Magento 2 Admin ACL
The Magento 2 admin panel combines user authentication with an Access Control List (ACL) framework that lets a store owner define fine-grained roles and assign them to individual admin users. In this article, we will look at how the ACL works and how to register ACL resources for a custom module.
Magento 2 Access Control List Rules
The Magento 2 admin ACL resources are managed under System > Permissions > User Roles. When you click Add New Role or open an existing role, the role editor offers a Role Info tab, a Role Resources tab and a Role Users tab.
The Role Resources tab shows a tree of every ACL resource registered in the system. You can grant a role all resources or only a selection, and assign users to the role in the Role Users tab. Users in that role can only see and use the resources you granted; every other resource is hidden from them and blocked.
Step 1: Create ACL Rule
Now, we will see how to add our module to the ACL role. We will use the previous simple module HelloWorld to do this. As mentioned in the Admin Menu and System Configuration articles, there is always a resource attribute when creating a menu item. We need to register those resources with the system so that Magento recognizes them and allows us to set roles for them. To register the resource, we use the acl.xml file, located in app/code/{namespace}/{module}/etc/acl.xml. Let’s create this file for our simple module:
File: app/code/Mavenbird/HelloWorld/etc/acl.xml
Contents would be:
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
    <acl>
        <resources>
            <resource id="Magento_Backend::admin">
                <resource id="Mavenbird_HelloWorld::helloworld" title="Hello World" sortOrder="51">
                    <resource id="Mavenbird_HelloWorld::post" title="Posts" sortOrder="10"/>
                    <resource id="Mavenbird_HelloWorld::helloworld_configuration" title="Configuration" sortOrder="99"/>
                </resource>
                <resource id="Magento_Backend::stores">
                    <resource id="Magento_Backend::stores_settings">
                        <resource id="Magento_Config::config">
                            <resource id="Mavenbird_HelloWorld::helloworld_config" title="Hello World"/>
                        </resource>
                    </resource>
                </resource>
            </resource>
        </resources>
    </acl>
</config>
Every resource is placed under Magento_Backend::admin, either directly (Mavenbird_HelloWorld::helloworld) or beneath an existing core resource such as Magento_Config::config, so that it appears in the right branch of the tree. Each resource element carries the following attributes:
- id: the identifier of the resource. This is the string you reference in the admin menu, in system configuration and in controllers to restrict access. It must be unique and should follow the format Vendor_ModuleName::resource_name.
- title: the label shown for the resource in the Role Resources tree.
- sortOrder: the position of the resource among its siblings in the tree (optional, as the last resource in the example shows).
Once the file is in place, flush the cache and check that the new resources appear in the Role Resources tree.
Step 2: Flush Magento Cache
New ACL resources (and new admin menu items) are read from cached configuration, so flush the Magento 2 cache before checking the Role Resources tree:
php bin/magento cache:flush
Step 3: Check ACL Rule
There are three places where the ACL resource is applied to limit access:
- Admin Menu: set the resource attribute on the menu item so the entry is hidden from roles that have not been granted the resource. Note that hiding the menu is not enforcement on its own: a user who knows the URL can still request the action directly, so the controller check described further down is what actually blocks access.
File: app/code/Mavenbird/HelloWorld/etc/adminhtml/menu.xml
<add id="Mavenbird_HelloWorld::helloworld" title="Hello World" module="Mavenbird_HelloWorld" sortOrder="51" resource="Mavenbird_HelloWorld::helloworld"/>
- System configuration: declare the ACL resource in the section's resource element so that only roles holding that resource can open and edit the section under Stores > Configuration.
File: app/code/Mavenbird/HelloWorld/etc/adminhtml/system.xml
<section id="helloworld" translate="label" sortOrder="130" showInDefault="1" showInWebsite="1" showInStore="1">
    ...
    <resource>Mavenbird_HelloWorld::helloworld_configuration</resource>
    ...
</section>
The Mavenbird_HelloWorld::helloworld_configuration resource is used in the How to Create System.xml Configuration tutorial.
- Controllers: the resource is also enforced in admin controllers. This is the check that protects a direct request to the action, regardless of whether the menu item is visible.
Admin controllers extend Magento\Backend\App\Action, whose base class receives an implementation of the Magento\Framework\AuthorizationInterface interface from the controller context and exposes it as $this->_authorization. Its isAllowed() method checks whether the currently logged-in admin user holds a given ACL resource. The framework calls the controller's protected _isAllowed() method during dispatch, before execute() runs; when it returns false the request is answered with a 403 status and the access-denied page. The classic way to hook into this is to override _isAllowed() and check your resource:
For example, File: vendor/magento/module-customer/Controller/Adminhtml/Index.php

protected function _isAllowed()
{
    return $this->_authorization->isAllowed('Magento_Customer::manage');
}
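On current Magento 2 releases the same check is normally expressed through the ADMIN_RESOURCE class constant instead of an _isAllowed() override: the default _isAllowed() in Magento\Backend\App\AbstractAction simply returns $this->_authorization->isAllowed(static::ADMIN_RESOURCE), and the inherited value of that constant is Magento_Backend::admin, a resource every admin user holds. A controller that forgets to set the constant is therefore reachable by any role. The following admin controller for the Posts resource is an added example, not code from the original article or the Mavenbird module; it assumes the Mavenbird_HelloWorld module with the Mavenbird_HelloWorld::post resource from the acl.xml above, an adminhtml route for the module, and a layout handle for the page (the class name and file path are assumptions).

```php
<?php
/**
 * Added example, not from the original article or the Mavenbird module.
 * Assumed file: app/code/Mavenbird/HelloWorld/Controller/Adminhtml/Post/Index.php
 * Assumes the Mavenbird_HelloWorld::post resource declared in etc/acl.xml.
 */
declare(strict_types=1);

namespace Mavenbird\HelloWorld\Controller\Adminhtml\Post;

use Magento\Backend\App\Action;
use Magento\Backend\App\Action\Context;
use Magento\Framework\App\Action\HttpGetActionInterface;
use Magento\Framework\View\Result\Page;
use Magento\Framework\View\Result\PageFactory;

class Index extends Action implements HttpGetActionInterface
{
    /**
     * Checked by the inherited _isAllowed() before execute() is reached.
     * Without this override the controller inherits 'Magento_Backend::admin',
     * which every admin user has, so any role could open this page.
     * Always point it at the module's own ACL resource.
     */
    const ADMIN_RESOURCE = 'Mavenbird_HelloWorld::post';

    /** @var PageFactory */
    private $resultPageFactory;

    public function __construct(Context $context, PageFactory $resultPageFactory)
    {
        // Context supplies $this->_authorization (AuthorizationInterface) to the parent.
        parent::__construct($context);
        $this->resultPageFactory = $resultPageFactory;
    }

    /**
     * Only runs for users whose role holds Mavenbird_HelloWorld::post;
     * everyone else received a 403 and the access-denied page during dispatch.
     */
    public function execute(): Page
    {
        $resultPage = $this->resultPageFactory->create();
        // Highlights the matching menu item; the same id is used in menu.xml.
        $resultPage->setActiveMenu('Mavenbird_HelloWorld::post');
        $resultPage->getConfig()->getTitle()->prepend(__('Posts'));
        return $resultPage;
    }
}
```

To verify the rule rather than trust the hidden menu, create a role without the Hello World > Posts resource, assign a test user to it, log in as that user and request the action URL directly (for example .../admin/helloworld/post/index with the admin URL key): the response should be the 403 access-denied page. Then grant the resource to the role, flush the cache, and confirm the same request now renders the page.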