Restrict admin user permissions per field in Magento
https://magento.stackexchange.com//questions/79139
-
13-12-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Is it possible to restrict an admin user on a field basis? For example I would like some users to edit stock of a product and the short description however I don't want them to be able to change fields like the product name and sku
Solution
I don't have a fully functional way of doing this, but I might have an idea.
If you take a look at the Mage_Adminhtml_Block_Catalog_Product_Edit_Tab_Attributes class, the one that renders the attribute tabs on the products add/edit page, you will see this in the _prepareForm method
if (Mage::registry('product')->hasLockedAttributes()) {
foreach (Mage::registry('product')->getLockedAttributes() as $attribute) {
$element = $form->getElement($attribute);
if ($element) {
$element->setReadonly(true, true);
}
}
}
This means that if the method getLockedAttributes from the product model, returns an array with attribute codes, they will be readonly in the form. This gives you the client side validation.
The same getLockedAttributes is used to check if you are allowed to set values for certain attributes for products and categories in Mage_Catalog_Model_Abstract::setData. This gives you the server side validation.
This means that you can create an observer on the product model's load method catalog_product_load_after where you retrieve (from somewhere...I don't know yet where from) the list of restricted attribute codes put them in an array called $locked then set them on the product model.
Something like this:
public function catalogProductLoadAfter($observer)
{
$locked = Magic happens here and you get from somewhere the list of attributes that the current user is not allowed to modify.
$product = $observer->getProduct();
foreach ($locked as $code) {
$product->lockAttribute($code);
}
return $this;
}
now the "magic" part.
My idea would be to have a separate admin section where for each admin you can dictate if an attribute can be edited by that certain admin.
Then retrieve for the current admin the list of allowed attributes.
