Merge pull request #9020 from magento-cia/cia-2.4.8-beta1-develop-bugfix-06202024

Cia 2.4.8 beta1 develop bugfix 06202024

Author: pawan-adobe-security

app/code/Magento/Newsletter/Controller/Adminhtml/Queue.php

@@ -18,5 +18,16 @@ abstract class Queue extends \Magento\Backend\App\Action
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Newsletter::queue';
+    public const ADMIN_RESOURCE = 'Magento_Newsletter::queue';
+
+    /**
+     * Checks the acl permission
+     *
+     * @return bool
+     */
+    protected function _isAllowed()
+    {
+        return ($this->_authorization->isAllowed(self::ADMIN_RESOURCE) &&
+            $this->_authorization->isAllowed('Magento_Newsletter::template'));
+    }
 }

app/code/Magento/Sales/Block/Adminhtml/Order/View.php

@@ -16,29 +16,21 @@
 class View extends \Magento\Backend\Block\Widget\Form\Container
 {
     /**
-     * Block group
-     *
      * @var string
      */
     protected $_blockGroup = 'Magento_Sales';
 
     /**
-     * Core registry
-     *
      * @var \Magento\Framework\Registry
      */
     protected $_coreRegistry = null;
 
     /**
-     * Sales config
-     *
      * @var \Magento\Sales\Model\Config
      */
     protected $_salesConfig;
 
     /**
-     * Reorder helper
-     *
      * @var \Magento\Sales\Helper\Reorder
      */
     protected $_reorderHelper;
@@ -121,7 +113,7 @@ protected function _construct()
             );
         }
 
-        if ($this->_isAllowedAction('Magento_Sales::emails') && !$order->isCanceled()) {
+        if ($this->_isAllowedAction('Magento_Sales::email') && !$order->isCanceled()) {
             $message = __('Are you sure you want to send an order email to customer?');
             $this->addButton(
                 'send_notification',

app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/Cancel.php

@@ -6,15 +6,16 @@
 namespace Magento\Sales\Controller\Adminhtml\Order\Creditmemo;
 
 use Magento\Backend\App\Action;
+use Magento\Framework\App\Action\HttpPostActionInterface;
 
-class Cancel extends \Magento\Backend\App\Action
+class Cancel extends \Magento\Backend\App\Action implements HttpPostActionInterface
 {
     /**
      * Authorization level of a basic admin session
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';
+    public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';
 
     /**
      * @var \Magento\Backend\Model\View\Result\ForwardFactory

app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/NewAction.php

@@ -15,7 +15,7 @@ class NewAction extends \Magento\Backend\App\Action implements HttpGetActionInte
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';
+    public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';
 
     /**
      * @var \Magento\Sales\Controller\Adminhtml\Order\CreditmemoLoader

app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/Save.php

@@ -18,7 +18,7 @@ class Save extends \Magento\Backend\App\Action implements HttpPostActionInterfac
      *
      * @see _isAllowed()
      */
-    public const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';
+    public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';
 
     /**
      * @var \Magento\Sales\Controller\Adminhtml\Order\CreditmemoLoader

app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/Start.php

@@ -14,7 +14,7 @@ class Start extends \Magento\Backend\App\Action implements HttpGetActionInterfac
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';
+    public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';
 
     /**
      * Start create creditmemo action

app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/UpdateQty.php

@@ -15,7 +15,7 @@ class UpdateQty extends \Magento\Backend\App\Action implements HttpPostActionInt
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';
+    public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';
 
     /**
      * @var \Magento\Sales\Controller\Adminhtml\Order\CreditmemoLoader

app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/VoidAction.php

@@ -6,15 +6,16 @@
 namespace Magento\Sales\Controller\Adminhtml\Order\Creditmemo;
 
 use Magento\Backend\App\Action;
+use Magento\Framework\App\Action\HttpPostActionInterface;
 
-class VoidAction extends Action
+class VoidAction extends Action implements HttpPostActionInterface
 {
     /**
      * Authorization level of a basic admin session
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';
+    public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';
 
     /**
      * @var \Magento\Sales\Controller\Adminhtml\Order\CreditmemoLoader

app/code/Magento/Sales/ViewModel/Order/Create/SidebarPermissionCheck.php

@@ -0,0 +1,42 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Sales\ViewModel\Order\Create;
+
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\View\Element\Block\ArgumentInterface;
+
+/**
+ * Sidebar block permission check
+ */
+class SidebarPermissionCheck implements ArgumentInterface
+{
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     * Permissions constructor.
+     *
+     * @param AuthorizationInterface $authorization
+     */
+    public function __construct(AuthorizationInterface $authorization)
+    {
+        $this->authorization = $authorization;
+    }
+
+    /**
+     * To check customer permission
+     *
+     * @return bool
+     */
+    public function isAllowed(): bool
+    {
+        return $this->authorization->isAllowed('Magento_Customer::customer');
+    }
+}

app/code/Magento/Sales/view/adminhtml/layout/sales_order_create_index.xml

@@ -36,6 +36,9 @@
                     </block>
                     <block class="Magento\Sales\Block\Adminhtml\Order\Create\Data" template="Magento_Sales::order/create/data.phtml" name="data">
                         <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar" template="Magento_Sales::order/create/sidebar.phtml" name="sidebar">
+                            <arguments>
+                                <argument name="sideBarPermissionCheck" xsi:type="object">Magento\Sales\ViewModel\Order\Create\SidebarPermissionCheck</argument>
+                            </arguments>
                             <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Cart" template="Magento_Sales::order/create/sidebar/items.phtml" name="cart"/>
                             <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Wishlist" template="Magento_Sales::order/create/sidebar/items.phtml" name="wishlist"/>
                             <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Reorder" template="Magento_Sales::order/create/sidebar/items.phtml" name="reorder"/>

app/code/Magento/Sales/view/adminhtml/layout/sales_order_create_load_block_data.xml

@@ -11,6 +11,9 @@
         <referenceContainer name="content">
             <block class="Magento\Sales\Block\Adminhtml\Order\Create\Data" template="Magento_Sales::order/create/data.phtml" name="data">
                 <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar" template="Magento_Sales::order/create/sidebar.phtml" name="sidebar">
+                    <arguments>
+                        <argument name="sideBarPermissionCheck" xsi:type="object">Magento\Sales\ViewModel\Order\Create\SidebarPermissionCheck</argument>
+                    </arguments>
                     <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Cart" template="Magento_Sales::order/create/sidebar/items.phtml" name="cart"/>
                     <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Wishlist" template="Magento_Sales::order/create/sidebar/items.phtml" name="wishlist"/>
                     <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Reorder" template="Magento_Sales::order/create/sidebar/items.phtml" name="reorder"/>

app/code/Magento/Sales/view/adminhtml/layout/sales_order_create_load_block_sidebar.xml

@@ -9,6 +9,9 @@
     <body>
         <referenceContainer name="content">
             <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar" template="Magento_Sales::order/create/sidebar.phtml" name="sidebar">
+                <arguments>
+                    <argument name="sideBarPermissionCheck" xsi:type="object">Magento\Sales\ViewModel\Order\Create\SidebarPermissionCheck</argument>
+                </arguments>
                 <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Cart" template="Magento_Sales::order/create/sidebar/items.phtml" name="cart"/>
                 <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Wishlist" template="Magento_Sales::order/create/sidebar/items.phtml" name="wishlist"/>
                 <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Reorder" template="Magento_Sales::order/create/sidebar/items.phtml" name="reorder"/>

app/code/Magento/Sales/view/adminhtml/templates/order/create/sidebar.phtml

@@ -4,19 +4,32 @@
  * See COPYING.txt for license details.
  */
 
+use Magento\Framework\Escaper;
+use Magento\Framework\View\Helper\SecureHtmlRenderer;
+use Magento\Sales\Block\Adminhtml\Order\Create\Sidebar;
+use Magento\Sales\ViewModel\Order\Create\SidebarPermissionCheck;
+
 /**
- * @var \Magento\Sales\Block\Adminhtml\Order\Create\Sidebar $block
- * @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
+ * @var Sidebar $block
+ * @var SecureHtmlRenderer $secureRenderer
+ * @var Escaper $escaper
  */
+
+/**
+ * @var SidebarPermissionCheck $sideBarPermissionCheck
+ */
+$sideBarPermissionCheck = $block->getData('sideBarPermissionCheck');
+
 ?>
+<?php  if ($sideBarPermissionCheck->isAllowed()): ?>
 <div class="customer-current-activity-inner">
-    <h4 class="customer-activity-title"><?= $block->escapeHtml(__('Customer\'s Activities')) ?></h4>
+    <h4 class="customer-activity-title"><?= $escaper->escapeHtml(__('Customer\'s Activities')) ?></h4>
     <div class="create-order-sidebar-container">
     <?= $block->getChildHtml('top_button') ?>
     <?php foreach ($block->getLayout()->getChildBlocks($block->getNameInLayout()) as $_alias => $_child): ?>
         <?php if ($_alias != 'top_button' && $_alias != 'bottom_button'): ?>
             <?php if ($block->canDisplay($_child)): ?>
-                <div class="order-sidebar-block" id="order-sidebar_<?= $block->escapeHtmlAttr($_alias) ?>">
+                <div class="order-sidebar-block" id="order-sidebar_<?= $escaper->escapeHtmlAttr($_alias) ?>">
                     <?= $block->getChildHtml($_alias) ?>
                 </div>
             <?php endif; ?>
@@ -25,6 +38,7 @@
     <?= $block->getChildHtml('bottom_button') ?>
     </div>
 </div>
+<?php endif; ?>
 <?php $scriptString = <<<script
 require([
     "prototype",

app/code/Magento/Shipping/Controller/Adminhtml/Order/Shipment/NewAction.php

@@ -17,7 +17,7 @@ class NewAction extends \Magento\Backend\App\Action implements HttpGetActionInte
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::shipment';
+    public const ADMIN_RESOURCE = 'Magento_Sales::ship';
 
     /**
      * @var \Magento\Shipping\Controller\Adminhtml\Order\ShipmentLoader

app/code/Magento/Shipping/Controller/Adminhtml/Order/Shipment/Save.php

@@ -22,7 +22,7 @@ class Save extends \Magento\Backend\App\Action implements HttpPostActionInterfac
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::shipment';
+    public const ADMIN_RESOURCE = 'Magento_Sales::ship';
 
     /**
      * @var \Magento\Shipping\Controller\Adminhtml\Order\ShipmentLoader

app/code/Magento/Shipping/Controller/Adminhtml/Order/Shipment/Start.php

@@ -15,7 +15,7 @@ class Start extends \Magento\Backend\App\Action implements HttpGetActionInterfac
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::shipment';
+    public const ADMIN_RESOURCE = 'Magento_Sales::ship';
 
     /**
      * Start create shipment action

app/code/Magento/Shipping/etc/acl.xml

@@ -13,7 +13,7 @@
                     <resource id="Magento_Backend::stores_settings">
                         <resource id="Magento_Config::config">
                             <resource id="Magento_Shipping::config_shipping" title="Shipping Settings Section" translate="title" sortOrder="5" />
-                            <resource id="Magento_Shipping::shipping_policy" title="Shipping Policy Parameters Section" translate="title" sortOrder="5" />
+                            <resource id="Magento_Shipping::shipping_policy" title="Shipping Policy Parameters Section" translate="title" sortOrder="5" disabled="true" />
                             <resource id="Magento_Shipping::carriers" title="Delivery Methods Section" translate="title" sortOrder="5" />
                         </resource>
                     </resource>

dev/tests/integration/testsuite/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/SaveTest.php

@@ -21,6 +21,11 @@
  */
 class SaveTest extends AbstractCreditmemoControllerTest
 {
+    /**
+     * @var string
+     */
+    protected $resource = 'Magento_Sales::creditmemo';
+
     /**
      * @var string
      */

dev/tests/integration/testsuite/Magento/Shipping/Controller/Adminhtml/Order/Shipment/SaveTest.php

@@ -18,6 +18,11 @@
  */
 class SaveTest extends AbstractShipmentControllerTest
 {
+    /**
+     * @var string
+     */
+    protected $resource = 'Magento_Sales::ship';
+
     /**
      * @var string
      */
@@ -105,8 +110,7 @@ private function prepareRequest(array $params = [])
             ]
         );
 
-        $data = $params ?? [];
-        $this->getRequest()->setPostValue($data);
+        $this->getRequest()->setPostValue($params);
 
         return $order;
     }