README

Overview

This module extends the default Magento 2 admin user role logic by adding an "Access Control" mode. It allows administrators to choose between "Allow" (default whitelist behavior) and "Deny" (blacklist behavior) for each role.

Features

Access Control Mode: A new fieldset on the Role Resources tab (right above the Roles Resources fieldset) with two options:
- Allow: Default Magento behavior. Selected resources are whitelisted.
- Deny: Selected resources are restricted (blacklisted). Any resource NOT selected will be allowed.
Persistent Storage: Saves the access control mode in the authorization_role table.
Dynamic Policy Enforcement: Uses a plugin on Magento\Framework\Authorization\Policy\Acl to intercept permission checks and apply the "Deny" logic when necessary.

Installation

Upload the module files to app/code/Taurus/AdminPermissions.

Run the following commands from the Magento root:

php bin/magento setup:upgrade
php bin/magento cache:clean

Technical Implementation Details

Composer: Defined in composer.json as taurus-media/module-admin-permissions.
Schema: Adds access_control column to authorization_role (0 = Allow, 1 = Deny).
UI Extension: Adds a separate fieldset with the "Access Control" field to the Role Resources tab by injecting a child block into adminhtml.user.tab.rolesedit. This avoids overwriting the default Magento template.
Data Persistence: Taurus\AdminPermissions\Observer\RolePrepareSaveObserver ensures the value is saved during role creation/update.
Permission Logic: Taurus\AdminPermissions\Plugin\AclPolicyPlugin handles the inversion of isAllowed checks for roles in "Deny" mode.
Source Model: Taurus\AdminPermissions\Model\Config\Source\AccessControl provides constants and options for the access control mode.

Compatibility

Magento 2.4+
Requires Magento_User and Magento_Authorization modules.

taurus-media / module-admin-permissions

Maintainers

Package info

Statistics

Security