Are you running an online store with Prestashop? Or are you planning to launch your own digital business? Then you’re probably aware of an often underestimated element: permissions management. It’s a technical subject, but also a strategic one. Why? Because controlling who can do what on your store means securing your data, streamlining your operations and gaining peace of mind.
Let’s get to the heart of how Prestashop permissions work.
What are permissions in Prestashop?
Permissions are the access control system for your Prestashop back office. In other words, it’s what allows you to authorize or prohibit certain actions by your collaborators. Add a product, modify an order, access statistics… All these actions can be restricted according to the role of each user.
Prestashop works with a logic of user profiles. Each profile is associated with a set of permissions. It’s a bit like digital keys. You decide who has the right to open which door.
Why is this crucial? Because in e-commerce, human error and security breaches can be very costly. One wrong click or too much access granted to a temporary employee, and you end up with a defaced site, an altered database, or worse: a security breach.
The different types of permissions in Prestashop
Profile permissions
This is the first layer of security. Each user of your store has a profile. This profile determines their access rights.
Default profiles
Prestashop offers several ready-to-use profiles:
- SuperAdmin: all rights, no restrictions.
- Admin: extended but modifiable access.
- Logistician, Accountant, Order Picker: specialized profiles, each with rights limited to their function.
Assigning permissions
You can create your own profiles. You define what each profile can do on a module-by-module basis. For example, you could allow your accountant to access invoices but not product sheets. To do this, go to the Advanced Settings menu > Team > Profiles. You can then configure permissions via a very precise grid. Check or uncheck the possible actions: View, Add, Modify, Delete.
Two concrete examples
You need to outsource your customer service. Create an “After-Sales Service” profile (for example) with access only to orders, customer messages and returns.
You hire a freelance developer. Limit his access to the theme module and FTP, but block everything else. The more restricted the access, the lower the risk.
File permissions
Another often overlooked aspect concerns file permissions on the server. Here, it’s no longer a question of back-office access, but of what each Prestashop script can or cannot do.
Definition
On a server, every file or folder has a permission code, such as 755 or 644. These numbers define who can read, write or execute the file.
Recommended configuration
- PHP files: 644 (the owner can read and modify the file, all other users can only read it).
- Folders: 755 (the owner can list the folder, enter it and create or delete files in it, all other users can only list and enter it).
- config/settings.inc.php: 444 (read-only after installation).
You can change these permissions via an FTP client (such as FileZilla) or SSH. A wrong configuration here, and you open the door to malicious injections.
Best practices
- Never set permissions to 777 (full access).
- Restrict write access to strictly necessary folders (such as /img, /cache, /log).
- Make regular backups before making any changes.
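A read-only audit of the recommended modes above, as an added example that is not part of the original article. The function names, the finding labels and the sample tree are constructed for illustration, and the script assumes the shop root contains config/settings.inc.php as named above.

```bash
#!/usr/bin/env bash
# Added example: audit a shop directory against the modes recommended above.
# Prints "FINDING<TAB>path" lines; returns 1 if anything deviates, 0 if clean.
audit_prestashop_perms() {
    local root="${1%/}" settings findings
    settings="$root/config/settings.inc.php"
    findings="$(
        # World-writable files or folders, such as 777 or 666, are the worst case.
        find "$root" \( -type f -o -type d \) -perm -0002 \
            -exec printf 'WORLD_WRITABLE\t%s\n' {} \;
        # PHP files must be exactly 644; the settings file is checked separately.
        find "$root" -type f -name '*.php' ! -path "$settings" ! -perm 644 \
            -exec printf 'PHP_NOT_644\t%s\n' {} \;
        # Folders must be exactly 755.
        find "$root" -type d ! -perm 755 -exec printf 'DIR_NOT_755\t%s\n' {} \;
        # settings.inc.php must be read-only, mode 444, after installation.
        if [ -f "$settings" ]; then
            find "$settings" ! -perm 444 -exec printf 'SETTINGS_NOT_444\t%s\n' {} \;
        fi
    )"
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Constructed sample tree with deliberate mistakes; prints the shop root path.
make_sample_tree() {
    local tmp
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/shop/config" "$tmp/shop/img"
    : > "$tmp/shop/index.php"
    : > "$tmp/shop/sample.php"
    : > "$tmp/shop/config/settings.inc.php"
    chmod 755 "$tmp/shop" "$tmp/shop/config"
    chmod 644 "$tmp/shop/index.php" "$tmp/shop/config/settings.inc.php"
    chmod 777 "$tmp/shop/img"        # mistake: world-writable folder
    chmod 666 "$tmp/shop/sample.php" # mistake: world-writable PHP file
    printf '%s\n' "$tmp/shop"
}

# Usage: pass the shop root, or --demo to audit the constructed sample tree.
case "${1:-}" in
    "") ;;
    --demo) audit_prestashop_perms "$(make_sample_tree)" ;;
    *) audit_prestashop_perms "$1" ;;
esac
```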
Managing permissions in the Prestashop back office
Access to permissions management
Everything takes place in the Advanced Settings menu > Team. Here you manage employee accounts, profiles and permissions. The interface is simple yet powerful.
Modify or create customized profiles
Never let several users use the same account. Create a dedicated account for each person, even temporarily.
Steps to modify a profile:
- Go to the Profiles tab.
- Select the profile to be edited.
- Click on Permissions.
- Check/uncheck module-by-module rights.
Prestashop lists all installed modules (order, customer, catalog, etc.) with the four types of permissions.
Always limit the “Delete” permission. It’s the one that can cause the most damage.
Create a customized profile
As your company evolves, so do your teams. So you need to adapt your profiles to your organization: marketing, logistics, technical. This gives you greater clarity and security.
Safety and best practices
The principle of least privilege
Give each user as few rights as possible. This is the fundamental principle of computer security. The more access a person has, the more damage they can cause, intentionally or otherwise.
Carry out regular audits
If you’re hiring new people or changing service providers, you’ll need to carry out an audit. Remove unused accounts. Reduce unnecessary access. Analyze logs if necessary. Your back office is not a public square.
Add-on modules
Some Prestashop modules go further, such as:
- “Employee Advanced Permissions”: allows you to restrict access to specific parts even within the same module.
- “Restrict Order Status Bases on Employees”: offers granular options, very useful in large structures.
These tools are not free, but they are very cost-effective if you manage a large team or several stores, as they simplify permissions management.
A few concrete examples
- The trainee who unwittingly modifies a price: you only gave him access to the customer module… but he also had the right to modify the products.
- The freelancer who leaves a loophole: full FTP access given to an external developer… who forgets to close a door.
- The former employee still active: a lingering account, still active after a departure.
Each scenario could have been avoided with proper permissions management.
To conclude on Prestashop permissions
Prestashop is a powerful tool. But when poorly configured, it becomes vulnerable. Careful, rigorous permissions management is a must. It’s a shield, a management tool, but also a performance factor.
It’s important to ask yourself the right questions:
- Who has access to what?
- Why is this access open?
- Is it still justified?
Optimizing permissions protects your business, your customers and your sales. Take the time to do it right to protect your business.
Don’t hesitate to contact me if you need help auditing or configuring your Prestashop permissions. I’ll work with you to optimize your site’s permissions and help you learn best practices.