will have to find the ACL resource name and override the method using that ACL path:
/**
 * Check the current admin user's role against the extension's ACL resource.
 * The 'admin/' prefix is added by the session model, so the path starts
 * at the node under <admin><children>.
 */
protected function _isAllowed()
{
    return Mage::getSingleton('admin/session')->isAllowed('catalog/report_module');
}


The ACL path can be found in the extension's directory, in etc/adminhtml.xml.
For example, in the file below the ACL path catalog/report_module corresponds to the report_module node nested under admin/catalog (and the two report pages are reachable as report/report_module/first_page and report/report_module/second_page):
<acl>
    <resources>
        <admin>
            <children>
                <catalog>
                    <children>
                        <report_module translate="title" module="report_module">
                            <title>Manage Reports</title>
                            <sort_order>15</sort_order>
                        </report_module>
                    </children>
                </catalog>
                <report>
                    <children>
                        <report_module translate="title" module="report_module">
                            <title>Reports</title>
                            <sort_order>15</sort_order>
                            <children>
                                <first_page module="report_module">
                                  <title>Report1</title>
                                  <sort_order>2</sort_order>
                                </first_page>
                                <second_page module="report_module">
                                  <title>Report2</title>
                                  <sort_order>3</sort_order>
                                </second_page>
                            </children>    
                        </report_module>
                    </children>
                </report>
                <system>
                    <children>
                        <report_module translate="title" module="report_module">
                            <title>Manage Reports</title>
                            <sort_order>15</sort_order>
                        </report_module>
                    </children>
                </system>
            </children>
        </admin>
    </resources>
</acl>
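Putting the two pieces together, here is an added example (not code from the original post or from any real extension) of a complete admin controller for the hypothetical report_module extension above. The class name, action names and URL layout are assumptions; the ACL paths are the ones declared in the adminhtml.xml shown. It goes a step further than the single-resource override above by mapping each action to the ACL node that actually describes it, which is the same pattern Magento's own core admin controllers use.

```php
<?php
/**
 * Added example controller (hypothetical Vendor_ReportModule extension).
 * Routed, in this assumed layout, as /admin/report/<action>.
 */
class Vendor_ReportModule_Adminhtml_ReportController extends Mage_Adminhtml_Controller_Action
{
    // Grid of all reports; gated by catalog/report_module below.
    public function indexAction()
    {
        $this->loadLayout();
        $this->renderLayout();
    }

    // Report1 page; gated by report/report_module/first_page.
    public function firstAction()
    {
        $this->loadLayout();
        $this->renderLayout();
    }

    // Report2 page; gated by report/report_module/second_page.
    public function secondAction()
    {
        $this->loadLayout();
        $this->renderLayout();
    }

    /**
     * Called from Mage_Adminhtml_Controller_Action::preDispatch() before the
     * action method runs; a false result forwards the request to 'denied'.
     * After SUPEE-6285 the inherited version only allows the root 'admin'
     * resource, so the controller has to say which node it belongs to.
     * getActionName() returns the action segment of the URL ('first',
     * 'second', 'index', ...), and isAllowed() prepends 'admin/' itself.
     */
    protected function _isAllowed()
    {
        $session = Mage::getSingleton('admin/session');

        switch ($this->getRequest()->getActionName()) {
            case 'first':
                return $session->isAllowed('report/report_module/first_page');
            case 'second':
                return $session->isAllowed('report/report_module/second_page');
            default:
                // index and any other action fall under the management node.
                return $session->isAllowed('catalog/report_module');
        }
    }
}
```

With this in place a role that has only "Reports > Report1" ticked can open the first page but gets "Access Denied" on the grid and on Report2, which is exactly what the adminhtml.xml tree promises the administrator who configures the role.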
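To find out which extensions on a store are hit by the patch before users start reporting "Access Denied", the following added PHP CLI script (not part of the original post) walks a code directory and lists admin controllers that still inherit the base _isAllowed(). The check is a plain source scan, so it only catches classes that extend Mage_Adminhtml_Controller_Action by name; a controller that extends a vendor base class which in turn extends it is not reported and needs a manual look. The two sample controllers it writes into a temporary directory are constructed for the demo; on a real store point it at app/code/local and app/code/community instead.

```php
<?php
/**
 * Added audit script: report admin controllers without their own _isAllowed().
 */

/**
 * Recursively scan $dir and return the paths of *Controller.php files that
 * extend Mage_Adminhtml_Controller_Action and do not define _isAllowed().
 */
function findControllersMissingIsAllowed($dir)
{
    $missing = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (substr($file->getFilename(), -14) !== 'Controller.php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        // Front-end controllers are not gated by _isAllowed(); skip them.
        if (!preg_match('/extends\s+Mage_Adminhtml_Controller_Action\b/', $src)) {
            continue;
        }
        if (!preg_match('/function\s+_isAllowed\s*\(/', $src)) {
            $missing[] = $file->getPathname();
        }
    }
    sort($missing);
    return $missing;
}

// --- Constructed sample input for a self-contained run ---------------------
$root = sys_get_temp_dir() . '/supee6285_audit_' . getmypid();
$dirs = array(
    "$root/Vendor/Broken/controllers/Adminhtml",
    "$root/Vendor/Fixed/controllers/Adminhtml",
);
foreach ($dirs as $d) {
    mkdir($d, 0700, true);
}

// Relies on the old default: will be denied for non-Administrator roles.
file_put_contents("$dirs[0]/ReportController.php", <<<'PHP'
<?php
class Vendor_Broken_Adminhtml_ReportController extends Mage_Adminhtml_Controller_Action
{
    public function indexAction() { $this->loadLayout(); $this->renderLayout(); }
}
PHP
);

// Already overrides _isAllowed() with its ACL path.
file_put_contents("$dirs[1]/ReportController.php", <<<'PHP'
<?php
class Vendor_Fixed_Adminhtml_ReportController extends Mage_Adminhtml_Controller_Action
{
    public function indexAction() { $this->loadLayout(); $this->renderLayout(); }
    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed('catalog/report_module');
    }
}
PHP
);

foreach (findControllersMissingIsAllowed($root) as $path) {
    echo "Missing _isAllowed(): $path\n";
}
// Only Vendor/Broken/.../ReportController.php is printed.
```

Every path the script prints needs one of the two overrides described above; the ACL path for it comes from the same extension's etc/adminhtml.xml.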