







Magento released a new patch yesterday called SUPEE 6285 along with a new version of the CE (1.9.2.0):

You can find good summaries of the changes here or here.

This patch introduces some really annoying bugs though, especially regarding 3rd party modules/extensions. Basically, any third party extension that adds Adminhtml pages now needs an _isAllowed method in its controllers that checks the ACL resource for the pages that controller serves.

Any admin user whose role has anything less than administrator permissions will not be able to access any page belonging to a third party extension, no matter what permissions that role has been given!!

I’ll show you how to fix those issues, particularly pertaining to the Ebizmarts Sage Pay suite.

To start:

EbizMarts has released a fix for this issue:

Sage Pay Suite Pro patch: We’ve just released v3.0.26.5 with support for @Magento’s patch SUPEE-6285, contact us to get the upgrade! — ebizmarts (@ebizmarts) July 9, 2015

I contacted them and got the following response:

@Manticorp we'll get back to you by email, the Pro version is a private download link, the Free version will be ready at eod @magento — ebizmarts (@ebizmarts) July 9, 2015

A fix for the pro version is available now, and a fix for the free version will be available by the end of the day.

In the meantime, if you really need to put orders through the site, you will need to give those users a role with ALL permissions:

Go to System > Permissions > Roles and make or edit a role. On the Role Resources tab, make sure the following is set:

Then assign the needed users that role.

Failing that, you will need to go into every Admin controller located in app/code/local/Ebizmarts/SagePaySuite/controllers/Adminhtml and add the following to every file:

    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed(
            'sales/sagepay/path_to_acl_resource'
        );
    }

Not ideal…

To find the ACL resource, go to app/code/local/Ebizmarts/SagePaySuite/etc/adminhtml.xml – in there you’ll find the following lines:

    <acl>
        <resources>
            <admin>
                <children>
                    <system>
                        <children>
                            <config>
                                <children>
                                    <sagepaysuite>
                                        <title>Ebizmarts SagePaySuite</title>
                                    </sagepaysuite>
                                </children>
                            </config>
                        </children>
                    </system>
                    <sales>
                        <children>
                            <sagepay>
                                <title>Sage Pay</title>
                                <children>
                                    <dashboard translate="title">
                                        <title>Sage Pay Dashboard</title>
                                    </dashboard>
                                    ... more here ...
                                    <token_cards translate="title">
                                        <title>Sage Pay Token Cards</title>
                                    </token_cards>
                                </children>
                            </sagepay>
                        </children>
                    </sales>
                </children>
            </admin>
        </resources>
    </acl>

So as an example, the resource path for the dashboard would be sales/sagepay/dashboard – I think…

This should work for all other modules affected by the SUPEE 6285 bug.

You’ll need to go into the source for any Adminhtml controllers and set up the correct ACL rules in an _isAllowed() method for each one until the module’s vendor releases an update (which some, presumably, never will).
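
To take the guesswork out of both steps, here is an added example (not part of the original post and not Ebizmarts' code): a Python script that lists every ACL resource path declared in an adminhtml.xml and flags Adminhtml controller files that never define _isAllowed(). The function names and the sample XML are constructed for illustration; it assumes the resource path is the chain of element names below <admin> with the <children> wrappers dropped.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample, trimmed from the adminhtml.xml excerpt shown in the post.
SAMPLE_ACL = """<config><acl><resources><admin><children>
  <sales><children><sagepay><title>Sage Pay</title><children>
    <dashboard translate="title"><title>Sage Pay Dashboard</title></dashboard>
    <token_cards translate="title"><title>Sage Pay Token Cards</title></token_cards>
  </children></sagepay></children></sales>
</children></admin></resources></acl></config>"""

IS_ALLOWED = re.compile(r"function\s+_isAllowed\s*\(", re.IGNORECASE)


def acl_paths(xml_text):
    """Return {resource_path: title} for every ACL node below <admin>."""
    root = ET.fromstring(xml_text)
    # Works whether the document root is <config> or <acl> itself.
    admin = next((r.find("admin") for r in root.iter("resources")), None)
    paths = {}

    def walk(node, prefix):
        children = node.find("children")
        if children is None:
            return
        for child in children:
            path = prefix + [child.tag]
            paths["/".join(path)] = child.findtext("title", default="")
            walk(child, path)

    if admin is not None:
        walk(admin, [])
    return paths


def controllers_missing_is_allowed(adminhtml_dir):
    """List controller files under adminhtml_dir that never define _isAllowed()."""
    # Text match only: a controller inheriting the method from a module base
    # class is still reported, so review each hit by hand.
    missing = []
    for php in sorted(Path(adminhtml_dir).rglob("*Controller.php")):
        if not IS_ALLOWED.search(php.read_text(errors="replace")):
            missing.append(php.relative_to(adminhtml_dir).as_posix())
    return missing


if __name__ == "__main__":
    for path, title in acl_paths(SAMPLE_ACL).items():
        print(path, "->", title)
```

Point controllers_missing_is_allowed() at an extension's controllers/Adminhtml directory, then pick the matching path from acl_paths() for each file it reports.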