Skip to main content

I created a custom module, which adds a button to product edit page. When I log in to admin panel as a user, who has ‘Administrators’ role, I can use the button without any problems. But I need to create a new role with some limited rights and to add it to a new user. Then I log in to admin panel as the user I’ve just created and try to use the button, I get an error ‘Access Denied’.

I looked at the role settings and didn’t see what I needed to select for making my button to work. I got that situation because I didn’t use Magento ACL in my custom module.

Now I need to make some steps to fix it:

1. You can add ACL resources in config.xml or adminhtml.xml. I added to config.xml (If you want to add it to adminhtml.xml, you will not need <adminhtml></adminhtml> tags):

<mmsold translate="title" module="mmsold">

2. You need to add protected method _isAllowed to your admin controller:

protected function _isAllowed()
return Mage::getSingleton('admin/session')->isAllowed('mmsold');

You can look at Mage_Adminhtml_Controller_Action and see the code in preDispatch method:

if ($this->getRequest()->isDispatched()
&& $this->getRequest()->getActionName() !== 'denied'
&& !$this->_isAllowed()) {
$this->setFlag('', self::FLAG_NO_DISPATCH, true);
return $this;

That expains why you need the method _isAllowed.

You can make like that:

protected function _isAllowed()
return true;

That means your module will have permissions for all admin users. If you want to choose rights for admin users, it’s better to choose the first way as I used above.

After that I found setting Sold for my module in the role’s list of settings, selected it. Now the user can use the button.

Vladimir Repalo

Vladimir Repalo

Magento Developer at Mobecls, 8+ years of experience. Feel free to ask me anything about this post in the comments below.