A third party Adwords professional requested a read only access to Magento admin panel, which raised the question to me: how to create a Magento admin panel user with read only privilege?
I am keen to do this job via ACL. Magento ACL role resources start from module to controller to action, I can not differentiate read/write privilege at the root level of role resources. It means it involves a lot of hassle coding up ACL in adminhtml.xml when creating a role with read access to all modules, because I have to code for every action, for example, indexAction is a read role resource, saveAction is a write role resource, editAction can be a write role resource if it actually saves data itself, or be a read role resource if post data are posted to saveAction.
Luckily, in my case, the Adwords professional only requested access to two modules – Catalog and Reports. As for Reports module, I treat the whole module as read only, so I simple check “Reports” node in the role resources tree.
As for Catalog module, the Adwords professional only requested to view product list, so I create several children of “Manage Products” node. The children map to all actions in Mage_Adminhtml_Catalog_ProductController, for example, product list maps to indexAction, product detail maps to editAction, product add and update maps to saveAction. I check indexAction node. I could check editAction (because it is read only process) as well but the Adwords professional did not see its necessity.
The last thing left to do is differentiating privilege by role resources node. It is a very simple change – override Mage_Adminhtml_Catalog_ProductController’s _isAllowed() method from
protected function _isAllowed() { return Mage::getSingleton('admin/session')->isAllowed('catalog/products'); }
to
protected function _isAllowed() { $action = $this->getRequest()->getRequestedActionName(); return Mage::getSingleton('admin/session')->isAllowed('catalog/products/'.$action); }
I think there may be another to differentiate read and write role resource using ACL, because when I look at a sample adminhtml.xml file, it says
<acl> <resources> <all> <title>Allow Everything</title> </all> </resources> </acl>
What does it means? Does it imply I can do something like
<acl> <resources> <read> <title>Read only</title> </read> <write> <title>Read and write</title> </write> </resources> </acl>
?
thank you, that was helpful.
And good question at the end. I always wondered what “all” would mean as a node.