October 25, 2020


Thinking Magento

Magento Patch SUPEE-6285: What Developers Need to Know

Magento Patch SUPEE-6285 is one of those patches you are going to hate.

The problem you are going to face is tracking down any module that extends Mage_Adminhtml_Controller_Action

Now a formal check has been put in place in the form of protected function _isAllowed() 

The check affects admin users who have restrictived roles. The moment a role becomes restricted the extra check comes into play.

Going to an admin menu that results in Access Denied is frustrating, but solvable.

You will need to go to your controllers directory and in Controller.php that extends Mage_Adminhtml_Controller_Action will need to have protected function _isAllowed() added in which a check to see if the session allows for access.

It's not always straight forward. Checking the session against access to the modules configuration page isn't normal practice. You normally don't want employees fiddling with the configuration of the module, so my advice is to check the session against the top of the menu tree.

For example you have a main menu for your module which has 6 sub / children menus. Set your allowed action to check the main menu only.

protected function _isAllowed()
return Mage::getSingleton('admin/session')->isAllowed('pathto/acl_mainmenu');

Placing this into your Controller.php will then give access back to those who are suffering from Access Denied for that module.

Need to find your acl mainmenu path. This will be either in adminhtml.xml or config.xml in your etc directory for the module. 

<trackingimport translate="title" module="trackingimport">

This translates to the following to add into your Controller.php

return Mage::getSingleton('admin/session')->isAllowed('sales/trackingimport');

-------------------- THEME UPDATES ------------------


If you have any themes that overwrite these files, you will need to patch them as well. These files are vulnerable to unescaped HTML injection attacks.