Mohamed Abbas | Architect Magento | Tech Blogger | Magento Trainer

How to Restrict Access to Your Module via Magento 2 ACLs

Introduction: As an eCommerce store owner or administrator, securing your Magento 2 platform is crucial. One of the key aspects of this security is managing user access to different modules in the admin panel. Magento 2 provides a powerful feature called Access Control Lists (ACLs), which allow you to restrict access to custom modules, ensuring only authorized users have access to certain resources. In this guide, we’ll walk you through the process of using ACLs to restrict access to your custom module in Magento 2, from creating an ACL file to testing and verifying the access restrictions.

Table of Contents:

~ Understanding Access Control Lists (ACLs)

~ Creating the acl.xml file

~ Defining Resources and Permissions

~ Managing Menu Items

~ Implementing ACL Rules

~ Testing and Verifying Access Restrictions

~ Conclusion

1. Understanding Access Control Lists (ACLs)

An Access Control List (ACL) is a list of rules specifying which users are granted or denied access to certain resources. In Magento 2, ACLs allow you to manage access to modules, menus, and actions within the admin panel, granting you control over who can access specific features.

Types of ACLs:

  • File System ACLs: These control access to files and directories, defining user access permissions and privileges within an operating system.

  • Networking ACLs: These manage network access, specifying the types of traffic allowed to interact with the network.

In Magento 2, ACLs are organized hierarchically, which enables you to set up granular access controls. This structure helps strengthen the security of your store by restricting unauthorized access to sensitive modules and actions.

2. Creating the acl.xml File

To begin setting up access control for your custom module, you’ll need to create an acl.xml file. This file defines the resources and permissions associated with your module and should be placed in your module’s etc/adminhtml directory.

Example of an acl.xml file:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
    <acl>
        <resources>
            <resource id="Magento_Backend::admin">
                <resource id="Vendor_Module::module_root" title="Custom Module Root" sortOrder="10">
                    <resource id="Vendor_Module::view" title="View" sortOrder="10"/>
                    <resource id="Vendor_Module::edit" title="Edit" sortOrder="20"/>
                </resource>
            </resource>
        </resources>
    </acl>
</config>


Explanation:

  • resource id="Magento_Backend::admin": This is the root level for Magento admin permissions.
  • resource id="Vendor_Module::module_root": This defines a parent resource with a custom ID (Vendor_Module::module_root) for your module.
  • resource id="Vendor_Module::view" and resource id="Vendor_Module::edit": These are child resources that define specific permissions for viewing and editing within your module.

3. Defining Resources and Permissions

Resources represent elements within the admin panel (e.g., modules, actions). You can control access to resources by associating them with ACLs in the acl.xml file.

Defining Permissions:

  1. Admin Role Permission Levels: Assign permissions to different resources based on roles like view, edit, or delete.

  2. Resource Hierarchies: Use a hierarchical structure where top-level resources contain sub-resources.

Example:

<resource id="Vendor_Module::module_root" title="Custom Module Root">
    <resource id="Vendor_Module::view" title="View"/>
    <resource id="Vendor_Module::edit" title="Edit"/>
</resource>


In this example, only users with the view or edit permissions for this module root can access the respective features in your custom module.

4. Managing Menu Items

Menu items linked to your ACL resources will only be visible to users with the required permissions. To create menu items, use the menu.xml file in etc/adminhtml.

Example of a menu.xml file:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Backend:etc/menu.xsd">
    <menu>
        <add id="Vendor_Module::module_menu" title="Custom Module" module="Vendor_Module" sortOrder="10" parent="Magento_Backend::content" resource="Vendor_Module::module_root"/>
    </menu>
</config>


Explanation:

  • id="Vendor_Module::module_menu": The menu item’s unique identifier.
  • resource="Vendor_Module::module_root": Associates this menu item with the root ACL resource, making it visible only to authorized users.

5. Implementing ACL Rules

To enforce access restrictions, you need to map resources in your code to ACL rules defined in acl.xml. This is generally done in the controllers for your module.

Example of Controller with ACL Check:

<?php
namespace Vendor\Module\Controller\Adminhtml\Example;

use Magento\Backend\App\Action;
use Magento\Framework\Controller\ResultFactory;
use Magento\Framework\Controller\ResultInterface;

class Index extends Action
{
    // ACL resource the parent class checks in _isAllowed() during dispatch(),
    // before execute() is reached.
    const ADMIN_RESOURCE = 'Vendor_Module::view';

    public function execute(): ResultInterface
    {
        // Explicit check kept for illustration; the framework already enforces
        // ADMIN_RESOURCE and renders the 403 "denied" page when it is missing.
        if (!$this->_authorization->isAllowed(self::ADMIN_RESOURCE)) {
            $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
            $resultRedirect->setPath('admin/dashboard');
            return $resultRedirect;
        }

        // Controller logic here: render the module's admin page.
        $resultPage = $this->resultFactory->create(ResultFactory::TYPE_PAGE);
        $resultPage->getConfig()->getTitle()->prepend(__('Custom Module'));
        return $resultPage;
    }
}


Explanation:

  • const ADMIN_RESOURCE: Defines the ACL resource (Vendor_Module::view) required to access this action.
  • $this->_authorization->isAllowed: Checks if the user has the necessary permissions.
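As an added example (not from the original post), a companion Save controller that requires the narrower Vendor_Module::edit resource declared in acl.xml and relies on the framework's built-in ADMIN_RESOURCE check rather than a manual isAllowed() call; the repository call is a hypothetical placeholder.

```php
<?php
declare(strict_types=1);

namespace Vendor\Module\Controller\Adminhtml\Example;

use Magento\Backend\App\Action;
use Magento\Framework\App\Action\HttpPostActionInterface;
use Magento\Framework\Controller\ResultFactory;
use Magento\Framework\Controller\ResultInterface;

/**
 * Save action for the custom module.
 *
 * Magento\Backend\App\AbstractAction::dispatch() calls _isAllowed(), which
 * tests static::ADMIN_RESOURCE against the logged-in admin's role before
 * execute() runs; a role without it receives the 403 "denied" page. Giving
 * this action a different resource than Index separates "can look" from
 * "can change", which is why acl.xml declares both view and edit.
 */
class Save extends Action implements HttpPostActionInterface
{
    /** Narrower permission than Index, which only needs Vendor_Module::view. */
    public const ADMIN_RESOURCE = 'Vendor_Module::edit';

    public function execute(): ResultInterface
    {
        $redirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
        $data = $this->getRequest()->getPostValue();

        if (empty($data)) {
            $this->messageManager->addErrorMessage(__('No data to save.'));
            return $redirect->setPath('*/*/index');
        }

        // Persistence is module-specific. A hypothetical repository, injected
        // through the constructor, would be called here:
        // $this->exampleRepository->save($data);

        $this->messageManager->addSuccessMessage(__('The record has been saved.'));
        return $redirect->setPath('*/*/index');
    }
}
```

A Save button rendered from a Magento\Backend\Block\Template can be hidden for view-only roles with $this->_authorization->isAllowed('Vendor_Module::edit'), but that is cosmetic; the controller's ADMIN_RESOURCE is the enforcement point.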

6. Testing and Verifying Access Restrictions

Thorough testing is essential to verify that your ACLs work as expected. Here are some key steps:

  1. Login with Different User Roles: Create user roles with various permissions and confirm that only users with the appropriate access can interact with your module.

  2. Check Menu Visibility: Ensure menu items are only visible to authorized users.

  3. Attempt Unauthorized Access: Try accessing your module with insufficient permissions to confirm it redirects or denies access as expected.

Troubleshooting Tips:

  • Clear the Cache: After updating ACL files, clear the cache to reflect changes.

  • Use the Developer Mode: This can help identify errors or misconfigurations in your ACL setup.
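The checklist above can be automated with Magento's integration test framework. This is an added example, not part of the original post; it assumes the module's routes.xml registers the admin route part vendor_module and that a Save action declaring ADMIN_RESOURCE = 'Vendor_Module::edit' exists.

```php
<?php
declare(strict_types=1);

namespace Vendor\Module\Test\Integration\Controller\Adminhtml\Example;

use Magento\Framework\Acl\Builder as AclBuilder;
use Magento\TestFramework\TestCase\AbstractBackendController;

/**
 * Runs under dev/tests/integration. The parent class already ships two
 * tests driven by the properties below: testAclHasAccess() dispatches $uri
 * as a fully privileged admin and expects neither 403 nor 404, and
 * testAclNoAccess() denies $resource in the ACL, dispatches again and
 * expects HTTP 403. "backend" is the admin frontName in the test environment.
 */
class IndexTest extends AbstractBackendController
{
    /** Must match ADMIN_RESOURCE in Controller\Adminhtml\Example\Index. */
    protected $resource = 'Vendor_Module::view';

    /** Route part "vendor_module" is assumed from the module's routes.xml. */
    protected $uri = 'backend/vendor_module/example/index';

    protected $httpMethod = 'GET';

    /**
     * Step 3 of the checklist: a role that holds "view" but not "edit" must
     * still be refused by the Save action (assumed resource Vendor_Module::edit).
     */
    public function testViewOnlyRoleIsDeniedSave(): void
    {
        // Keep every other grant of the test admin, deny only the edit resource.
        $this->_objectManager->get(AclBuilder::class)
            ->getAcl()
            ->deny(null, 'Vendor_Module::edit');

        $this->getRequest()->setMethod('POST');
        $this->getRequest()->setPostValue(['name' => 'constructed sample']);
        $this->dispatch('backend/vendor_module/example/save');

        $this->assertSame(403, $this->getResponse()->getHttpResponseCode());
    }

    /** The same restricted role still reaches Index, since it only needs "view". */
    public function testViewOnlyRoleReachesIndex(): void
    {
        $this->_objectManager->get(AclBuilder::class)
            ->getAcl()
            ->deny(null, 'Vendor_Module::edit');

        $this->dispatch($this->uri);

        $this->assertSame(200, $this->getResponse()->getHttpResponseCode());
    }
}
```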

Conclusion

Securing access to your Magento 2 modules with ACLs is a vital step in protecting your store’s data and ensuring only authorized users can perform certain actions. By creating an acl.xml file, defining resources, managing menu items, implementing ACL rules, and thoroughly testing, you can effectively restrict access to sensitive functionalities within the admin panel. Following these best practices helps prevent unauthorized access and maintain a secure Magento 2 store.

Take Action: Try implementing these ACLs in your own Magento 2 environment to see the security benefits firsthand. By doing so, you’re taking an essential step toward a safer, more manageable eCommerce store.