"Access denied" for OrderManager actions after applying SUPEE-6285

Magento's security patch SUPEE-6285 has prevented some functionality of Fooman Order Manager (v3.0 and below) from working correctly, resulting in "Access Denied" permission issues.

To fix this issue, there are two steps:

  1. Make the code changes described below
  2. Make sure that all users, including any limited access roles, have access to Sales > Orders if you want these roles to be able to perform the mass actions

OrderManager v2.1.0 and under

In /app/code/community/Fooman/OrderManager/controllers/OrderController.php 

Add 

    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed('sales/order');
    }

right after 

class Fooman_OrderManager_OrderController extends Mage_Adminhtml_Controller_Action {

For OrderManager 2.1.0 to 2.1.x 

In /app/code/community/Fooman/OrderManager/controllers/Sales/OrderController.php 

Add 

    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed('sales/order');
    }

right after 

class Fooman_OrderManager_Sales_OrderController extends Mage_Adminhtml_Controller_Action {

For OrderManager 2.2.0 to 2.3.x 

In /app/code/community/Fooman/OrderManager/controllers/Sales/OrderManagerController.php 

Add 

    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed('sales/order');
    }

right after 

class Fooman_OrderManager_Sales_OrderManagerController extends Mage_Adminhtml_Controller_Action
{

Still need help? Contact Us Contact Us