ashsmith / magento2-blog-module-tutorial

A tutorial on how to create a Magento 2 module from scratch, with tests.
https://www.ashsmith.io/magento2/module-from-scratch-introduction/

ACL doesn't work as intended #13

Closed pantaoran closed 8 years ago

pantaoran commented 8 years ago

When I create a backend user who isn't full admin and has some ACL restrictions (not necessarily on this blog module, can be anywhere apparently), then that user cannot view the blog posts listing grid (gets Access Denied).

This is because in class https://github.com/ashsmith/magento2-blog-module-tutorial/blob/master/Controller/Adminhtml/Post/Index.php the const field ADMIN_RESOURCE doesn't have the effect that you think it does.

In the ancestor (\Magento\Backend\App\AbstractAction) that field is used in _isAllowed() to check the ACL, but there it is called with self::ADMIN_RESOURCE which will always be Magento_Backend::admin, your child class cannot override that if I understand it correctly (it would be possible if the abstract class used static::ADMIN_RESOURCE instead).

So you need to delete your constant and instead properly override the _isAllowed() method like you do in other controllers.
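The following is an added, self-contained PHP illustration of the point made in this issue; it is not code from the tutorial repository or from Magento. It uses simplified stand-ins for \Magento\Backend\App\AbstractAction and the authorization service (the class names, the `FakeAuthorization` helper and the `Vendor_Blog::post` resource id are all hypothetical placeholders), and it assumes, as the comment describes, that the ancestor resolves the resource via `self::ADMIN_RESOURCE`. It shows why a child class that only redefines the constant is still checked against `Magento_Backend::admin`, why overriding `_isAllowed()` fixes it, and, for comparison, what `static::` would have done.

```php
<?php
// Added illustration; not code from the tutorial or from Magento.
// All class names below are hypothetical stand-ins.

interface AuthorizationInterface
{
    public function isAllowed(string $resource): bool;
}

// Constructed stand-in for Magento's ACL service: the role is granted only the
// resources listed here. A restricted admin is NOT granted the root resource.
final class FakeAuthorization implements AuthorizationInterface
{
    /** @var string[] */
    private $granted;

    public function __construct(array $granted)
    {
        $this->granted = $granted;
    }

    public function isAllowed(string $resource): bool
    {
        return in_array($resource, $this->granted, true);
    }
}

// Variant A: the ancestor checks self::ADMIN_RESOURCE (the situation the issue describes).
// self:: is resolved against the class in which this method is written, so a
// constant redefined in a subclass is never consulted.
abstract class AbstractActionSelfBound
{
    const ADMIN_RESOURCE = 'Magento_Backend::admin';

    /** @var AuthorizationInterface */
    protected $authorization;

    public function __construct(AuthorizationInterface $authorization)
    {
        $this->authorization = $authorization;
    }

    protected function _isAllowed(): bool
    {
        return $this->authorization->isAllowed(self::ADMIN_RESOURCE);
    }

    public function dispatch(): string
    {
        return $this->_isAllowed() ? 'grid rendered' : 'Access Denied';
    }
}

// Variant B: identical, except the check uses static:: (late static binding),
// which resolves the constant against the class that was actually instantiated.
abstract class AbstractActionLateBound extends AbstractActionSelfBound
{
    protected function _isAllowed(): bool
    {
        return $this->authorization->isAllowed(static::ADMIN_RESOURCE);
    }
}

// Child that only redefines the constant, as the tutorial's Index controller did.
final class PostIndexConstOnly extends AbstractActionSelfBound
{
    const ADMIN_RESOURCE = 'Vendor_Blog::post'; // placeholder resource id
}

// Child that overrides _isAllowed() itself, the fix recommended in the issue.
// Inside this class, self:: refers to PostIndexOverride, so its own constant is used.
final class PostIndexOverride extends AbstractActionSelfBound
{
    const ADMIN_RESOURCE = 'Vendor_Blog::post'; // placeholder resource id

    protected function _isAllowed(): bool
    {
        return $this->authorization->isAllowed(self::ADMIN_RESOURCE);
    }
}

// Child under the static:: ancestor, where redefining the constant alone is enough.
final class PostIndexLateBound extends AbstractActionLateBound
{
    const ADMIN_RESOURCE = 'Vendor_Blog::post'; // placeholder resource id
}

// Constructed restricted role: allowed on the blog resource, not on the root resource.
$restrictedAdmin = new FakeAuthorization(['Vendor_Blog::post']);

echo 'constant only, self:: ancestor:   ', (new PostIndexConstOnly($restrictedAdmin))->dispatch(), PHP_EOL;
echo '_isAllowed() override:            ', (new PostIndexOverride($restrictedAdmin))->dispatch(), PHP_EOL;
echo 'constant only, static:: ancestor: ', (new PostIndexLateBound($restrictedAdmin))->dispatch(), PHP_EOL;
```

Running this with `php` shows the first controller refused and the other two rendering the grid: `PostIndexConstOnly` is checked against `Magento_Backend::admin`, which the restricted role does not hold, while both the explicit `_isAllowed()` override and the `static::` ancestor check `Vendor_Blog::post`. The practical check for a module author is therefore that every admin controller's effective ACL resource is the module's own one, verified with a role that has only that resource granted, rather than trusting that a redefined constant is honoured by the parent class.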

ashsmith commented 8 years ago

Confirmed, I'll fix this and update the blog today.