4

I recently applied Magento patch SUPEE-6285 and now I am having some permissions issues for non-admin users. Certain sections of the admin that were accessible to limited users are no longer accessible. If I look at the role resources for the role, I see that the section is enabled, and when logged into that role I see the menu option, but if I pick it I get Access Denied. The 3 extensions I know of so far that are giving me trouble are

  1. Commerce Themes - Guest To Registered Customer
    • They add "Manage Guest To Reg" under the "Customers" menu
  2. Adjustware - Abandoned Cart Alerts
    • They add menu items under Newsletter
  3. Adjustware - Review Reminders
    • They add menu items under Newsletter

I'm sure there are other extensions with similar problems, and it's likely due to how they implemented their admin pages, but I haven't been able to figure it out yet. Anyone have a fix?

UPDATE: I tried changing how the router was defined, but it didn't help.

WAS:

<!-- config.xml: the extension registers its own admin router under its own frontName -->
<admin>
    <routers>
        <GuestToReg>
            <use>admin</use>
            <args>
                <module>CommerceThemes_GuestToReg</module>
                <frontName>GuestToReg</frontName>
            </args>
        </GuestToReg>
    </routers>
</admin>

CHANGED TO:

<!-- config.xml: the extension's Adminhtml controllers are attached to the core adminhtml router instead -->
<admin>
    <routers>
        <adminhtml>
            <args>
                <modules>
                    <GuestToReg after="Mage_Adminhtml">CommerceThemes_GuestToReg_Adminhtml</GuestToReg>
                </modules>
            </args>
        </adminhtml>
    </routers>
</admin>
Mageician
    Also answered over in Magento.StackExchange, See for additional info => http://magento.stackexchange.com/questions/73646/access-denied-errors-after-installing-supee-6285 and for this and other changes, http://magento.stackexchange.com/questions/73481/supee-6285-patch-what-has-been-changed/73631#73631 – Fiasco Labs Jul 09 '15 at 04:34
  • Thanks, @FiascoLabs, I wasn't able to find those before posting. – Mageician Jul 09 '15 at 15:31
  • You're welcome! Had to apply the fix to one module used by order entry so its mass action would not pop the "Access Denied" message and came across those first so I thought I'd link over to here so there would be more info. – Fiasco Labs Jul 10 '15 at 02:05

4 Answers

3

Thanks to Ron V, I was able to find the full answer that enables the menu only for those with permission.

Given the following adminhtml.xml file:

<config>
    <!-- etc/adminhtml.xml: the resource path is built from the tag names below admin/children,
         so the resource declared here is path_to/acl_resource -->
    <acl>
        <resources>
            <admin>
                <children>
                    <path_to>
                        <children>
                            <acl_resource>
                                <title>My ACL Resource</title>
                            </acl_resource>
                        </children>
                    </path_to>
                </children>
            </admin>
        </resources>
    </acl>
</config>

You can extract the resource path to pass to isAllowed() to determine if this menu should be shown to this user.

// In the extension's Adminhtml controller: only roles granted this ACL resource pass
protected function _isAllowed(){
    return Mage::getSingleton('admin/session')->isAllowed('path_to/acl_resource');
}
Mageician
1

You can see a complete explication and resolution of this problem at the following link: Solution to the problem of permissions for non-administrators in modules after applying the patch 6285_CE_1.9.1.1 or upgrade to Magento 1.9.2.

When we update or patch our Magento installation, it applies a small change in the way Magento behaves regarding modules. Previously, Magento responded by default with true to the _isAllowed() method of the module's controller if that function did not exist. In version 1.9.2, or when we patch a previous version, it no longer behaves this way, so users without administrator access no longer have access to the installed modules.

To recover access to the module by non-administrators, we simply add the function to the corresponding controller.

// Restores the pre-patch behaviour: every logged-in admin user passes, whatever their role
protected function _isAllowed()
{
    return true;
}
Jesús Amieiro
  • That's a good explanation of the problem, but once again a dangerous solution. See my accepted answer above. It's the same basic idea, but you should use the ACL path to allow access only to users who SHOULD have access. By returning true regardless you open it up to anyone and effectively nullify the security update. – Mageician Jul 13 '15 at 13:28
1

BrianVPS gets at the gist of the 'best practices' answer, but that exact snippet, of course, needs to be modified for each module and/or controller based on the intended use.

Some modules do not have a specific permission for their page, in which case, barring adding a new permission path to the ACL yourself, your only option is to return true.

However, if an acl permission path does exist and is in use (which they often are to determine if the page is drawn in the admin menu bar), you have to locate that permission path and replace the example string in the isAllowed function.

For example, in the CommerceThemes/GuestToReg code, under etc/adminhtml.xml you can find the defined acl paths.

<acl>
    <resources>
        <admin>
            <children>
                <customer>
                    <children>
                        <guesttoreg_adminform>
                        </guesttoreg_adminform>
                    </children>
                </customer>
            </children>
        </admin>
    </resources>
</acl>

Based on these paths, the proper permission to set access to the page should be:

// customer/guesttoreg_adminform is the path of the resource declared above under admin/children
protected function _isAllowed() {
    return Mage::getSingleton('admin/session')->isAllowed('customer/guesttoreg_adminform');
}

placed in the admin controller file: app/code/local/CommerceThemes/GuestToReg/controllers/Adminhtml/GuestToRegFormController.php
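The accepted answer and this one come down to the same two checks: find the ACL resource path an extension declares in its adminhtml.xml, and make sure the controller's _isAllowed() uses that path rather than returning true. The script below is an added example written for this page (it is not code from Magento, CommerceThemes or Adjustware) that automates both checks: it walks acl/resources/admin/children to list every resource path in the slash form isAllowed() expects, then scans controller source for _isAllowed() and classifies it as missing, open (return true), acl, or acl-undeclared (a path the extension never declares, which is what a typo in the string looks like). The adminhtml.xml and the controller sources embedded in it are constructed for the example; the newsletter/abandoned_cart_alerts node, the class names in the samples and all Python-side names are assumptions, not taken from the real extensions.

```python
"""Audit Magento 1 admin controllers for post-SUPEE-6285 _isAllowed() handling.

Added example for this page, not Magento, CommerceThemes or Adjustware code.
Every input below is constructed; 'newsletter/abandoned_cart_alerts' is an
assumed node name, not taken from the real extension.
"""
import re
import xml.etree.ElementTree as ET

# Constructed adminhtml.xml, modelled on the CommerceThemes/GuestToReg excerpt above.
SAMPLE_ADMINHTML_XML = """<config>
  <acl>
    <resources>
      <admin>
        <children>
          <customer>
            <children>
              <guesttoreg_adminform>
                <title>Manage Guest To Reg</title>
              </guesttoreg_adminform>
            </children>
          </customer>
          <newsletter>
            <children>
              <abandoned_cart_alerts>
                <title>Abandoned Cart Alerts</title>
              </abandoned_cart_alerts>
            </children>
          </newsletter>
        </children>
      </admin>
    </resources>
  </acl>
</config>"""

# Constructed controller sources covering the four states discussed in the thread.
SAMPLE_CONTROLLERS = {
    "original (no _isAllowed)": """<?php
class CommerceThemes_GuestToReg_Adminhtml_GuestToRegFormController
    extends Mage_Adminhtml_Controller_Action
{
    public function indexAction() { $this->loadLayout()->renderLayout(); }
}""",
    "band-aid (return true)": """<?php
class CommerceThemes_GuestToReg_Adminhtml_GuestToRegFormController
    extends Mage_Adminhtml_Controller_Action
{
    protected function _isAllowed() { return true; }
}""",
    "fixed (ACL path)": """<?php
class CommerceThemes_GuestToReg_Adminhtml_GuestToRegFormController
    extends Mage_Adminhtml_Controller_Action
{
    protected function _isAllowed() {
        return Mage::getSingleton('admin/session')->isAllowed('customer/guesttoreg_adminform');
    }
}""",
    "typo (undeclared path)": """<?php
class Example_Adminhtml_ExampleController extends Mage_Adminhtml_Controller_Action
{
    protected function _isAllowed() {
        return Mage::getSingleton("admin/session")->isAllowed("customer/guesttoreg");
    }
}""",
}


def acl_resource_paths(adminhtml_xml):
    """List every ACL resource path declared under acl/resources/admin, in the
    slash form that the admin session's isAllowed() expects."""
    root = ET.fromstring(adminhtml_xml)
    paths = []

    def walk(node, prefix):
        children = node.find("children")
        if children is None:
            return
        for child in children:
            path = f"{prefix}/{child.tag}" if prefix else child.tag
            paths.append(path)
            walk(child, path)

    admin = root.find("./acl/resources/admin")
    if admin is not None:
        walk(admin, "")
    return paths


# The body is read up to the first closing brace; _isAllowed() bodies are one statement.
IS_ALLOWED_RE = re.compile(r"function\s+_isAllowed\s*\(\s*\)\s*\{(?P<body>.*?)\}", re.S)
ACL_CALL_RE = re.compile(r"""isAllowed\(\s*['"](?P<path>[^'"]+)['"]\s*\)""")


def classify_controller(php_source, declared_paths):
    """Return how an admin controller gates access:
    'missing'        no _isAllowed(): the patched core default applies (Access Denied for limited roles)
    'open'           return true: every logged-in admin user passes, the ACL is bypassed
    'acl'            checks a resource path that adminhtml.xml declares
    'acl-undeclared' checks a path adminhtml.xml does not declare (typo or missing ACL entry)
    'unknown'        some other body; review by hand"""
    match = IS_ALLOWED_RE.search(php_source)
    if match is None:
        return "missing"
    body = match.group("body")
    call = ACL_CALL_RE.search(body)
    if call is None:
        return "open" if re.search(r"\breturn\s+true\s*;", body) else "unknown"
    return "acl" if call.group("path") in declared_paths else "acl-undeclared"


def audit(controllers, adminhtml_xml):
    """Map each controller name to its classification against the declared ACL paths."""
    declared = set(acl_resource_paths(adminhtml_xml))
    return {name: classify_controller(src, declared) for name, src in controllers.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONTROLLERS, SAMPLE_ADMINHTML_XML).items():
        print(f"{verdict:15s} {name}")
```

On a real installation, feed it each extension's etc/adminhtml.xml (or the acl block from config.xml on older releases) together with the files under its controllers/Adminhtml directory; anything reported as open or acl-undeclared is a controller the patch was meant to close that is either wide open again or pointing at a resource no role can be granted.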

0

I just put the following code in the controller of the extension causing the problem:

// Opens the controller to every logged-in admin user, regardless of role
protected function _isAllowed(){
    return true;
}

The update requires extensions with scripts in Adminhtml to be more secure.

Ron V
    Thanks @ron-v! That worked to enable the menu, however it's just a band-aid. It enables the menu for everyone, even if they aren't granted permission. I did a bit of searching, and to enable only for ones with permission, `return Mage::getSingleton('admin/session')->isAllowed('path_to/acl_resource');` – Mageician Jul 09 '15 at 00:35
  • If there's not an adminhtml.xml, is there another way to get the acl resource? – Ron V Jul 09 '15 at 20:23
  • The `adminhtml.xml` is newer Magento (1.5+ I think?). The ACL resources used to be in `config.xml`. When it's in `config.xml` you just have to place it in the `...` block. A good resource for this is [Alan Storm's Blog](http://alanstorm.com/magento_acl_authentication). – Mageician Jul 10 '15 at 03:10