FIX Magento Patch SUPEE 6285 Access Denied using third party extensions

Magento released a new patch yesterday called SUPEE 6285, along with a new version of the CE (1.9.2.0).

You can find good summaries of the changes here or here.

This patch introduces some really annoying bugs, though, especially regarding third-party modules/extensions. Basically, any third-party extension that introduces Adminhtml pages now needs an _isAllowed() method in its controllers that sets up proper access control for those pages.

Any user whose role has anything less than full administrator permissions will get Access Denied on every page belonging to a third-party extension, no matter what permissions that role actually has!!

I’ll show you how to fix those issues, particularly pertaining to the Ebizmarts Sage Pay suite.

To start:

EbizMarts has released a fix for this issue:

I contacted them and got the following response:

A fix for the pro version is available now, and a fix for the free version will be available by the end of the day.

In the meantime, if you really need to put orders through the site, you will need to give those users a role with ALL permissions:

Go to System > Permissions > Roles and make or edit a role. On the Role Resources tab, make sure the following is set:

(Screenshot: Role Resources set to All)

Then assign the needed users that role.

Failing that, you will need to go into every Admin controller located in app/code/local/Ebizmarts/SagePaySuite/controllers/Adminhtml and add the following to every file:

// Only users whose role grants this ACL resource may reach this controller
protected function _isAllowed()
{
    return Mage::getSingleton('admin/session')->isAllowed('sales/sagepay/path_to_acl_resource');
}

Not ideal…

To find the ACL resource, go to app/code/local/Ebizmarts/SagePaySuite/etc/adminhtml.xml – in there you’ll find the following lines:

<acl>
    <resources>
        <admin>
            <children>
                <system>
                    <children>
                        <config>
                            <children>
                                <sagepaysuite>
                                    <title>Ebizmarts SagePaySuite</title>
                                </sagepaysuite>
                            </children>
                        </config>
                    </children>
                </system>
                <sales>
                    <children>
                        <sagepay>
                            <title>Sage Pay</title>
                            <children>
                                <dashboard translate="title">
                                    <title>Sage Pay Dashboard</title>
                                </dashboard>

                                ... more here ...

                                <token_cards translate="title">
                                    <title>Sage Pay Token Cards</title>
                                </token_cards>
                            </children>
                        </sagepay>
                    </children>
                </sales>
            </children>
        </admin>
    </resources>
</acl>

So, as an example, the resource path for the dashboard is sales/sagepay/dashboard: the node names below <admin>, joined with slashes, skipping the <children> wrappers (Magento adds the admin/ prefix itself).
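As an added example (not code from the post or from Ebizmarts), a small Python script that derives every ACL resource path from an adminhtml.xml <acl> tree, using a constructed copy of the tree above, and emits the _isAllowed() body to paste for a given resource:

```python
"""List Magento 1 ACL resource paths from an adminhtml.xml <acl> tree.

The resource passed to Mage::getSingleton('admin/session')->isAllowed()
is the chain of node names under <acl><resources><admin>, joined with '/',
skipping the <children> wrapper nodes.
"""
import xml.etree.ElementTree as ET

# Constructed sample, condensed from the SagePaySuite adminhtml.xml shown above.
SAMPLE_ADMINHTML_XML = """<config><acl><resources><admin><children>
  <system><children><config><children>
    <sagepaysuite><title>Ebizmarts SagePaySuite</title></sagepaysuite>
  </children></config></children></system>
  <sales><children><sagepay><title>Sage Pay</title><children>
    <dashboard translate="title"><title>Sage Pay Dashboard</title></dashboard>
    <token_cards translate="title"><title>Sage Pay Token Cards</title></token_cards>
  </children></sagepay></children></sales>
</children></admin></resources></acl></config>"""


def acl_resources(xml_text):
    """Return {resource_path: title} for every resource node under <admin>."""
    root = ET.fromstring(xml_text)
    # Works whether the root is <config> (real file) or a bare <acl> snippet.
    admin = root.find(".//resources/admin")
    if admin is None:
        return {}
    found = {}

    def walk(node, prefix):
        for child in node.findall("./children/*"):
            path = f"{prefix}/{child.tag}" if prefix else child.tag
            found[path] = child.findtext("title", default="").strip()
            walk(child, path)

    walk(admin, "")
    return found


def is_allowed_snippet(resource):
    """PHP _isAllowed() method to paste into an Adminhtml controller for `resource`."""
    return (
        "protected function _isAllowed()\n{\n"
        f"    return Mage::getSingleton('admin/session')->isAllowed('{resource}');\n}}"
    )


if __name__ == "__main__":
    for path, title in acl_resources(SAMPLE_ADMINHTML_XML).items():
        print(f"{path:35} {title}")
    print(is_allowed_snippet("sales/sagepay/dashboard"))
```

Run it against the real app/code/local/Ebizmarts/SagePaySuite/etc/adminhtml.xml to get the full list of resources the module declares.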

This should work for all other modules affected by the SUPEE 6285 bug.

You’ll need to go into the source of any Adminhtml controllers and set up the correct ACL rules in an _isAllowed() method for each one until the vendor releases an update for their module (which some, presumably, never will).

4 Replies to “FIX Magento Patch SUPEE 6285 Access Denied using third party extensions”

  1. Great contribution! But it is not only with the extensions; it is also with any custom model that requires ACL.

    Thanks. I did not know because my custom module did not work in the admin panel.

  2. I am getting Access Denied on my Magento site. Please explain how I solve it?
    Where is the sales/sagepay/dashboard file and what do I have to do?

    Thanks

  3. Thank you! Works great on local, but after deploying using svn to RC testing, things in the admin panel won't display (I have deleted the cache by rm -rf, also from admin, logged in and out, ...). The interesting part is that when I handle the contact form and save the entity, it is successfully added to the database, so only the admin part is not working. Also the module is not displayed in ACL, while on localhost it is and is fully working.

    A few hours now that I am trying to figure out where the problem can be. Does someone have any ideas?
