Magento Security – Magento Blog
https://blog.extendware.com (by ExtendWare; feed generated Fri, 22 Nov 2024 11:28:58 +0000)

How to Add ACL (Access Control Lists) in Magento 2: A Step-by-Step Guide
https://blog.extendware.com/how-to-add-acl-access-control-lists-in-magento-2-a-step-by-step-guide/ (Fri, 22 Nov 2024 10:46:20 +0000)

In Magento 2, the Access Control List (ACL) system lets store owners manage which actions each user role may perform in the admin panel, so that only authorized users can reach certain sections or carry out specific tasks. You may, however, need to add actions to the ACL that are not part of the menu system. This post walks through adding such actions to the ACL in Magento 2 and checking user permissions programmatically.

What is ACL in Magento 2?

ACL is a security feature in Magento 2 that controls what each user role can access or modify in the admin area. It defines which pages, actions, and resources a user is allowed to interact with, providing a way to manage permissions and secure your store’s backend. Magento uses ACL rules to govern permissions in both the admin panel and web API calls.

Step 1: Create the menu.xml File

The first step is to create a menu for your custom functionality. Even if you don’t have a menu item but still want to restrict access to certain actions, creating a menu.xml file will help you manage your module’s admin interface.

Here’s an example of a simple menu.xml file that adds a menu item to your module:

<?xml version="1.0" encoding="UTF-8"?>
<menu xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/menu.xsd">
    <!-- "action" is the admin route (frontName/controller/action) the item links to;
         "custommodule/index/index" is an assumed route for this example.
         "resource" is the ACL resource id that protects the item (declared in acl.xml). -->
    <add id="Vendor_CustomModule::main_menu"
         title="Custom Module"
         translate="title"
         module="Vendor_CustomModule"
         sortOrder="100"
         parent="Magento_Backend::content"
         action="custommodule/index/index"
         resource="Vendor_CustomModule::config"/>
</menu>

This XML file creates a new menu item in the admin panel. When an admin creates a new role, they can assign permissions to this menu item.

Step 2: Define ACL Rules in acl.xml

Once the menu is set up, the next step is to define ACL rules. This is done in the acl.xml file, which is used to declare resources required for accessing actions in the admin panel.

Here’s an example acl.xml for defining ACL rules in your module:

<?xml version="1.0" encoding="UTF-8"?>
<acl xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
    <resources>
        <!-- Custom resources are declared beneath the root admin resource -->
        <resource id="Magento_Backend::admin">
            <resource id="Vendor_CustomModule::config" title="Manage Custom Module Configuration" translate="title" />
            <!-- Resource for the non-menu action checked in Step 4 -->
            <resource id="Vendor_CustomModule::api_action" title="Run Custom Module API Action" translate="title" />
        </resource>
    </resources>
</acl>

In this example, the Vendor_CustomModule::config resource is defined, which controls access to the configuration page of your module. Admin users can be assigned permission to this resource when creating roles.

Step 3: Programmatically Check ACL Permissions

Now that your ACL rules are defined, you can check whether the logged-in user has permission to access specific actions. Magento provides the Magento\Framework\AuthorizationInterface service, whose isAllowed() method reports whether the current user's role has been granted a given resource.

Here’s how to use it in your code:

<?php
namespace Vendor\CustomModule\Model; // namespace and class name are illustrative

use Magento\Framework\AuthorizationInterface;

class PermissionChecker
{
    /** @var AuthorizationInterface */
    private $authorization;

    public function __construct(
        AuthorizationInterface $authorization
    ) {
        $this->authorization = $authorization;
    }

    public function checkPermission()
    {
        // isAllowed() resolves the resource against the current admin user's role
        if ($this->authorization->isAllowed('Vendor_CustomModule::config')) {
            // User is allowed to access the configuration page
            return true;
        } else {
            // User does not have permission
            return false;
        }
    }
}

In this example, the code checks if the user has permission for the Vendor_CustomModule::config resource, which is defined in the acl.xml file.

Step 4: Secure Non-Menu Actions

Sometimes, you may want to secure actions that are not part of the menu, like custom actions or API endpoints. You can still protect these actions using ACL by declaring them in acl.xml and checking permissions before allowing access.

Here’s how to check permissions for a custom API action:

public function someApiAction()
{
    // $_authorization is the protected AuthorizationInterface instance that
    // Magento\Backend\App\Action receives from its Context, so this method
    // belongs in a backend controller. The resource must be declared in acl.xml.
    if ($this->_authorization->isAllowed('Vendor_CustomModule::api_action')) {
        // Proceed with the action
    } else {
        // Deny access
    }
}
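The following is an added example covering both Step 3 and Step 4 in one admin controller; it is not code from the original post or from ExtendWare. The namespace, the class name and the route it would answer on are assumptions. It uses two real Magento 2 mechanisms: the ADMIN_RESOURCE constant, which Magento\Backend\App\Action checks in dispatch() through _isAllowed() before execute() is reached, and an explicit isAllowed() call for a finer-grained, non-menu resource, with the denial logged and answered with an HTTP 403 JSON body.

```php
<?php
// Added example (not part of the original post). Vendor\CustomModule and the
// class name "Run" are assumptions; the ACL resource ids match the post's acl.xml.
declare(strict_types=1);

namespace Vendor\CustomModule\Controller\Adminhtml\Api;

use Magento\Backend\App\Action;
use Magento\Backend\App\Action\Context;
use Magento\Framework\App\Action\HttpPostActionInterface;
use Magento\Framework\Controller\Result\JsonFactory;
use Psr\Log\LoggerInterface;

class Run extends Action implements HttpPostActionInterface
{
    /**
     * Coarse gate. Magento\Backend\App\Action::_isAllowed() checks this resource
     * while dispatching, so a role without it never reaches execute().
     */
    const ADMIN_RESOURCE = 'Vendor_CustomModule::config';

    /** @var JsonFactory */
    private $jsonFactory;

    /** @var LoggerInterface */
    private $logger;

    public function __construct(Context $context, JsonFactory $jsonFactory, LoggerInterface $logger)
    {
        parent::__construct($context);
        $this->jsonFactory = $jsonFactory;
        $this->logger = $logger;
    }

    public function execute()
    {
        $result = $this->jsonFactory->create();

        // Fine-grained gate for the non-menu action. The resource exists only in
        // acl.xml (no menu entry), so it is checked explicitly here with the
        // AuthorizationInterface that the backend Action receives from its Context.
        if (!$this->_authorization->isAllowed('Vendor_CustomModule::api_action')) {
            $user = $this->_auth->getUser();
            // Record the denial: a burst of denials for one admin account is a
            // useful detection signal for a compromised or over-curious user.
            $this->logger->warning('ACL denied Vendor_CustomModule::api_action', [
                'user' => $user ? $user->getUserName() : null,
            ]);
            $result->setHttpResponseCode(403);
            return $result->setData([
                'error'   => true,
                'message' => (string) __('Not authorized.'),
            ]);
        }

        // Permission granted: the real work of the action goes here.
        return $result->setData(['error' => false]);
    }
}
```

Because the denial is logged with the admin username, the same resource id can be watched for in the application log. For a REST endpoint the same resource id is instead referenced from the module's etc/webapi.xml (`<resource ref="Vendor_CustomModule::api_action"/>`), and the web API framework performs the check before the service method is invoked.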

Conclusion

Adding actions to the ACL in Magento 2 is an effective way to ensure that only authorized users can access certain parts of your admin panel, even if those actions are not part of the standard menu. By following the steps outlined in this guide, you can secure your custom functionalities and protect sensitive actions from unauthorized access.

Magento’s ACL system provides a flexible and powerful way to manage user permissions. Whether you’re adding menu-based actions or securing non-menu actions, Magento’s ACL system ensures that your admin panel remains secure and controlled.

Starting a Store on Magento: Time-Saving Tips
https://blog.extendware.com/starting-a-store-on-magento-time-saving-tips/ (Thu, 12 May 2016 18:33:15 +0000)

For businesses looking to establish an e-commerce store, Magento is an indispensable tool. As an open-source platform, Magento can be adapted to meet the needs of individual businesses. Big brands and small businesses alike can use Magento to create a profitable and user-friendly online storefront.

But while anyone can go to Magento’s website and set up a basic store, creating a successful e-commerce business can be considerably harder.

Magento offers so many different options for customization that many new users feel overwhelmed and intimidated. So many different tasks go into running a successful online store: SEO, web design, marketing, and many more. Magento extensions help online business owners complete necessary tasks on time and without hassle. Here are some common problems that Magento users encounter, and how extensions can help solve them:

Lagging Loading Times

All research suggests that today’s web users are more impatient than ever. If an online store takes too long to load, visitors to your site won’t buy. While you can’t always control the speed with which users browse your site, there are ways to lower your load times. An extension such as the Full Page Cache will speed up your site by caching it whenever a user visits. This extension serves as a replacement to expensive investments in hardware.

Google Analytics Overload

Traffic is essential to the success of your business, so it can be tempting to visit Google Analytics constantly. But this is an inefficient use of time. With the Google Analytics Dashboard extension, you can see your Google Analytics data right from your dashboard.

Spam, Spam, and More Spam!

There are bots looking to spam your inbox. If you have a contact page on your website, you may be vulnerable to spam. The Anti-Spam Captcha prevents this annoyance, requiring users to enter a short string of characters before their message goes through.

Conversion Confusion

E-commerce is a global phenomenon, but international customers may be turned off if they can’t easily figure out how much they will need to pay for a particular item. Customers also may be unaware that you have separate storefronts for buyers from different countries. The Store/Currency Switcher extension will enable your Magento store to redirect visitors to the correct storefront.

Abandoned Carts

The bane of every online retailer, abandoned carts can seriously reduce your profits. In 2015, the average rate of cart abandonment was a whopping 68%, meaning that more than two-thirds of online orders were never completed. For e-commerce business owners, few things can be more frustrating. But with the Abandoned Cart Email extension, you can send a friendly reminder e-mail to customers who abandon their carts on your store. The e-mail sequence can be completely customized. You can even include a coupon for customers to incentivize them to complete their purchase.

 

Running an online store is already difficult. By making strategic use of Magento extensions, you can make better use of your resources and increase the profits of your online store.

All ExtendWare extensions come with the option to return them within 30 days and receive a full refund, making this investment risk-free.

Magento Security Patch SUPEE-6788 installation
https://blog.extendware.com/magento-security-patch-supee-6788-installation/ (Thu, 22 Oct 2015 18:40:25 +0000)

Magento has released a new security patch that touches many parts of Magento and will therefore affect your store. Follow good practices when installing this patch, or it will negatively affect your store.

Preparing to install the SUPEE-6788 patch

Before you install the Magento security patch you MUST install all previous security patches. This will ensure that it can be properly installed. In addition, you should follow these other recommendations:

  1. Create a development environment and install the patch there first. The patch makes many core Magento changes that will break extensions and customizations.
  2. Only after your development environment has been fully tested should you move the changes to production.

What are some of the behavior changes of Magento after the patch?

  1. Bypassing the admin.html module for admin URLs will no longer work. Any extension that does this will stop working after the patch is installed.
  2. SQL field names and quoted field names will no longer be allowed in collection filtering. Any extension that relies on this will stop working after the patch.
  3. The Magento CMS system now uses a whitelist of allowed block and config directives.

Any affected extensions you use will stop working, so do not update until these issues have been resolved for your store.

Okay, I am ready. What are the installation steps?

Download the patch; you will receive an .sh file. Upload it to your Magento root directory and run the following in a shell, replacing [file name] with the actual name of the downloaded file.

sh [file name]

Secure Magento admin login with two-factor authentication
https://blog.extendware.com/secure-magento-admin-login-with-two-factor-authentication/ (Tue, 14 Jul 2015 21:53:39 +0000)

Two-Factor Authentication is a great way to secure your Magento admin area. Imagine if a hacker or someone else gained access to your backend. Not only could they destroy data and harass customers, they could also steal valuable business data, and the end result could be that customers lose confidence in your store. The best two-factor authentication for Magento uses Google Authenticator.

What is two-factor authentication?

Two-factor authentication increases the security of your Magento login by requiring an additional authentication method. Normally, you would input only your password. With two-factor authentication that is compatible with Google Authenticator, you would also input a one-time access code. This access code changes every 60 seconds, so it is nearly impossible to hack your login. By combining these two methods (two factors), your login is much more secure.
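To show what the one-time code described above actually is, here is an added example (not code from the original post or from ExtendWare's extension) of RFC 6238 TOTP verification, the scheme Google Authenticator-compatible apps implement: the shared secret is exchanged as base32, each code is an HMAC-SHA1 of a time-step counter, and the server accepts a small window of adjacent steps for clock skew while refusing a code that has already been consumed. The function names are mine; the time step is a parameter (authenticator apps commonly use a 30-second step), and the self-check uses the published RFC 6238 SHA-1 test vector.

```php
<?php
// Added example (not part of the original post): RFC 6238 TOTP verification.
declare(strict_types=1);

const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

/** Decode an RFC 4648 base32 string, the form in which authenticator apps share secrets. */
function base32Decode(string $encoded): string
{
    $encoded = strtoupper(rtrim($encoded, '='));
    $bits = '';
    $out = '';
    for ($i = 0, $n = strlen($encoded); $i < $n; $i++) {
        $val = strpos(BASE32_ALPHABET, $encoded[$i]);
        if ($val === false) {
            throw new InvalidArgumentException('Invalid base32 character');
        }
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
        while (strlen($bits) >= 8) {
            $out .= chr(bindec(substr($bits, 0, 8)));
            $bits = substr($bits, 8);
        }
    }
    return $out;
}

/** HOTP (RFC 4226): HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated. */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg = pack('J', $counter);                       // 64-bit big-endian counter
    $hmac = hash_hmac('sha1', $msg, $secret, true);   // 20 raw bytes
    $offset = ord($hmac[19]) & 0x0f;
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
        | (ord($hmac[$offset + 1]) << 16)
        | (ord($hmac[$offset + 2]) << 8)
        | ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP (RFC 6238): HOTP whose counter is Unix time divided by the step length. */
function totp(string $secret, int $time, int $step = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($time, $step), $digits);
}

/**
 * Verify a submitted code. $window allows that many steps of clock skew either way.
 * Returns the counter that matched, so the caller can persist it and refuse any
 * later submission of the same or an older code (replay), or null if nothing matched.
 */
function verifyTotp(
    string $base32Secret,
    string $submitted,
    int $now,
    int $lastUsedCounter = -1,
    int $window = 1,
    int $step = 30
): ?int {
    $secret = base32Decode($base32Secret);
    $current = intdiv($now, $step);
    for ($delta = -$window; $delta <= $window; $delta++) {
        $counter = $current + $delta;
        if ($counter <= $lastUsedCounter) {
            continue;                                 // already consumed: block replay
        }
        // Constant-time comparison so timing does not leak how many digits matched.
        if (hash_equals(hotp($secret, $counter), $submitted)) {
            return $counter;
        }
    }
    return null;
}

/** Self-check against the RFC 6238 SHA-1 vector: secret "12345678901234567890", T = 59. */
function selfTest(): bool
{
    $secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';   // base32 of the RFC test secret
    $ok = totp(base32Decode($secret), 59) === '287082';   // 94287082 truncated to 6 digits
    $ok = $ok && verifyTotp($secret, '287082', 59) === 1;
    $ok = $ok && verifyTotp($secret, '287082', 59, 1) === null;   // replay of counter 1 refused
    return $ok;
}
```

The returned counter is the piece most implementations forget: storing it per user and rejecting anything at or below it is what turns a "changes every N seconds" code into a genuinely single-use one, which matters precisely in the keylogger and shared-computer scenarios the post is concerned with.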

How do I enable two factor authentication for Magento?

You should install the Two-Factor Authentication Magento Extension for your store and then go to System -> Permissions -> Users and enable it for specific users.

Great! What else can I do for a secure backend?

In addition to using the Google Authenticator Magento extension you can change your store admin URL. Leaving your store admin URL at yourstore.com/admin is bad for security. To resolve this, simply edit the file at app/etc/local.xml and change contact us.


Quick Overview

Protect your store from key loggers, connection sniffing, unprotected wifi connections, and other threats with our two-factor authentication system. If you ever login to your store over wifi or on a public computer, then you urgently need this extension.


Magento Bot Blocker and Anti-Spam Captcha Released
https://blog.extendware.com/magento-captcha-released-0912/ (Sun, 30 Sep 2012 16:23:45 +0000)

Extendware’s Magento Anti-Spam Captcha is important for every store because spam reduces productivity, wastes server resources, and can make your site look unprofessional (in the case of spam reviews that advertise other Web sites). Magento Anti-Spam Captcha fixes this by putting a CAPTCHA on your most important forms.

The only problem is that CAPTCHAs can annoy users and discourage your customers from performing certain activities. We have worked to solve this by implementing three new features in Spam and Bot Protection:

  • OpenCaptcha Support – Previously, only Google reCAPTCHA was supported, which some users found too difficult. Now we support OpenCaptcha, which is much easier for users to solve while still protecting against bots (reCAPTCHA is still supported for those who want it).
  • Unlocked Actions – After solving 1 CAPTCHA, you may configure for the next X actions to NOT require a CAPTCHA. This means that if a user writes a review on your Web site and solves a CAPTCHA, this will prove they are human. They will not be asked to solve another CAPTCHA until they perform X actions (X more reviews, X more contacts, etc).
  • Only Ask Guests – This feature has always existed, but has been underutilized. With this option only customers who are not logged in will be asked to solve a CAPTCHA. Logged-in customers will not be asked.

With these changes we are confident that your store will find a better balance between protection from spammers and bots and the best possible experience for your live, human customers.
