Magento Routing: Using the same frontname for admin and frontend routes

by Robo

I recently noticed an issue with a module, Devinc_Dailydeal, where one of its pages was redirecting to the same page under the base URL of the admin store. For example, I would visit http://www.myfrontend.com/mymodule and get redirected to https://www.myadmin.com/mymodule.

I looked into the module's config.xml file to check the defined routes. I noticed that there was a route defined under the "frontend" node as well as a route defined under the "admin" node with the frontname "dailydeal".

    <?xml version="1.0"?>
    <!-- File: app/code/community/Devinc/Dailydeal/etc/config.xml -->
    <config>
        ...
        <frontend>
            <routers>
                <dailydeal>
                    <use>standard</use>
                    <args>
                        <module>Devinc_Dailydeal</module>
                        <frontName>dailydeal</frontName>
                    </args>
                </dailydeal>
            </routers>
        </frontend>
        ...
        <admin>
            <routers>
                <dailydeal>
                    <use>admin</use>
                    <args>
                        <module>Devinc_Dailydeal</module>
                        <frontName>dailydeal</frontName>
                    </args>
                </dailydeal>
            </routers>
        </admin>
        ...
    </config>

At first glance, this seemed ok since they are using separate routers. Closer inspection revealed that the Admin router will always be matched first. Routers are processed in a stack on every request. The default routers are Admin, Standard, Cms, then Default. (For more info on Magento's routers, check Alan Storm's blog post). This means that the Admin router runs on every page, not just pages starting with "admin". The Admin router runs first and hits a match first on "dailydeal". It does not know that "dailydeal" has also been specified as a frontname for the Standard router. It just knows that it has found a match and proceeds to route it.

While the Admin router is routing the request, it checks if the URL should be secure. This checks against the Admin store's settings, not the frontend store. If the Admin is set to use secure pages and the admin secure base URL is https and is different from the current URL, a redirect will be issued. This is correct behavior but can cause a lot of confusion.

I looked into a number of other third-party modules we have used and noticed a significant number of them use the same frontname for the Standard router and the Admin router. This means that under this set of circumstances, these will all break. In all likelihood, these modules were never tested in a multi-store setup with SSL implemented and never will be.

This behavior only occurs if:

- The frontend base URL is different from the admin base URL (If not, it will just redirect to https, which probably won't cause any issues other than possibly broken SSL)
- The admin is set to use secure URLs
- The secure URL for the admin is actually secure (starts with https)

No redirect is issued if the admin is not set to use secure URLs, even if the base URL is different. This seems like a logic error to me, but we'll leave that be.
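A way to audit installed modules for the collision described above, as an added example rather than code from the original post: it parses each module's config.xml and reports any route name or frontname declared under both the frontend and admin nodes, including across different modules, and lists admin routes that declare their own frontname. The sample configs are constructed for illustration, and Acme_Widget is a hypothetical module.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input (module name -> config.xml text), modelled on the
# config shown in the article. Acme_Widget is a hypothetical module.
SAMPLE_CONFIGS = {
    "Devinc_Dailydeal": """<config>
  <frontend><routers><dailydeal><use>standard</use>
    <args><module>Devinc_Dailydeal</module><frontName>dailydeal</frontName></args>
  </dailydeal></routers></frontend>
  <admin><routers><dailydeal><use>admin</use>
    <args><module>Devinc_Dailydeal</module><frontName>dailydeal</frontName></args>
  </dailydeal></routers></admin>
</config>""",
    "Acme_Widget": """<config>
  <frontend><routers><widget><use>standard</use>
    <args><module>Acme_Widget</module><frontName>widget</frontName></args>
  </widget></routers></frontend>
  <admin><routers><adminhtml><args><modules>
    <Acme_Widget_Adminhtml before="Mage_Adminhtml">Acme_Widget_Adminhtml</Acme_Widget_Adminhtml>
  </modules></args></adminhtml></routers></admin>
</config>""",
}

def collect_routes(configs):
    """Return {area: {kind: {value: set(modules)}}} for frontend and admin."""
    found = {a: {"route": defaultdict(set), "frontName": defaultdict(set)}
             for a in ("frontend", "admin")}
    for module, text in configs.items():
        root = ET.fromstring(text)
        for area in found:
            for route in root.findall(f"./{area}/routers/*"):
                front = route.findtext("./args/frontName")
                if front is None:
                    continue  # injection into an existing route, e.g. adminhtml
                found[area]["route"][route.tag].add(module)
                found[area]["frontName"][front.strip()].add(module)
    return found

def find_collisions(configs):
    """List (kind, value, modules) declared for both the frontend and admin areas."""
    found = collect_routes(configs)
    hits = []
    for kind in ("route", "frontName"):
        fe, ad = found["frontend"][kind], found["admin"][kind]
        for value in sorted(set(fe) & set(ad)):
            hits.append((kind, value, sorted(fe[value] | ad[value])))
    return hits

def custom_admin_routers(configs):
    """Admin routes that declare their own frontName instead of using adminhtml."""
    return sorted(collect_routes(configs)["admin"]["route"])

if __name__ == "__main__":
    for kind, value, modules in find_collisions(SAMPLE_CONFIGS):
        print(f"collision on {kind} '{value}': {', '.join(modules)}")
    print("custom admin routers:", custom_admin_routers(SAMPLE_CONFIGS))
```

To run it against a real install, build the dictionary from the contents of each `app/code/*/*/*/etc/config.xml` instead of the constructed samples.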

The Fix:

Beware, there is a lot of work to be done here and a lot of updates made to third party code, which is sub-optimal. Only do this if your site meets the aforementioned conditions and you are seeing this issue.

There is no simple solution to this. You cannot just change the frontname of the admin route. You must also change the route name. This is because Magento expects both route frontnames and route names to be unique across all routers. Specifically, Mage_Core_Model_Url::getUrl() eventually calls a method on the front controller which retrieves the router from the route name, which must be unique or there will be conflicts.

    // File: app/code/core/Mage/Core/Controller/Varien/Front.php
    public function getRouterByRoute($routeName)
    {
        // empty route supplied - return base url
        if (empty($routeName)) {
            $router = $this->getRouter('standard');
        } elseif ($this->getRouter('admin')->getFrontNameByRoute($routeName)) {
            // try standard router url assembly
            $router = $this->getRouter('admin');
        } elseif ($this->getRouter('standard')->getFrontNameByRoute($routeName)) {
            // try standard router url assembly
            $router = $this->getRouter('standard');
        } elseif ($router = $this->getRouter($routeName)) {
            // try custom router url assembly
        } else {
            // get default router url
            $router = $this->getRouter('default');
        }

        return $router;
    }

Here, if the Admin router and the Standard router both have a "dailydeal" route defined, the Admin router will always win, even on frontend pages. Could this be any more convoluted, Magento?

Once you change the route name, you will also have to update the layout handles in the adminhtml layout file to match, since they are prefixed with the route name. If you are going to do all of this, why not just fix it correctly...

So here's how to fix it.

Replace the admin route with an injection of your module into the existing adminhtml route.

    <!-- File: app/code/community/Devinc/Dailydeal/etc/config.xml -->
    <admin>
        <routers>
            <dailydeal>
                <use>admin</use>
                <args>
                    <module>Devinc_Dailydeal</module>
                    <frontName>dailydeal</frontName>
                </args>
            </dailydeal>
        </routers>
    </admin>

Becomes:

    <admin>
        <routers>
            <adminhtml>
                <args>
                    <modules>
                        <Devinc_Dailydeal_Adminhtml before="Mage_Adminhtml">Devinc_Dailydeal_Adminhtml</Devinc_Dailydeal_Adminhtml>
                    </modules>
                </args>
            </adminhtml>
        </routers>
    </admin>

Update the adminhtml menu actions:

    <!-- File: app/code/community/Devinc/Dailydeal/etc/config.xml -->
    <adminhtml>
        <menu>
            <dailydeal module="dailydeal">
                <title>Daily Deal</title>
                <sort_order>71</sort_order>
                <children>
                    <add module="dailydeal">
                        <title>Add Deal</title>
                        <sort_order>0</sort_order>
                        <action>dailydeal/adminhtml_dailydeal/new/</action>
                    </add>
                    ...
                </children>
            </dailydeal>
        </menu>
    </adminhtml>

Becomes:

    <adminhtml>
        <menu>
            <dailydeal module="dailydeal">
                <title>Daily Deal</title>
                <sort_order>71</sort_order>
                <children>
                    <add module="dailydeal">
                        <title>Add Deal</title>
                        <sort_order>0</sort_order>
                        <action>adminhtml/dailydeal/new/</action>
                    </add>
                    ...
                </children>
            </dailydeal>
        </menu>
    </adminhtml>

Replace the adminhtml layout handles:

    <!-- File: app/design/frontend/default/default/layout/dailydeal.xml -->
    <dailydeal_adminhtml_dailydeal_index>
        <reference name="content">
            <block type="dailydeal/adminhtml_dailydeal" name="dailydeal"/>
        </reference>
    </dailydeal_adminhtml_dailydeal_index>

Becomes:

    <adminhtml_dailydeal_index>
        <reference name="content">
            <block type="dailydeal/adminhtml_dailydeal" name="dailydeal"/>
        </reference>
    </adminhtml_dailydeal_index>

When working in the admin, the URL will now be https://www.myadmin.com/admin/dailydeal.

This could mean that you need to make changes elsewhere if there are hardcoded URLs anywhere. I noticed that I had to hard set a form action in one of the modules I was working with.

What can be learned from this?

When writing a module, do not use the same frontname for the Standard and Admin routers. In fact, don't even create an admin router. All URLs in the admin should start with "/admin" (or whatever the admin frontname is configured to). This makes it clear and consistent to users that they are still in the admin.

Instead, inject controllers into the existing "adminhtml" route like this:

    <?xml version="1.0"?>
    <config>
        ...
        <admin>
            <routers>
                <adminhtml>
                    <args>
                        <modules>
                            <MyNamespace_MyModule_Adminhtml before="Mage_Adminhtml">MyNamespace_MyModule_Adminhtml</MyNamespace_MyModule_Adminhtml>
                        </modules>
                    </args>
                </adminhtml>
            </routers>
        </admin>
        ...
    </config>

Then, create your admin controllers at MyNamespace/MyModule/controllers/Adminhtml.

The only caveat with doing this is that you must ensure you don't create any naming conflicts with other admin controllers in core or other third party code. Use a specific and unique controller class name to avoid this.
