As you may know, Magento uses Access Control Lists (ACL) to authorize and control user access within the system, so that the site can be managed effectively. This tutorial explains the ACL in detail and shows how to set up a backend menu and authorize access to it.

1. Define the ACL

According to www.techterms.com: ACL stands for “Access Control List”. An ACL is a list of user permissions for a file, folder, or other object. It defines what users and groups can access the object and what operations they can perform. These operations typically include read, write, and execute. For example, if an ACL specifies read-only access for a specific user of a file, that user will be able to open the file, but cannot write to it or run the file.

In Magento, the ACL is a list of user permissions for resource paths (a link to a menu entry or an action) that decides whether a user may access a resource or not. The ACL uses the following basic terms and elements:

  • User: the entity that has the authority to use the system. The user meant here is the Magento backend (admin) user.
  • Role: the role the user holds when logged in to the system. In Magento, a user has only one role.
  • Rule: the rule set linking users and roles to resources. It defines a user’s or a role’s permission to access a resource.
  • Assert: a condition that activates an item in the ACL. It is used for special checks when the ACL evaluates a permission.

2. Magento stores the ACL in the database

Magento stores roles in the table admin_role; its important columns are:

  • parent_id: the parent role of the current role
  • role_type: whether the row is a user role or a group role

The central ACL table is admin_rule, which stores the permissions of a user or a role on each resource:

  • role_id: the id of the role the rule applies to
  • resource_id: the resource being accessed in the system
  • permission: the permission for the role to access that resource
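As an added example (not part of the original tutorial), the following script reads the two tables just described to list, for each group role, its allow/deny rows from admin_rule and the admin users attached to it. It is my own illustration: the file name audit_acl.php is my choice, and it assumes it is run from the root directory of a Magento 1 installation so that app/Mage.php can be loaded.

```php
<?php
// audit_acl.php (assumed name): list every group role, its admin_rule rows and its users.
// Added example, not part of the original tutorial. Run from the Magento 1 root:
//   php audit_acl.php
require_once 'app/Mage.php';
Mage::app('admin');

$resource  = Mage::getSingleton('core/resource');
$read      = $resource->getConnection('core_read');
$roleTable = $resource->getTableName('admin/role');   // admin_role
$ruleTable = $resource->getTableName('admin/rule');   // admin_rule
$userTable = $resource->getTableName('admin/user');   // admin_user

// Group roles (role_type 'G') are the roles edited under System > Permissions > Roles.
$groups = $read->fetchAll(
    $read->select()
        ->from($roleTable, array('role_id', 'role_name'))
        ->where('role_type = ?', 'G')
        ->order('role_id')
);

foreach ($groups as $group) {
    printf("Role #%d: %s\n", $group['role_id'], $group['role_name']);

    // One admin_rule row per resource_id; permission is 'allow' or 'deny'.
    $rules = $read->fetchAll(
        $read->select()
            ->from($ruleTable, array('resource_id', 'permission'))
            ->where('role_id = ?', $group['role_id'])
            ->order('resource_id')
    );
    $fullAccess = false;
    foreach ($rules as $rule) {
        // Choosing "All" in the role editor is stored as a single row with resource_id 'all'.
        if ($rule['resource_id'] === 'all' && $rule['permission'] === 'allow') {
            $fullAccess = true;
        }
        printf("  %-5s %s\n", $rule['permission'], $rule['resource_id']);
    }

    // User roles (role_type 'U') hang below the group role through parent_id,
    // and their user_id links them to the admin_user account.
    $users = $read->fetchCol(
        $read->select()
            ->from(array('ur' => $roleTable), array())
            ->join(array('u' => $userTable), 'u.user_id = ur.user_id', array('username'))
            ->where('ur.role_type = ?', 'U')
            ->where('ur.parent_id = ?', $group['role_id'])
    );
    printf("  users: %s\n", $users ? implode(', ', $users) : '(none)');

    // Roles with unrestricted access deserve a second look during a permissions review.
    if ($fullAccess) {
        printf("  NOTE: this role grants access to every resource\n");
    }
}
```

The output makes the parent_id / role_type relationship visible: each group role is followed by its rule rows and by the user rows that point back to it, which is a quick way to review who holds full backend access after roles have been edited.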

3. Create a menu and set up permissions for it

In Magento, you can add a backend menu item, and the ACL resource that protects it, to your extension by adding the following code to the module's adminhtml.xml file:

<?xml version="1.0"?>
<config>
    <menu>
        <socialrecommend module="socialrecommend" translate="title">
            <title>Recommend</title>
            <sort_order>71</sort_order>
            <children>
                <settings module="socialrecommend" translate="title">
                    <title>Settings</title>
                    <sort_order>1000</sort_order>
                    <action>adminhtml/system_config/edit/section/socialrecommend</action>
                </settings>
            </children>
        </socialrecommend>
    </menu>
    <acl>
        <resources>
            <admin>
                <children>
                    <system>
                        <children>
                            <config>
                                <children>
                                    <socialrecommend module="socialrecommend" translate="title">
                                        <title>Social Recommend</title>
                                        <sort_order>71</sort_order>
                                    </socialrecommend>
                                </children>
                            </config>
                        </children>
                    </system>
                    <socialrecommend module="socialrecommend" translate="title">
                        <title>Recommend</title>
                        <sort_order>71</sort_order>
                        <children>
                            <settings module="socialrecommend" translate="title">
                                <title>Settings</title>
                                <sort_order>1000</sort_order>
                            </settings>
                        </children>
                    </socialrecommend>
                </children>
            </admin>
        </resources>
    </acl>
</config>

• <menu> tag: defines the menu entry in the backend

  • <title>: the menu title
  • <sort_order>: the position of the entry in the menu
  • <action>: the link the menu entry points to

• <acl> tag: defines the ACL resource that grants access to the backend menu above

  • <title>: the title shown in the ACL resource list of the role editor
  • <sort_order>: the position of the resource in that list

Now, when adding a role to your system, you can see the ACL item in the resource list and tick the checkbox of each resource the role should be allowed to access.

When a user logs in to the backend, the menu entries shown depend on the user’s permissions. When the user requests an action, the system checks the user’s permission before running it by calling the _isAllowed() method of the adminhtml controller action class (Mage_Adminhtml_Controller_Action); if it returns false, the request is forwarded to the “denied” action. For example:

    /**
     * Check whether the current admin user is allowed to modify the system configuration
     *
     * @return bool
     */
    protected function _isAllowed()
    {
        // 'admin/' is prepended automatically, so this is the admin/system/config resource
        return Mage::getSingleton('admin/session')->isAllowed('system/config');
    }
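To show the same check for the resource declared in the adminhtml.xml above, here is an added example of an admin controller for the socialrecommend module. It is my own illustration, not code from the original tutorial or from the extension itself: the class name, the file path and the index action are assumed, and it also assumes the module registers an adminhtml router in its config.xml (which the page does not show). Only the resource id socialrecommend/settings comes from the ACL tree on the page.

```php
<?php
// app/code/local/Magestore/Socialrecommend/controllers/Adminhtml/SettingsController.php (assumed path)
// Added example; class and file names are my own choice, not the extension's own code.
class Magestore_Socialrecommend_Adminhtml_SettingsController extends Mage_Adminhtml_Controller_Action
{
    public function indexAction()
    {
        $this->loadLayout();
        // Highlight the entry declared as <socialrecommend><children><settings> in adminhtml.xml.
        $this->_setActiveMenu('socialrecommend/settings');
        $this->renderLayout();
    }

    /**
     * Called by Mage_Adminhtml_Controller_Action::preDispatch() before any action of this
     * controller runs. Returning false forwards the request to the "denied" action, so a
     * user whose role lacks the resource is stopped even when the menu entry is hidden and
     * the URL is entered by hand. A controller that does not override this method falls
     * back to the base class default, which knows nothing about this module's resource,
     * so every adminhtml controller should define it for its own resource.
     *
     * @return bool
     */
    protected function _isAllowed()
    {
        // Mage_Admin_Model_Session::isAllowed() prepends 'admin/', so this id matches the
        // <admin><children><socialrecommend><children><settings> resource declared above.
        return Mage::getSingleton('admin/session')->isAllowed('socialrecommend/settings');
    }
}
```

Hiding the menu entry is only a convenience for the user; the request-level check in _isAllowed() is what actually enforces the role's permissions, which is why the two halves of adminhtml.xml (the <menu> entry and the <acl> resource) need a matching check in the controller that serves the menu's action.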

Hope all the information above is helpful to you. Have fun and happy coding 😉



1 Comment

  1. My brother recommended I might like this web site.
    He was totally right. This post actually made my day. You
    can’t imagine simply how much time I had spent for this information! Thanks!
