Magento is an opensource e-Commerce web application trusted by the world's leading brands. Magento has become a popular choice in the last few years because of all the choices and features it gives while developing an ecommerce website. If you or a 3rd party developer needs to access your Magento powered ecommerce store, then you’ll want to do so via the built-in API. Granting access to the Magento API is a fairly simple task. Giving a Role custom or full access is done under Web Services > Roles. Choose your Role, then select the Role Resources tab. From this screen you can set the access that this particular Role has.

While creating a Role and giving access to the Catalog section I noticed that the Role Resources were never updating, no matter if I gave full or custom permissions. The version of Magento was 1.6.2 (latest at the time of development). There is apparently a bug with the code that affects 1.6.X versions of Magento Community Edition (CE).

The fix is fairly simple and requires a small code adjustment on the core code. Generally, it’s best to copy over the core code you are editing to a local version as your edits will get overwritten if you update the core code. But, since we know that this has been patched in 1.7, it’s best to let Magento overwrite it when we do upgrade.

Below is the code edit: Inside app/code/core/Mage/AdminHtml/Block/Api/Tab/RolesEdit.php we will look inside the constructor for a function call to getPermission.

The old line of code should be:

if (array_key_exists(strtolower($item->getResource_id()), $resources) && $item->getPermission() == 'allow')

The new line of code should be:

if (array_key_exists(strtolower($item->getResource_id()), $resources) && $item->getApiPermission() == 'allow')

This's all step fixed the issue for others running 1.6.X and not being able to edit an API User’s Role Resouces.