User rights for plugins without ACL support


Sometimes it occurs, that a plugin from the Shopware Store is not campatible with our user management and don't provide an ACL resource. In some cases you might still not want all users to have access to the menu item of the plugin. In this tutorial we explain how you can hide the menu item through a manual configuration in the backend.

Identification of the controller

First you need the controller that is used in the backend when a user clicks the menu item. This you can  identify with a tool like Firebug (Firefox Add-On) or the Chrome-debugger (F12). In our example we use the plugin "Business Essentials" as example. The Business Essentials controller we need is the GET-Parameter /backend/BusinessEssentials?...


In Firebug you can either see the url in the tab Console or the Tab Network. You should clear the view complete to get a clear list of requests, then click on the menu item in the backend. The first GET-parameter should be the correct URL for the menu item.


The Chrome-debugger is similar to this. Here you can also find the information in the tab Network.

Creation of the user rights

With the URL you know the exact controller-name. In the case of Business Essentials this is BusinessEssentials. The parameters that occur after the "?" in the GET call can be ignored. Please keep in mind that the call can differ from the plugin name! Knowing the controller name you can create a new rule & permission at Configuration > User administration. To do this, open the menu item "Edit rules & permissions" and chose a role there, afterwards you can add a new permission for Business Essentials using "Add resource". For the naming of the resource it is important to exactly type the lowercase of the controller name.

In our example this is businessessentials. Create a resource with the name businessessentials and add the privilege read. All roles that shall be able to see the menu item have to get the privilege read. For the roles, who shall not see the menu item, the whole resource has to be deactivated. All further functions in the user administration have to be individually implemented in the pluign and are not possible without programming.

Hiding the main menu

It is also possible to hide the main menu entries. For this you have to read the controller name from the s_core_menu for the menu entry and create it in lower-case as resource as described above.

Was this article helpful?