2
votes

I have defined an ACL for a tab in Manage Customer

    <acl>
        <resources>
            <all>
                <title>Allow Everything</title>
            </all>
            <admin>
                <children>
                    <customer>
                        <children>
                            <manage>
                                <children>
                                    <managepoint translate="title">
                                        <title>Manage Point</title>
                                        <sort_order>100</sort_order>
                                    </managepoint>
                                </children>
                            </manage>
                        </children>
                    </customer>
                </children>
            </admin>
        </resources>
    </acl>

Using this code

    public function canShowTab()
    {
        // Hide the tab unless the current admin user's role is allowed the custom ACL resource
        if (!Mage::getSingleton('admin/session')->isAllowed('customer/manage/managepoint')) {
            return false;
        }
        return true;
    }

It is expected that, by default, for all users under any user role except the admin role, Mage::getSingleton('admin/session')->isAllowed('customer/manage/managepoint') should return FALSE, but actually it returns TRUE. However, if I check and then uncheck this ACL for a particular role, the ACL starts working as expected.

Can anybody tell me why Mage::getSingleton('admin/session')->isAllowed('customer/manage/managepoint') is returning FALSE by default?

2
After creating the ACL I'm taking care of clearing var/cache, var/session and logging in/out for testing. My core_session table is also empty. - Deependra Singh
While testing I found that Mage::getSingleton('admin/session')->isAllowed('customer/manage/garbage_value') returns FALSE; just whatever ACL I define returns TRUE. - Deependra Singh

2 Answers

6
votes

It took time, but after proper testing I came to a conclusion on the behaviour of Magento with ACLs.

Magento stores role resources in the admin_role table with permission deny/allow. So whenever we create a new role, there is no entry for that resource for any role in admin_role, and isAllowed will return TRUE by default. But thereafter, if we create new roles with our custom ACL unchecked, admin_role saves an entry with "deny" permission, so isAllowed will work as expected. Thus, after creating a new ACL, either we have to go to every role and save these roles once, or go to the admin_role table and provide entries for all role_ids.
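
The following is an added example, not code from the question or either answer, that models why a freshly defined resource behaves this way. The resource walk (requested resource, then its parents, then the global resource, first explicit allow/deny wins, nothing found means deny) and the fallback in Mage_Admin_Model_Session::isAllowed for an unregistered resource are the editor's reading of the Zend_Acl code Magento 1 builds on, and are an assumption, not code lifted from Magento; the role IDs (G1, G20, U1, U7), the rule sets and the resource tree are constructed sample data based on the question's adminhtml.xml.

```python
"""Model of why a freshly added Magento 1 ACL resource is allowed by default.

Added illustration (assumption about Zend_Acl / Mage_Admin_Model_Session
semantics, not Magento's own code). Roles, users and rules are constructed.
"""

ALLOW, DENY = "allow", "deny"


class Acl:
    """Minimal model of the Zend_Acl lookup that Mage_Admin_Model_Acl inherits (assumed)."""

    def __init__(self):
        self._resources = {}  # resource_id -> parent resource_id (None = root)
        self._roles = {}      # role_id -> parent role_id (None = no parent)
        self._rules = {}      # (role_id, resource_id or None) -> ALLOW | DENY

    def add_resource(self, resource_id, parent=None):
        if parent is not None and parent not in self._resources:
            raise KeyError("unknown parent resource %r" % parent)
        self._resources[resource_id] = parent

    def add_role(self, role_id, parent=None):
        self._roles[role_id] = parent

    def has(self, resource_id):
        return resource_id in self._resources

    def allow(self, role_id, resource_id=None):
        self._set_rule(role_id, resource_id, ALLOW)

    def deny(self, role_id, resource_id=None):
        self._set_rule(role_id, resource_id, DENY)

    def _set_rule(self, role_id, resource_id, permission):
        if resource_id is not None and not self.has(resource_id):
            raise KeyError("unknown resource %r" % resource_id)
        self._rules[(role_id, resource_id)] = permission

    def _role_chain(self, role_id):
        # the user role first, then its parent group role
        while role_id is not None:
            yield role_id
            role_id = self._roles.get(role_id)

    def is_allowed(self, role_id, resource_id=None):
        if resource_id is not None and not self.has(resource_id):
            raise KeyError("unknown resource %r" % resource_id)
        while True:
            for r in self._role_chain(role_id):
                permission = self._rules.get((r, resource_id))
                if permission is not None:
                    return permission == ALLOW   # first explicit rule wins
            if resource_id is None:
                return False                    # no rule anywhere: default deny
            resource_id = self._resources[resource_id]  # inherit from the parent resource


def session_is_allowed(acl, user_role, resource):
    """Assumed shape of Mage_Admin_Model_Session::isAllowed: prefix 'admin/' when
    missing; for a resource that is not registered at all, fall back to the
    role's global rule instead of raising."""
    if not resource.startswith("admin"):
        resource = "admin/" + resource
    try:
        return acl.is_allowed(user_role, resource)
    except KeyError:
        if not acl.has(resource):
            return acl.is_allowed(user_role, None)
        return False


def build_acl(deny_rule_saved):
    acl = Acl()
    # resource tree from the question's adminhtml.xml; <all> is the global (None) resource
    acl.add_resource("admin")
    acl.add_resource("admin/customer", "admin")
    acl.add_resource("admin/customer/manage", "admin/customer")
    acl.add_resource("admin/customer/manage/managepoint", "admin/customer/manage")
    # constructed group roles ('G') and user roles ('U') whose parent is their group
    acl.add_role("G1")           # Administrators: "Allow Everything"
    acl.add_role("G20")          # limited role: only customer/manage ticked
    acl.add_role("U1", "G1")
    acl.add_role("U7", "G20")
    acl.allow("G1", None)
    acl.allow("G20", "admin/customer/manage")
    if deny_rule_saved:
        # what the role gets once it is re-saved with the new box left unticked
        acl.deny("G20", "admin/customer/manage/managepoint")
    return acl


def tab_visibility(deny_rule_saved):
    acl = build_acl(deny_rule_saved)
    return {
        # limited user asks for the new tab's resource
        "limited_user_new_tab": session_is_allowed(acl, "U7", "customer/manage/managepoint"),
        # limited user asks for a resource that exists nowhere in adminhtml.xml
        "limited_user_unknown": session_is_allowed(acl, "U7", "customer/manage/garbage_value"),
        # administrator asks for the new tab's resource
        "admin_user_new_tab": session_is_allowed(acl, "U1", "customer/manage/managepoint"),
    }


if __name__ == "__main__":
    print("before re-saving the role:", tab_visibility(False))
    print("after re-saving the role: ", tab_visibility(True))
```

Under this model the limited user sees the new tab until an explicit deny row exists, because the lookup inherits the allow on the parent resource customer/manage, while an unregistered resource such as customer/manage/garbage_value drops to the global rule and is denied, which matches both observations in the question's comments.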

0
votes

This is not a solution in itself, and like many I find this to be particularly annoying.
So here is a way: if you have many roles and you want to quickly add a deny, you can run this SQL command

    -- Add an explicit DENY rule for every group role that should not get the new resource
    INSERT INTO admin_rule (rule_id, role_id, resource_id, privileges, assert_id, role_type, permission)
    SELECT NULL, role_id, 'admin/path/to/your/acl', NULL, 0, 'G', 'deny'
    FROM admin_role
    WHERE role_type = 'G' AND user_id = 0 AND role_id NOT IN (1, 20);

    -- Add an explicit ALLOW rule for the group roles that should get it (role_ids 1 and 20 here)
    INSERT INTO admin_rule (rule_id, role_id, resource_id, privileges, assert_id, role_type, permission)
    SELECT NULL, role_id, 'admin/path/to/your/acl', NULL, 0, 'G', 'allow'
    FROM admin_role
    WHERE role_type = 'G' AND user_id = 0 AND role_id IN (1, 20);

This script can be sent at the same time as your code.