Backend ACL rules

Many of you have used adminhtml.xml file to define menu items for a module in Magento backend. In this article we would like to highlight ACL features which allow us to fine-grant specific actions to be used by a privileged roles.

There is System → Permissions → Roles backend section, but how do we add available resources or actions from our module you might ask? This is done from <acl><resources> node of aforementioned adminhtml.xml. Here you can add the resources for general actions resources, menu items resources and system configuration (System → Configuration) resources as well. Make sure you define those for all menu items you have in the module, even if you have only one role currently, many merchants have several staff roles doing store management and obviously they want to configure permissions according to the requirements.


Let’s have a look at app/code/core/Mage/Sales/etc/adminhtml.xml file as a comprehensive example how could be ACL resources defined, as it has all three kinds of resources: different actions that can be performed on the order, backend’s main menu items and module configuration items.


Now, you may wonder how do we perform the check whether an admin user has access to specific resource. This is done by Mage_Adminhtml_Controller_Action::_isAllowed() method which by default returns true. As every backend (or adminhtml) controller extends this class, we can override this method and implement the check. Permissions check logic can be performed using following code:

return Mage::getSingleton('admin/session')->isAllowed($aclResource);

where $aclResouce is xpath defined in adminhtml.xml, for example sales/order/actions/comment. Using the same technique you can, for example, hide buttons or grid actions for which current user doesn’t have access to.


We hope this article gave you useful insight on how to build flexible modules that can be successfully used in multi-role environment. Stay tuned for more articles from Atwix team!