
I created a custom module that adds a button to the product edit page. When I log in to the admin panel as a user with the ‘Administrators’ role, I can use the button without any problems. But I needed to create a new role with limited rights and assign it to a new user. When I log in to the admin panel as that new user and try to use the button, I get an ‘Access Denied’ error.

I looked at the role settings and didn’t see anything I could select to make my button work. This happened because I didn’t use Magento ACL in my custom module.

Here are the steps to fix it:

1. Add the ACL resource in config.xml or adminhtml.xml. I added it to config.xml (if you add it to adminhtml.xml instead, omit the <adminhtml></adminhtml> tags):


    <config>
        ...
        <adminhtml>
            ...
            <acl>
                <resources>
                    <admin>
                        <children>
                            <mmsold translate="title" module="mmsold">
                                <title>Sold</title>
                                <sort_order>65</sort_order>
                            </mmsold>
                        </children>
                    </admin>
                </resources>
            </acl>
        </adminhtml>
    </config>

2. Add the protected method _isAllowed to your admin controller:


    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed('mmsold');
    }

You can look at Mage_Adminhtml_Controller_Action and see this code in the preDispatch method:


    if ($this->getRequest()->isDispatched()
        && $this->getRequest()->getActionName() !== 'denied'
        && !$this->_isAllowed()) {
        $this->_forward('denied');
        $this->setFlag('', self::FLAG_NO_DISPATCH, true);
        return $this;
    }

That explains why you need the _isAllowed method.

You could also write it like this:


    protected function _isAllowed()
    {
        return true;
    }

That means every admin user, whatever their role, will have permission to use your module. If you want to control rights per admin role, it’s better to use the first approach, as I did above.

After that I found the Sold setting for my module in the role’s list of settings and selected it. Now the user can use the button.
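To find controllers that still have either problem described above (no _isAllowed override, or one that simply returns true), a small audit script helps. This is an added example, not code from the original post; it is a regex heuristic rather than a PHP parser, and the sample sources and the Example_Sold_* class names are constructed for illustration.

```python
import re

ADMIN_BASE = re.compile(r"extends\s+Mage_Adminhtml_Controller_Action\b")
IS_ALLOWED = re.compile(r"function\s+_isAllowed\s*\(\s*\)\s*\{(.*?)\}", re.S)
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
ACL_CALL = re.compile(r"->\s*isAllowed\s*\(\s*['\"]([^'\"]+)['\"]\s*\)")


def audit_controller(php_source):
    """Classify one controller by how it answers the preDispatch ACL check."""
    code = COMMENTS.sub("", php_source)       # ignore commented-out checks
    if not ADMIN_BASE.search(code):
        return ("not-admin-controller", None)
    method = IS_ALLOWED.search(code)
    if method is None:
        return ("missing", None)              # no override: the post's 'Access Denied' case
    body = " ".join(method.group(1).split())
    if re.fullmatch(r"return\s+true\s*;", body, re.I):
        return ("always-true", None)          # every admin role passes
    call = ACL_CALL.search(body)
    if call:
        return ("acl-check", call.group(1))   # resource name to look up in the ACL XML
    return ("needs-review", None)


# Constructed sample sources; class names are hypothetical.
HEAD = ("<?php\nclass Example_Sold_Adminhtml_%sController "
        "extends Mage_Adminhtml_Controller_Action\n{\n")
SAMPLES = {
    "checked": HEAD % "Sold" + """    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed('mmsold');
    }
}
""",
    "open": HEAD % "Open" + """    protected function _isAllowed()
    {
        // TODO: wire up ACL later
        return true;
    }
}
""",
    "bare": HEAD % "Bare" + "    public function indexAction() {}\n}\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, *audit_controller(src))
```

Any resource name reported as acl-check should also exist under <acl><resources> in config.xml or adminhtml.xml, otherwise no role can be granted it.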

Vladimir Repalo


Magento Developer at Mobecls, 8+ years of experience. Feel free to ask me anything about this post in the comments below.