Magento CE patch SUPEE-6788 – Custom Blocks Issue

Issue description: After installing Magento CE security patch SUPEE-6788, some of custom blocks on the front page have disappeared.

The reason is simple:

With the latest security patch, Magento has added new restrictions in the blockDirective method in the Mage_Core_Model_Email_Template_Filter class to now check to see if the block type that needs to be displayed is allowed inside a new database table called permission_block.

For example, in your CMS home page we could have defined a block like this:

{{block type="pinpointdesigns/new_products" name="new.products" 

and the new code inside Mage_Core_Model_Email_Template_Filter class will check to see if this block exists in the permission_block table.

Since this is custom block type, it does not exists in permission_block yet and therefore will not be displayed.

In order to resolve this properly, we need to:

1. Determine which custom blocks we are using through the cms {{block}} directive on our site.

2. Navigate to the new interface for the management of allowed blocks: System > Permissions > Blocks and add the block type as allowed.

To manually check all the custom blocks which exist on your store which should be allowed could be real challenge especially if we are running a site where many custom blocks are used.

To make life a little bit easier, we can do following:



in a text editor and search for

public function blockDirective

It should be located around line 169.

Add the line 

Mage::log($blockParameters['type'], null, 'blocks_used.log', true);

 in there to log all blocks that Magento is checking:

// ...

/* Mage_Core_Model_Email_Template_Filter */

public function blockDirective($construction)
   $skipParams = array('type', 'id', 'output');
   $blockParameters = $this->_getIncludeParameters($construction[2]);
   $layout = Mage::app()->getLayout();

   if (isset($blockParameters['type'])) {

      Mage::log($blockParameters['type'], null, 'blocks_used.log', true);

      if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
         $type = $blockParameters['type'];
         $block = $layout->createBlock($type, null, $blockParameters);
    } elseif (isset($blockParameters['id'])) {
         $block = $layout->createBlock('cms/block');
         if ($block) {

// ...

Now, we just need to visit all possible pages on site and block types will be logged inside var/log folder.

Once this has been done, we can just copy them and add to allowed block types.

We can see that the same logic is applied for variables, so if some of your variables are not rendering fine after installing the SUPEE-6788 patch, the same method could be applied.

Please note: It is not considered good practice to edit core files in Magento, so please remember to revert the above change once completed.