Applying Security Patches In Magento- Lessons Learnt

Gayathri Nithyashankar
April 27, 2016


Magento has released a few security patches to make the Magento 1.x framework more secure. It is important to apply these security patches immediately because your Magento store can become vulnerable to hacker attacks that may compromise your data.

While applying these security patches, you may face some challenges. This article is based on our lessons learnt when applying the following Magento security patches:

  • SUPEE 6285
  • SUPEE 6788
  • SUPEE 7405
Access Denied for Non-Admin Users

The ‘Access Denied’ issue may arise after applying the security patch SUPEE 6285.

Any third party extension that introduces Adminhtml pages needs a new _isAllowed() method in its controllers that sets up proper access control for its pages.

Any user whose role has anything less than full administrator permissions will not be able to access the third party extension’s pages, no matter what permissions they have.
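A quick way to find which extension controllers are affected before touching them, as an added example that is not code from the original post: the Python script below scans constructed sample controller sources (the Acme_* module names and paths are made up) for adminhtml controllers that lack _isAllowed() or that short-circuit it with return true.

```python
import re

SAMPLE_CONTROLLERS = {  # constructed samples, not from the original post
    "app/code/local/Acme/Reports/controllers/Adminhtml/ReportController.php": """<?php
class Acme_Reports_Adminhtml_ReportController extends Mage_Adminhtml_Controller_Action
{
    public function indexAction()
    {
        $this->loadLayout()->renderLayout();
    }
}
""",
    "app/code/local/Acme/Export/controllers/Adminhtml/ExportController.php": """<?php
class Acme_Export_Adminhtml_ExportController extends Mage_Adminhtml_Controller_Action
{
    protected function _isAllowed()
    {
        return true;   // no ACL check at all
    }
}
""",
    "app/code/local/Acme/Sync/controllers/Adminhtml/SyncController.php": """<?php
class Acme_Sync_Adminhtml_SyncController extends Mage_Adminhtml_Controller_Action
{
    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')->isAllowed('acme_sync/run');
    }
}
""",
}

ADMIN_CONTROLLER_RE = re.compile(r"extends\s+Mage_Adminhtml_Controller_Action\b")
IS_ALLOWED_RE = re.compile(r"function\s+_isAllowed\s*\(\s*\)\s*\{(?P<body>.*?)\}", re.S)

def audit_admin_controllers(sources):
    """Map path -> finding for adminhtml controllers whose ACL check is missing or unconditional."""
    findings = {}
    for path, src in sources.items():
        if not ADMIN_CONTROLLER_RE.search(src):
            continue  # frontend controller: the SUPEE-6285 _isAllowed() requirement does not apply
        match = IS_ALLOWED_RE.search(src)
        if match is None:
            findings[path] = "missing _isAllowed(): non-admin roles get Access Denied after SUPEE-6285"
            continue
        body = re.sub(r"//[^\n]*", "", match.group("body"))  # drop line comments before inspecting
        if re.fullmatch(r"\s*return\s+true\s*;\s*", body):
            findings[path] = "_isAllowed() returns true: page reachable by any admin role, no ACL check"
    return findings
```

Point it at the real files by reading each *Controller.php under app/code/local and app/code/community into the dictionary.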

SOLUTION:

The first step is to check the admin side: navigate to System > Permissions > Roles and, on the “Role Resources” tab, make sure it is set to ‘All’.


This issue can be solved in two ways:

Method 1:

You can directly go into every third party module and change the following file:

Namespace/module/etc/adminhtml.xml

Copy all the content below the menu tag and place it under the acl tag. Place this acl content at the last line of your file.

If you can’t keep on editing every third party module that you have on your site, you can simply override the core controller. Controllers can only be overridden.

Overriding a core controller has to be handled with care: the override must still perform the ACL check, otherwise the protection the patch introduced is lost for every admin page.
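Method 1 as a script, added here and not part of the original post: it mirrors the menu entries of a constructed adminhtml.xml (a hypothetical Acme_Reports module) into the acl section and lists the resulting resource paths that a controller’s _isAllowed() can check.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed adminhtml.xml for a hypothetical Acme_Reports module (not from the post): menu, no <acl>.
SAMPLE_ADMINHTML_XML = """<?xml version="1.0"?>
<config>
    <menu>
        <acme_reports translate="title" module="acme_reports">
            <title>Acme Reports</title>
            <children>
                <sales translate="title" module="acme_reports">
                    <title>Sales Report</title>
                    <action>adminhtml/acme_reports/sales</action>
                </sales>
            </children>
        </acme_reports>
    </menu>
</config>
"""

def add_acl_from_menu(adminhtml_xml):
    """Mirror every <menu> entry under <acl><resources><admin><children> and return the new XML.
    Menu-only tags (<action>) are dropped; titles and nesting are kept for the role editor."""
    root = ET.fromstring(adminhtml_xml)
    menu = root.find("menu")
    if menu is None or root.find("acl") is not None:
        return adminhtml_xml  # nothing to mirror, or the module already declares ACL resources
    admin = ET.SubElement(ET.SubElement(ET.SubElement(root, "acl"), "resources"), "admin")
    children = ET.SubElement(admin, "children")
    for item in menu:
        resource = copy.deepcopy(item)
        for node in list(resource.iter()):           # snapshot: we mutate while walking
            for action in node.findall("action"):
                node.remove(action)
        children.append(resource)
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")

def acl_resource_paths(adminhtml_xml):
    """List resource paths such as 'acme_reports/sales' that a controller's _isAllowed() can check."""
    def walk(children, prefix):
        for res in children:
            yield prefix + res.tag
            sub = res.find("children")
            if sub is not None:
                yield from walk(sub, prefix + res.tag + "/")
    top = ET.fromstring(adminhtml_xml).find("acl/resources/admin/children")
    return list(walk(top, "")) if top is not None else []
```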

Method 2:

To override a core controller please follow the below-given steps:

Step 1:

Create a module installation file and paste in the code given below…

app/etc/modules/Namespace_modulename.xml

Step 2:

Now create the configuration file for your module.

app/code/local/Dckap/Override/etc/config.xml

Step 3:

The last step is to create the overriding controller file at the below-given path:

app/code/local/Dckap/Override/Controller/Action.php

Here we have overridden the core controller’s Action.php file.

Clear the cache and now try to log in.

Unable to Reset Password

The ‘Unable to Reset Password’ issue may arise after applying the security patch SUPEE 6788.

After applying the patch, if your user is not getting the mail for the reset password functionality, then the issue is with the customer.xml file.

This can be fixed in two simple steps

SOLUTION:

Step 1:

Navigate to System > Configuration > Advanced > System > Mail Sending Settings and set “Disable Email Communication” to “No”.

If it’s already set to “No”, then navigate to

app/design/frontend/default/yourtheme/layout/customer.xml

app/design/frontend/base/default/layout/customer.xml

Find this code

And replace it with this code

Now check the reset password functionality after clearing the cache.

CMS Blocks Not Displayed

The ‘CMS Blocks Not Displayed’ issue arises after applying the security patch SUPEE 6788.

We are using CMS static blocks on our website’s home page. That was working fine before we applied the patch. But after applying the security patch they were not working, i.e. the CMS static blocks were not shown on our homepage.

SOLUTION:

This issue can be fixed in two simple steps which worked in our case.

Step 1:

Navigate to System > Permissions > Blocks on your admin side, then create a new block rule by clicking “Add New Block”.

Then give your Block Name as module_name/template.

Step 2:

Set the value ‘Yes’ for “Is Allowed”.

The last step is to clear your cache and refresh your front end; now the CMS static blocks added to the home page will be shown.

Events Fail To Trigger

The ‘Events Fail To Trigger’ issue may arise after applying the security patch SUPEE 7405.

We were using event names with uppercase letters in our custom modules. The events were working fine before we applied the patch [SUPEE-7405]. But after applying the security patch they were not working, which means the events were not triggered in the custom module.

SOLUTION:

This issue can be fixed in a very simple way which worked in our case.

Step 1:

Change the uppercase letters to lowercase letters in your local observer’s configuration.

The below-given example is from the custom module which we used.

E.g.:

controller_action_predispatch_checkout_cart_couponPost

change to

controller_action_predispatch_checkout_cart_couponpost
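An added check for this problem, not from the original post: it scans a constructed config.xml (hypothetical Acme_Coupon module, made-up observer names) for event names containing uppercase letters and rewrites them to lowercase, the same change described above.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml of a hypothetical Acme_Coupon module (not from the original post).
SAMPLE_CONFIG_XML = """<?xml version="1.0"?>
<config>
    <frontend>
        <events>
            <controller_action_predispatch_checkout_cart_couponPost>
                <observers>
                    <acme_coupon_predispatch>
                        <class>acme_coupon/observer</class>
                        <method>beforeCouponPost</method>
                    </acme_coupon_predispatch>
                </observers>
            </controller_action_predispatch_checkout_cart_couponPost>
            <sales_order_place_after>
                <observers>
                    <acme_coupon_order_placed>
                        <class>acme_coupon/observer</class>
                        <method>orderPlaced</method>
                    </acme_coupon_order_placed>
                </observers>
            </sales_order_place_after>
        </events>
    </frontend>
</config>
"""

def find_uppercase_event_names(config_xml):
    """Return [(area, declared_name, lowercase_name)] for each <events> child with an uppercase letter."""
    root = ET.fromstring(config_xml)
    findings = []
    for area in root:                      # <global>, <frontend>, <adminhtml>, ...
        events = area.find("events")
        if events is None:
            continue
        for event in events:
            if event.tag != event.tag.lower():   # such an observer is never triggered after SUPEE-7405
                findings.append((area.tag, event.tag, event.tag.lower()))
    return findings

def lowercase_event_names(config_xml):
    """Return config.xml with every mixed-case event tag renamed to lowercase; observers are untouched."""
    root = ET.fromstring(config_xml)
    for area in root:
        events = area.find("events")
        for event in (events if events is not None else []):
            event.tag = event.tag.lower()
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")
```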

These are lessons learnt from our experience. We are happy to share this with you. Let us know your feedback and comments.
