AC-9924 AC-11581 AC-12392 improve ACL check

Author: tranthienbinh1989

app/code/Magento/Backend/Controller/Adminhtml/System/Design.php

@@ -14,7 +14,7 @@ abstract class Design extends Action
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Backend::design';
+    const ADMIN_RESOURCE = 'Magento_Backend::schedule';
 
     /**
      * Core registry

app/code/Magento/Quote/etc/webapi.xml

@@ -13,6 +13,7 @@
         <service class="Magento\Quote\Api\CartRepositoryInterface" method="get"/>
         <resources>
             <resource ref="Magento_Cart::manage" />
+            <resource ref="Magento_Customer::customer" />
         </resources>
     </route>
     <route url="/V1/carts/search" method="GET">

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/Cancel.php

@@ -8,6 +8,13 @@
 
 class Cancel extends \Magento\Sales\Controller\Adminhtml\Invoice\AbstractInvoice\View
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
+
     /**
      * Cancel invoice action
      *

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/Capture.php

@@ -8,6 +8,13 @@
 
 class Capture extends \Magento\Sales\Controller\Adminhtml\Invoice\AbstractInvoice\View
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
+
     /**
      * Capture invoice action
      *

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/NewAction.php

@@ -23,7 +23,7 @@ class NewAction extends \Magento\Backend\App\Action implements HttpGetActionInte
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::sales_invoice';
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
 
     /**
      * @var Registry

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/Save.php

@@ -30,7 +30,7 @@ class Save extends \Magento\Backend\App\Action implements HttpPostActionInterfac
      *
      * @see _isAllowed()
      */
-    public const ADMIN_RESOURCE = 'Magento_Sales::sales_invoice';
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
 
     /**
      * @var InvoiceSender

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/Start.php

@@ -10,6 +10,13 @@
 
 class Start extends \Magento\Sales\Controller\Adminhtml\Invoice\AbstractInvoice\View implements HttpGetActionInterface
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
+
     /**
      * Start create invoice action
      *

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/UpdateQty.php

@@ -23,6 +23,13 @@
  */
 class UpdateQty extends AbstractView implements HttpPostActionInterface
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
+
     /**
      * @var JsonFactory
      */

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/VoidAction.php

@@ -8,6 +8,13 @@
 
 class VoidAction extends \Magento\Sales\Controller\Adminhtml\Invoice\AbstractInvoice\View
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
+
     /**
      * Void invoice action
      *