Magento2: ACL Error - Admin user can't change the attributes set

Created on 8 Apr 2016  路  3Comments  路  Source: magento/magento2

A backend user with permissions to edit products but not attributes set can't select/change the attribute set of the product that is creating/editing, since the ajax call to http://magentohost/admin/catalog/product/suggestAttributeSets/ returns a 403 Forbidden due to insufficient permissions

Steps to reproduce

  1. Log as Admin
  2. Create a new attribute set
  3. Create a basic backend user/role with just product edition permissions
  4. Log out
  5. Log in with that user

  6. Create a new product and try to change se attribute set

    Expected result

  7. The user can select the any attribute set.

    Actual result

  8. The suggest widget isn't populated because the ajax request fails

bug report
Source
picture MauroNigrele

Most helpful comment

Internal issue MAGETWO-53557

picture piotrekkaminski on 27 May 2016
👍2

All 3 comments

Internal issue MAGETWO-53557

piotrekkaminski picture piotrekkaminski on 27 May 2016
👍2

- Update -
Actually, this bug also apply for any "no-admin" user regardless the permissions.

I guess that adding the below code on: \Magento\Catalog\Controller\Adminhtml\Product\SuggestAttributeSets this should be fixed:

    protected function _isAllowed()
    {
        return $this->_authorization->isAllowed('Magento_Catalog::products');
    }

Sorry no time for PR :(

MauroNigrele picture MauroNigrele on 27 May 2016

Fixed in 2.0 branch. Not reproduced in 2.1 and develop.

rganin picture rganin on 22 Jul 2016
Was this page helpful?
0 / 5 - 0 ratings

Related issues

fvillata picture fvillata  路  3Comments
kirashet666 picture kirashet666  路  3Comments
dmitry-fedyuk picture dmitry-fedyuk  路  3Comments
BenSpace48 picture BenSpace48  路  3Comments
algostore picture algostore  路  3Comments