Verify Magento User Access to Admin Functionality

When working with Magento, there will inevitably come a time where you need to manually check to see if the currently logged-in user has access to a specific piece of functionality as defined in the ACL settings. Personally, I have come across this situation more often when creating my own custom modules and their custom permissions, but they can be used to check the permissions of any module.

As is so often the case, Alan Storm has documented the exact solution for this scenario. Lets say that your ACL configuration is setup as it is below…

<?xml version="1.0" encoding="UTF-8"?>
<config>
    <acl>
        <resources>
            <admin>
                <children>
                    <permission1>
                        <title>Permission 1</title>
                        <children>
                            <permission1a>
                                <title>Permission 1 a</title>
                                <children>
                                    <permission1a1>
                                        <title>Permission 1 a 1</title>
                                    </permission1a1>
                                </children>
                            </permission1a>
                        </children>
                    </permission1>
                </children>
            </admin>
        </resources>
    </acl>
</config>

If you want to check to see whether the current user has been granted permission1a1, you would write something like the following, which returns a true or false values.

$isAllowed = Mage::getSingleton('admin/session')->isAllowed('permission1/permission1a/permission1a1');

As you can see, you have to put the XML node names in the full path for the isAllowed function call to work properly. If you don’t need to check the leaf node permissions, and only the root node, you could do the following instead.

$isAllowed = Mage::getSingleton('admin/session')->isAllowed('permission1');

Amazingly, this is one of those scenarios where Magento makes things easy in a non-confusing manner.

Tags:

Related Posts

Mar 28, 2014
2 minutes

Launching a Redesign of a Website

Over the last few months, I have been working on a major redesign of an existing Magento website. One of the major goals of the redesign was to take a legacy desktop-only website and upgrade it to take full advantage of Responsive Web Design so that customers could equally utilize mobile and desktop devices to browse and purchase products.

For a site that had seen only minor updates over the last 5 years, this redesign represented a major change visually and navigationally from the previous site. Based on the history of the site, the development team was optimistic that the redesign would be well-received, but were suprised by a few things that came up in the feedback we saw.

#magento #responsive-web-design
Read More
Mar 16, 2015
2 minutes

Google Code Shutting Down

Google just recently announced that they are going to begin the process of shutting down their Google Code project hosting service. In the blog post announcing that they were shuttering the service, they let it slip that even Google had quit using Google Code for their project hosting, instead transitioning thousands of their projects to GitHub. Google seemingly blames the fact that GitHub and BitBucket handle project hosting better than Google does as the main reason that they are discontinuing the service.

#javascript #python #web-development
Read More
Jul 29, 2014
2 minutes

Hackers Exploiting Gullible Magento Site Administrators

Nexcess recently released a report of a Recent Exploit using Fake Magento Extensions was able to skim credit card information from affected Magento websites. While it seems that some of the stores were breached by correctly guessing simple admin usernames and passwords, others seemed to be the result of site administrators installing Magento Extensions that included backdoors that gave the hackers remote access to the website. Once the backdoor was installed, the hackers went on to modify core Magento files, ensuring that when a credit card order was placed, the credit card information would be saved to a text file that was hidden with an image file name extension .jpg, .gif, .bmp and saved in the /media directory, allowing the hackers, and anyone else on the internet to download the credit card information.

#magento #security
Read More