OCT 30 2015

Pages and emails broken after SUPEE-6788 patch to Magento

Problem description

Some blocks are not shown on CMS pages, home page, category pages, landing pages in your Magento installation after installing SUPEE-6788 patch, page layout is broken. Some transactional emails, order notification emails are broken, incomplete or have some data missing after installing SUPEE-6788 patch.


SUPEE-6788 patch introduced new permissions for usage of blocks and core variables on CMS pages and inside templates or extensions. By default, only two blocks (core/template and catalog/product_new) are allowed for inclusion. All other blocks should be whitelisted in blocks permission table.


  • in Backend navigate to CMS > Pages or CMS > Static Blocks or System > Transactional Emails and check the page or block or transactional email affected
  • when checking page or template content make sure to Hide Editor to see it in a plain code
  • check for elements similar to  {{block type="cms/block"}} or {{var custom.variable}}and record all used entries
  • navigate to System > Permissions > Blocks and add all blocks collected at previous step:
    Adding new block to permission table after SUPEE-6788
    Adding new block to permission table after SUPEE-6788
  • the following blocks are used often:
    • cms/block
    • catalog/product_list
    • catalog/navigation
    • featuredproducts/listing
  • repeat the same steps for variables at System > Permissions > Variables
  • Flush Magento cache
  If you have any difficulties with fixing this, please let us know in comments, so we can find the solution together.  

Posted in: Troubleshooting

Pages and emails broken after SUPEE-6788 patch to Magento
71 votes, 4.83 avg. rating (96% score)
  • Shankar

    After install SUPEE-6788 patch, I am getting blank page on System > Permissions > Blocks
    also, in home page, featured products, new products bloc are not working.

    • magentary

      Most likely the update was not finished as caches (Magento, Compiler, APC, XCache etc.) were not flushed after patch installation.

      • Shankar

        Thanks for the reply. I have tested with your Patch Tester. Its saying “Safe, patch applied.” How can I fix the issue?

        • Juanjo

          I have the same problem, I can not access blocks or variables, I get a blank page, I cleaned the cache, but always blank page

          • Vikrant

            Were you able to solve this?

  • owenpiccirillo

    I see in the transaction emails this: {{var store.getFrontendName()}

    in the permissions area for variables there is a list like so: “trans_email/ident_support/name”

    How do I add the add new variables now? Would I just put: “store.getFrontend()”

    Do I leave in the “( )”, so I leave in the var in the beginning?

    • MirceaT

      Can anyone help with this enquiry?

    • Joe

      Has anyone got an answer for this yet?

  • Faye Pinner


    I have started uploading the security patch via FTP.

    However one particular file Filter.php (file path [app/code/core/Mage/Core/Model/Email/Template/Filter.php])

    Is interfering with the CMS blocks on the homepage, and making them not appear.

    I found this article and tried to follow the steps.

    However I cannot find anything similar to your description within the particular CMS’s code.

    Also when I follow System > Permissions > Blocks

    I am presented with an error screen I have attached a screen shot of the screen.

    What should I do from here?

    • Sandro

      exactly same problem here.

      Edit: now, solved. The Update-SQL-Script had the wrong permission. Magento have to execute the script, with manual upload the script had the wrong permissions. now everything is fine.

      • Faye Pinner

        Thanks so much for letting my know.

        I was now able to fix this issue.

      • Vikrant

        Do we need to reinstall via ssh to solve it? How did you solve it?

      • eric

        How do you change that permission? please

  • Justin Marshall

    The added variables to the permissions > blocks area fixed our desktop site but not our mobile site – even though they are both calling catalog/nvaigation. Any ideas?

  • Cecilia Castelari

    I am getting blank page on System > Permissions > Blocks
    also, in home page, featured products, new products bloc are not working. {{block type=”catalog/product_list”
    category_id=”46″ template=”catalog/product/list.phtml”}} my magento is any help me??

  • http://www.indiobailbonds.com/ Indio John

    I have a issue. I don’t know how but there are about 12 to 15 cms home pages are created at my admin panel. I don’t know how they created. And the new home pages have listed all the emails of my customers at their content area. Can anyone help?

  • Hildegunst von Mythenmetz

    --- app/code/core/Mage/Core/Model/Email/Template/Filter.php.orig 2016-01-27 12:04:58.663968898 +0100
    +++ app/code/core/Mage/Core/Model/Email/Template/Filter.php 2016-01-27 12:06:00.900586950 +0100
    @@ -174,7 +174,7 @@
    $block = null;

    if (isset($blockParameters['type'])) {
    - if ($this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
    + if (true or $this->_permissionBlock->isTypeAllowed($blockParameters['type'])) {
    $type = $blockParameters['type'];
    $block = $layout->createBlock($type, null, $blockParameters);
    } else {
    Yes I know: Don’t mess with the core! Please don’t hit me for that. :-D

  • mohammed

    thanks for the help…seems to have worked for me.

  • Ranjit


    I have added blocks to white list but still it does not showing in front end

  • Chris

    I get the following when i goto permissions > blocks

    There has been an error processing your request

    Item (Mage_Admin_Model_Block) with the same id “1” already exist

    Could anyone shed some light for me?

  • Vidyasagar Kushwaha

    I followed the above steps but I am still getting the error Can’t retrieve entity config: admin/permission_variable and Can’t retrieve entity config: admin/permission_block. When I check in admin and database. Above said variables and block in database.