Adding More Flexibility to Magento Access Control Lists

Magento Access Control Lists
Reading Time: 2 minutes

Sometimes you may need to let customers manage products section in your store BUT limit their ability to delete them. However, by default, Magento allows you to change only one permission that called ‘Manage product’. That’s quite a limitation and doesn’t allow us to solve this problem.

Read on to learn how to create additional permission, like ‘Add’, “Edit’, or ‘Delete’, etc.

We’ve created a little module with an observer and a new ACL rule that will let you extend the default Magento functionality.

Here is the adminhtml.xml file:

<?xml version="1.0"?>
                                    <delete translate="title">
                                        <title>Delete Products</title>

Also, we added a new ACL ‘Manage Products’ section with the ’Delete Products’ section inside.


You can repeat this for other actions that you may want to limit for customers.

Then, we need the observer where to check if the action is permitted or redirect the Admin back if not. As in the previous case, you can extend this functionality.

Declare the observer in the modules’ config.xml file in the adminhtml section:


We’ve used two known actions to delete products: simple delete and delete with mass clearance. Both are available in the products grid.

The same observer and its method is used because there are no differences between the checks and result. When expanding this functionality, keep in mind that the observer’s name should be unique (delete_product_acl and massdelete_product_acl in our case).

Now, we need to complete the method in the observer.

Here is the Observer.php file:


class Test_Module_Model_Observer

    public function isDeletionAllowed($observer)
        $isAllowed = Mage::getSingleton('admin/session')->isAllowed('catalog/products/delete');
        if (!$isAllowed) {
            /** @var $controller Mage_Core_Controller_Varien_Action */
            $controller = $observer->getData('controller_action');
            Mage::getSingleton('adminhtml/session')->addError(Mage::helper('test')->__('Delete action is not allowed'));

Let’s look through this method line by line:

$isAllowed = Mage::getSingleton('admin/session')->isAllowed('catalog/products/delete');

We got the validation result for the current Admin using our ALC for ‘Delete’.

In case you are logged in under Superadmin, the check will be ignored and always return ‘true’. That’s why it is required to create a new Admin (but not Superadmin!) to run the check.

Next goes the if (!$isAllowed) check.

If it is successfully passed and the rule is not available to the current Admin,  reset the following execution of the current action for the current Controller. Also, give the redirect back in response to the index action of the current Controller with the ‘Delete action is not allowed’ error display.

You can change the redirect page by replacing the path $controller->getUrl(‘*/*/’) to any other, where the first * is route, and the second * is controller. The third and missed * is the controller’s action, when we miss value like in the example it is indexAction.

You can change the result and show 404 page, for example, or send an email to the Superadmin about the actions of the current Admin.

original (1) original (2)Additionally, you can add the same check for the default blocks drawing in the Admin panel AND hide its buttons. If you are interested to learn how to do that, please let me know (in the comments section below) and we will write about that in a separate blog post.

Hence, the basics of such a module are quite obvious and the following development is limited only to one’s development resources.

Hey! I'm Ian, a senior developer at Webtex/MageWorx. I've been working with Magento for 5 years and I absolutely love it! In my posts I'm share my knowledge and experience of working with the platform. Hope, they'll help you solve the issues you have and optimize your store workflow.


Please enter your comment!
Please enter your name here