Fixed ability to save config by a user with limited access (#496)

Related to configs that uses 'config_path' parameter only - payment config section for example.
OpenMage · Jun 23, 2019 · 3db1bfc · 3db1bfc
1 parent 097ef2d
commit 3db1bfc
Showing 1 changed file with 26 additions and 1 deletion.
diff --git a/app/code/core/Mage/Adminhtml/Model/Config/Data.php b/app/code/core/Mage/Adminhtml/Model/Config/Data.php
@@ -168,7 +168,8 @@ public function save()
                 if (is_object($fieldConfig)) {
                     $configPath = (string)$fieldConfig->config_path;
                     if (!empty($configPath) && strrpos($configPath, '/') > 0) {
-                        if (!Mage::getSingleton('admin/session')->isAllowed($configPath)) {
+                        $parts = explode('/', $configPath);
+                        if (!$this->_isSectionAllowed($parts[0])) {
                             Mage::throwException('Access denied.');
                         }
                         // Extend old data with specified section group
@@ -244,6 +245,30 @@ public function extendConfig($path, $full = true, $oldConfig = array())
         return $extended;
     }
 
+    /**
+     * Check if specified section allowed in ACL
+     *
+     * Taken from Mage_Adminhtml_System_ConfigController::_isSectionAllowed
+     *
+     * @param string $section
+     * @return bool
+     */
+    protected function _isSectionAllowed($section)
+    {
+        try {
+            $session = Mage::getSingleton('admin/session');
+            $resourceLookup = "admin/system/config/{$section}";
+            if ($session->getData('acl') instanceof Mage_Admin_Model_Acl) {
+                return $session->isAllowed(
+                    $session->getData('acl')->get($resourceLookup)->getResourceId()
+                );
+            }
+        } catch (Exception $e) {
+            return false;
+        }
+        return false;
+    }
+
     /**
      * Validate isset required parametrs
      *