User Role doesn't work as intended
16-10-2019
Question
Creating a user role to access only the VIEW action under sales order does not deny the user from editing the billing and shipping address in the order information page.
Is there a way to fix it?
Solution
Create your own controller replacing Mage_Adminhtml_Sales_OrderController. In your controller, create an _isAllowed method:

    /**
     * Acl check for admin
     *
     * @return bool
     */
    protected function _isAllowed()
    {
        // getActionName() returns the camelCase action name (e.g. "addressSave"),
        // so after strtolower() the case labels below must be all lowercase too.
        $action = strtolower($this->getRequest()->getActionName());
        $aclResource = null;
        switch ($action) {
            case 'addresssave':
            case 'address':
                $aclResource = 'sales/order/actions/address';
                break;
        }
        if ($aclResource !== null) {
            return Mage::getSingleton('admin/session')->isAllowed($aclResource);
        }
        return parent::_isAllowed();
    }
In your adminhtml.xml, add this:

    <config>
        <acl>
            <resources>
                <admin>
                    <children>
                        <sales>
                            <children>
                                <order>
                                    <children>
                                        <actions>
                                            <children>
                                                <address translate="title">
                                                    <title>Edit Address</title>
                                                </address>
                                            </children>
                                        </actions>
                                    </children>
                                </order>
                            </children>
                        </sales>
                    </children>
                </admin>
            </resources>
        </acl>
    </config>
Now you can enable and disable the edit address screen for users.
If you want to hide the link from these users, you can copy app/design/adminhtml/default/default/template/sales/order/view/info.phtml to your custom admin theme and replace

    <div class="tools"><?php echo $this->getAddressEditLink($_order->getBillingAddress())?></div>

with something like this:

    <?php if (Mage::getSingleton('admin/session')->isAllowed('sales/order/actions/address')): ?>
    <div class="tools"><?php echo $this->getAddressEditLink($_order->getBillingAddress())?></div>
    <?php endif; ?>
and do the same for the shipping address. Ideally you put the call to the singleton in your own block class but I put the code in the template file for the sake of brevity.
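The answer stops short of the block-class variant it recommends, so here is one as an added example (not code from the original answer or from Magento). The module name MyCompany_SalesAcl and every class name are assumptions; the ACL resource id is the one registered in the adminhtml.xml above, and the rewrite is registered in the module's config.xml as shown in the leading comment.

```php
<?php
/**
 * Added example: wrap the ACL check in a block rewrite so the template never
 * touches the admin session directly.
 *
 * Assumed module/class names; register the rewrite in the module's config.xml:
 *
 *   <global>
 *     <blocks>
 *       <adminhtml>
 *         <rewrite>
 *           <sales_order_view_info>MyCompany_SalesAcl_Block_Adminhtml_Sales_Order_View_Info</sales_order_view_info>
 *         </rewrite>
 *       </adminhtml>
 *     </blocks>
 *   </global>
 */
class MyCompany_SalesAcl_Block_Adminhtml_Sales_Order_View_Info
    extends Mage_Adminhtml_Block_Sales_Order_View_Info
{
    /** ACL resource id from adminhtml.xml; the controller's _isAllowed() checks the same id. */
    const ACL_EDIT_ADDRESS = 'sales/order/actions/address';

    /**
     * True when the current admin user holds the edit-address ACL resource.
     *
     * @return bool
     */
    public function canEditAddress()
    {
        return Mage::getSingleton('admin/session')->isAllowed(self::ACL_EDIT_ADDRESS);
    }

    /**
     * Render the "Edit" link only for users who hold the resource; otherwise
     * return an empty string so the template stays a single echo.
     *
     * @param Mage_Sales_Model_Order_Address $address
     * @return string
     */
    public function getAddressEditLinkIfAllowed($address)
    {
        if (!$this->canEditAddress()) {
            return '';
        }
        return $this->getAddressEditLink($address);
    }
}
```

In the copied info.phtml the two tools divs then become `<div class="tools"><?php echo $this->getAddressEditLinkIfAllowed($_order->getBillingAddress()) ?></div>` and the same for the shipping address. Hiding the link is only a usability measure: the controller's _isAllowed() override is what actually blocks the address and addressSave actions for a view-only role, so keep both in place.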