How To Fix Magento Access Denied After Patch SUPEE-6285, By Tech and Dev


Magento released a critical patch (SUPEE-6285) that solves many XSS and CSRF vulnerabilities (Official release).

However, many third-party extensions turn out to be badly implemented in this respect: after the patch, their admin pages return "Access Denied" to every administration role except the Administrator.

If you can't wait for an official patch for these extensions or have some custom extensions, you can easily fix it.

Every class or controller that inherits from Mage_Adminhtml_Controller_Action must override the _isAllowed() method.

For example, if your controller does not use ACL, you may override the method as follows, which lets every logged-in admin user reach the controller regardless of role:

protected function _isAllowed()
{
    return true;
}

Or, if the controller uses ACL, you must find the ACL name and override the method using the ACL path:

protected function _isAllowed()
{
    return Mage::getSingleton('admin/session')->isAllowed('catalog/report_module');
}


The ACL path can be found in the extension's directory, in etc/adminhtml.xml.

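For example, the listing below has catalog/report_module as its ACL path:

[adminhtml.xml listing; the element tags were not preserved. Remaining values: Management reports (15); Reports (15), with report1 (2) and report2 (3); Management reports (15)]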

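The following Python check is an added example, not code from the original post or from Magento. It flags admin controllers that extend Mage_Adminhtml_Controller_Action without overriding _isAllowed(), or whose override does no ACL lookup, and verifies that the path passed to isAllowed() is declared in etc/adminhtml.xml. The Acme_Reports controller and both sample inputs are constructed, and the regex-based PHP matching is a simplifying assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (hypothetical Acme_Reports extension).
SAMPLE_XML = """<config><acl><resources><admin><children>
  <catalog><children>
    <report_module translate="title">
      <title>Reports</title><sort_order>15</sort_order>
    </report_module>
  </children></catalog>
</children></admin></resources></acl></config>"""

SAMPLE_CONTROLLER = """<?php
class Acme_Reports_Adminhtml_ReportController extends Mage_Adminhtml_Controller_Action
{
    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed('catalog/report_module');
    }
}"""

EXTENDS = re.compile(r"\bextends\s+Mage_Adminhtml_Controller_Action\b")
METHOD = re.compile(r"function\s+_isAllowed\s*\(\s*\)\s*\{(.*?)\}", re.S | re.I)
ACL_CALL = re.compile(r"->\s*isAllowed\s*\(\s*['\"]([^'\"]+)['\"]")

def acl_paths(xml_text):
    """ACL paths declared under acl/resources/admin, e.g. 'catalog/report_module'."""
    paths = set()
    def walk(node, prefix):
        for child in node.findall("children/*"):
            paths.add("/".join(prefix + [child.tag]))
            walk(child, prefix + [child.tag])
    admin = ET.fromstring(xml_text).find("acl/resources/admin")
    if admin is not None:
        walk(admin, [])
    return paths

def audit(php_source, xml_text):
    """Return 'n/a', 'missing', 'no-acl-check', 'unknown-acl:<path>' or 'ok'."""
    if not EXTENDS.search(php_source):
        return "n/a"  # only direct subclasses are detected
    method = METHOD.search(php_source)
    if method is None:
        return "missing"  # non-Administrator roles get "Access Denied"
    call = ACL_CALL.search(method.group(1))
    if call is None:
        return "no-acl-check"  # e.g. `return true;`: no role restriction
    path = re.sub(r"^admin/", "", call.group(1))  # leading 'admin/' is optional
    return "ok" if path in acl_paths(xml_text) else "unknown-acl:" + path
```

Controllers that inherit through an intermediate base class are reported as "n/a" and need a manual look.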


This post is courtesy of Tech and Dev.
