From 3db1bfc19853f7510280a1a409a40c17d7c37ad5 Mon Sep 17 00:00:00 2001
From: Vova Yatsyuk
Date: Sun, 23 Jun 2019 19:42:00 +0200
Subject: [PATCH] Fixed ability to save config by a user with limited access (#496)

Related to configs that uses 'config_path' parameter only - payment config section for example.
---
 .../core/Mage/Adminhtml/Model/Config/Data.php | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/app/code/core/Mage/Adminhtml/Model/Config/Data.php b/app/code/core/Mage/Adminhtml/Model/Config/Data.php
index f8f31a11e22..4b4a8e4f881 100644
--- a/app/code/core/Mage/Adminhtml/Model/Config/Data.php
+++ b/app/code/core/Mage/Adminhtml/Model/Config/Data.php
@@ -168,7 +168,8 @@ public function save()
 if (is_object($fieldConfig)) {
 $configPath = (string)$fieldConfig->config_path;
 if (!empty($configPath) && strrpos($configPath, '/') > 0) {
- if (!Mage::getSingleton('admin/session')->isAllowed($configPath)) {
+ $parts = explode('/', $configPath);
+ if (!$this->_isSectionAllowed($parts[0])) {
 Mage::throwException('Access denied.');
 }
 // Extend old data with specified section group
@@ -244,6 +245,30 @@ public function extendConfig($path, $full = true, $oldConfig = array())
 return $extended;
 }
 
+ /**
+ * Check if specified section allowed in ACL
+ *
+ * Taken from Mage_Adminhtml_System_ConfigController::_isSectionAllowed
+ *
+ * @param string $section
+ * @return bool
+ */
+ protected function _isSectionAllowed($section)
+ {
+ try {
+ $session = Mage::getSingleton('admin/session');
+ $resourceLookup = "admin/system/config/{$section}";
+ if ($session->getData('acl') instanceof Mage_Admin_Model_Acl) {
+ return $session->isAllowed(
+ $session->getData('acl')->get($resourceLookup)->getResourceId()
+ );
+ }
+ } catch (Exception $e) {
+ return false;
+ }
+ return false;
+ }
+
 /**
 * Validate isset required parametrs
 *
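Review bot: The authorisation check now covers only the first segment of `config_path` (the target section) instead of the full field path, and nothing on the new lines says this narrowing is intentional, so a later reader may "restore" the field-level check that caused #496. The `strrpos($configPath, '/') > 0` guard also lets a path with a leading slash through with an empty `$parts[0]`; from the lookup in `_isSectionAllowed` that appears to be denied because no `admin/system/config/` resource exists, but that has to be traced rather than read. I would add above the `explode` line: `// config_path may point into another section; authorise against that section's ACL node (as the config controller does), an unknown section is denied`. Since only the first segment is used, `explode('/', $configPath, 2)` says so directly. The enclosing `save()` starts and ends outside this hunk.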
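Review bot: `catch (Exception $e)` in `_isSectionAllowed` masks every failure, not just the `Zend_Acl_Exception` that `Zend_Acl::get()` raises for a section with no registered ACL resource; the outcome is fail-closed in both cases, which is the right default for an authorisation helper, but a broken session or ACL model is then reported to the admin as a plain "Access denied." with nothing to diagnose. Narrowing it to `} catch (Zend_Acl_Exception $e) {` keeps the deny for the expected case and lets genuine errors surface; `$e` is unused either way. The docblock should state what the two `return false` paths mean, e.g. `Returns false (access denied) when no ACL is loaded in the session or the section has no ACL resource.` The ACL is also fetched twice through `getData('acl')`; a local `$acl = $session->getData('acl');` before the `instanceof` test reads cleaner.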