Implement ACL (Access-Control-List) for own Magento modules

Implement ACL in Magento
©Yuri Samoilov via Flickr (https://flic.kr/p/mjhubJ)

The following snippets show how to implement ACL (Access-Control-List) for system configuration fields and main menu entries of your own modules.  It is also shown, how to check the ACL’s in the PHP code of your Module.

Implement ACL – Access control for system configuration

If you had configured a system configuration (System→Configuration) like this:

<?xml version="1.0" encoding="utf-8"?>
<config>
    <sections>
        <asksheldon_friendsandfamily translate="label" module="asksheldon_friendsandfamily">
            <label>Friends &amp; Family</label>
            <tab>customer</tab>
            <frontend_type>text</frontend_type>
            <sort_order>1</sort_order>
            <show_in_default>1</show_in_default>
            <show_in_website>1</show_in_website>  
            <show_in_store>0</show_in_store> 
            <groups>
                <general translate="label" module="asksheldon_friendsandfamily">
                    <label>General</label>
                    <frontend_type>text</frontend_type>
                    <sort_order>1</sort_order>
                    <show_in_default>1</show_in_default>
                    <show_in_website>1</show_in_website>
                    <show_in_store>0</show_in_store>                    
                    <fields>
                        <enabled translate="label">
                            <label>Enable</label>
                            <frontend_type>select</frontend_type>
                            <source_model>adminhtml/system_config_source_yesno</source_model>
                            <sort_order>10</sort_order>
                            <show_in_default>1</show_in_default>
                            <show_in_website>1</show_in_website>
                            <show_in_store>0</show_in_store>
                        </enabled>
                        <customer_groups translate="label comment">
                            <label>Customer groups</label>
                            <frontend_type>multiselect</frontend_type>
                            <source_model>adminhtml/system_config_source_customer_group</source_model>
                            <sort_order>11</sort_order>
                            <show_in_default>1</show_in_default>
                            <show_in_website>1</show_in_website>
                            <show_in_store>0</show_in_store>
                            <comment>Groups for Friends &amp; Family discounts.</comment>
                        </customer_groups>                           
                    </fields>
                 </general> 
                 <welcomeemail>
                    <label>Editmail</label>
                    <frontend_type>text</frontend_type>
                    <sort_order>2</sort_order>
                    <show_in_default>1</show_in_default>
                    <show_in_website>1</show_in_website>
                    <show_in_store>0</show_in_store>  
                    <fields>                         
                         <identity translate="label">
                            <label>Welcomemail Sender</label>
                            <frontend_type>select</frontend_type>
                            <source_model>adminhtml/system_config_source_email_identity</source_model>
                            <sort_order>2</sort_order>
                            <show_in_default>1</show_in_default>
                            <show_in_website>1</show_in_website>
                            <show_in_store>0</show_in_store>
                        </identity>
                        <template translate="label">
                            <label>Welcomemail-Template</label>
                            <frontend_type>select</frontend_type>
                            <source_model>adminhtml/system_config_source_email_template</source_model>
                            <sort_order>3</sort_order>
                            <show_in_default>1</show_in_default>
                            <show_in_website>1</show_in_website>
                            <show_in_store>0</show_in_store>
                        </template>
 
                        <copy_to translate="label comment">
                            <label>Send Welcome Copy To</label>
                            <frontend_type>text</frontend_type>
                            <sort_order>5</sort_order>
                            <show_in_default>1</show_in_default>
                            <show_in_website>1</show_in_website>
                            <show_in_store>0</show_in_store>
                            <comment>Comma-separated.</comment>
                        </copy_to>
                        <copy_method translate="label">
                            <label>Send Welcome Copy Method</label>
                            <frontend_type>select</frontend_type>
                            <source_model>adminhtml/system_config_source_email_method</source_model>
                            <sort_order>6</sort_order>
                            <show_in_default>1</show_in_default>
                            <show_in_website>1</show_in_website>
                            <show_in_store>0</show_in_store>
                        </copy_method>
                    </fields>
                 </welcomeemail>            
             </groups>
        </asksheldon_friendsandfamily>
    </sections>      
</config>

… you can define ACLs like that:

<?xml version="1.0" encoding="utf-8"?>
<config>
    <acl>
        <resources>
            <admin>
                <children>
                    <system>
                        <children>
                            <config>
                                <children>
                                    <asksheldon_friendsandfamily translate="title" module="asksheldon_friendsandfamily">
                                        <title>Friends &amp; Family</title>
                                    </asksheldon_friendsandfamily>
                                </children>
                            </config>
                        </children>
                    </system>
                </children>
            </admin>
        </resources>
    </acl>
</config>

You can use more <children> <BEZEICHNER> level to refine the access possibilities (f.e.: only access to general tab).

Implement ACL – Access control for menu entries

For main menu entries as described here you have to configure the right ACLs as follows:

<?xml version="1.0"?>
<config>  
    <acl>
    <resources>
                <all>
                <title>Allow Everything</title>
            </all>
            <admin>
                <children>
                    <asksheldon_abo>
                        <children>
                            <asksheldon_abomanage>
                                <title>Subscription</title>
                                <sort_order>10</sort_order>
                            </asksheldon_abomanage>
                            <asksheldon_aboexport>
                                <title>Subscription EAN Export</title>
                                    <sort_order>20</sort_order>
                            </asksheldon_aboexport>
                            <asksheldon_aboguestexport>
                                <title>Subscription Guest Export</title>
                                <sort_order>30</sort_order>
                            </asksheldon_aboguestexport>
                        </children>
                    </asksheldon_abo>                
                </children>
            </admin>          
    </resources>
    </acl>
</config>

Implement ACL – Check ACLs

If you have the following ACL (not necessarily for system configuration oder menus → can also be for its own):

<config>
    <acl>
        <resources>
            <admin>
                <children>                    
                    <asksheldon_milesandmore translate="title" module="asksheldon_milesandmore">
                        <title>Miles &amp; More</title>
                        <children>
                            <allow_view>
                                <title>Backenduser can view the customers cardnumber</title>
                            </allow_view>
                            <allow_edit>
                                <title>Backenduser can view and edit the customers cardnumber</title>
                            </allow_edit>
                        </children>
                    </asksheldon_milesandmore>
                </children>
            </admin>
        </resources>
    </acl>
</config>

… you can check if the customer is allowed to access that interface by:

<?php
$bIsAllowed = Mage::getSingleton('admin/session')->isAllowed('admin/asksheldon_milesandmore/allow_view');//path/in/acl/tree
?>

Implement ACL – Own Controller Actions

Since version “I have no idea 😉 ” you have to implement a _isAllowed – function in your controller to grant restricted access for a certain user role.

For example:
if you have a ACL and menu definition like that:

<?xml version="1.0" encoding="UTF-8"?>
<config>
    <menu>
        <sheldon_wysiwyg module="sheldon_wysiwyg">
            <title>WYSIWYG</title>
            <sort_order>88</sort_order>
            <children>
                <test module="sheldon_wysiwyg" translate="title">
                    <title>Test</title>
                    <sort_order>0</sort_order>
                    <action>adminhtml/sheldonwysiwyg_data</action>
                </test>
                <template_js module="sheldon_wysiwyg" translate="title">
                    <title>Template</title>
                    <sort_order>1</sort_order>
                    <action>adminhtml/sheldonwysiwyg_data/template</action>
                </template_js>
            </children>
        </sheldon_wysiwyg>
    </menu>
    <acl>
        <resources>
            <admin>
                <children>
                    <sheldon_wysiwyg module="sheldon_wysiwyg">
                        <title>WYSIWYG</title>
                        <sort_order>88</sort_order>
                        <children>
                            <test module="sheldon_wysiwyg" translate="title">
                                <title>Test</title>
                                <sort_order>0</sort_order>
                                <action>adminhtml/sheldonwysiwyg_data</action>
                            </test>
                            <template_js module="sheldon_wysiwyg" translate="title">
                                <title>Template</title>
                                <sort_order>1</sort_order>
                                <action>adminhtml/sheldonwysiwyg_data/template</action>
                            </template_js>
                        </children>
                    </sheldon_wysiwyg>
                </children>
            </admin>
        </resources>
    </acl>
</config>

you have to implement:

<?php
protected function _isAllowed()
{
    return Mage::getSingleton('admin/session')->isAllowed('admin/sheldon_wysiwyg');
}

in the corresponding controller (Sheldon_Wysiwyg_Adminhtml_Sheldonwysiwyg_DataController in this case).

One thought on “Implement ACL (Access-Control-List) for own Magento modules

Leave a Reply

Your email address will not be published.

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.