merge magento/2.3.6-develop into magento-borg/MC-34648

Author: magento-mts-svc

app/code/Magento/Authorization/Model/ResourceModel/Role.php

@@ -119,6 +119,8 @@ protected function _afterDelete(\Magento\Framework\Model\AbstractModel $role)
 
         $connection->delete($this->_ruleTable, ['role_id = ?' => (int)$role->getId()]);
 
+        $this->_cache->clean(\Zend_Cache::CLEANING_MODE_MATCHING_TAG, [\Magento\Backend\Block\Menu::CACHE_TAGS]);
+
         return $this;
     }
 

app/code/Magento/Authorization/Model/Role.php

@@ -33,6 +33,11 @@ class Role extends \Magento\Framework\Model\AbstractModel
      */
     protected $_eventPrefix = 'authorization_roles';
 
+    /**
+     * @var string
+     */
+    protected $_cacheTag = 'user_assigned_role';
+
     /**
      * @param \Magento\Framework\Model\Context $context
      * @param \Magento\Framework\Registry $registry

app/code/Magento/Backend/App/AbstractAction.php

@@ -5,9 +5,12 @@
  */
 namespace Magento\Backend\App;
 
+use Magento\Framework\Encryption\Helper\Security;
+
 /**
  * Generic backend controller
  *
+ * phpcs:disable Magento2.Classes.AbstractApi
  * @api
  * @SuppressWarnings(PHPMD.NumberOfChildren)
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
@@ -101,6 +104,8 @@ public function __construct(Action\Context $context)
     }
 
     /**
+     * Checking if the user has access to requested component.
+     *
      * @return bool
      */
     protected function _isAllowed()
@@ -119,6 +124,8 @@ protected function _getSession()
     }
 
     /**
+     * Get message manager.
+     *
      * @return \Magento\Framework\Message\ManagerInterface
      */
     protected function getMessageManager()
@@ -146,6 +153,8 @@ protected function _setActiveMenu($itemId)
     }
 
     /**
+     * Prepare breadcrumbs.
+     *
      * @param string $label
      * @param string $title
      * @param string|null $link
@@ -158,6 +167,8 @@ protected function _addBreadcrumb($label, $title, $link = null)
     }
 
     /**
+     * Add content to specified block.
+     *
      * @param \Magento\Framework\View\Element\AbstractBlock $block
      * @return $this
      */
@@ -167,6 +178,8 @@ protected function _addContent(\Magento\Framework\View\Element\AbstractBlock $bl
     }
 
     /**
+     * Move block to left container.
+     *
      * @param \Magento\Framework\View\Element\AbstractBlock $block
      * @return $this
      */
@@ -176,6 +189,8 @@ protected function _addLeft(\Magento\Framework\View\Element\AbstractBlock $block
     }
 
     /**
+     * Add js to specified block.
+     *
      * @param \Magento\Framework\View\Element\AbstractBlock $block
      * @return $this
      */
@@ -200,6 +215,8 @@ private function _moveBlockToContainer(\Magento\Framework\View\Element\AbstractB
     }
 
     /**
+     * Dispatch request.
+     *
      * @param \Magento\Framework\App\RequestInterface $request
      * @return \Magento\Framework\App\ResponseInterface
      */
@@ -286,8 +303,7 @@ public function _processUrlKeys()
     }
 
     /**
-     * Set session locale,
-     * process force locale set through url params
+     * Set session locale, process force locale set through url params.
      *
      * @return $this
      */
@@ -309,8 +325,8 @@ protected function _processLocaleSettings()
      * Set redirect into response
      *
      * @TODO MAGETWO-28356: Refactor controller actions to new ResultInterface
-     * @param   string $path
-     * @param   array $arguments
+     * @param string $path
+     * @param array $arguments
      * @return \Magento\Framework\App\ResponseInterface
      */
     protected function _redirect($path, $arguments = [])
@@ -333,7 +349,7 @@ protected function _redirect($path, $arguments = [])
     protected function _forward($action, $controller = null, $module = null, array $params = null)
     {
         $this->_getSession()->setIsUrlNotice($this->_actionFlag->get('', self::FLAG_IS_URLS_CHECKED));
-        return parent::_forward($action, $controller, $module, $params);
+        parent::_forward($action, $controller, $module, $params);
     }
 
     /**
@@ -360,7 +376,7 @@ protected function _validateSecretKey()
         }
 
         $secretKey = $this->getRequest()->getParam(\Magento\Backend\Model\UrlInterface::SECRET_KEY_PARAM_NAME, null);
-        if (!$secretKey || $secretKey != $this->_backendUrl->getSecretKey()) {
+        if (!$secretKey || !Security::compareStrings($secretKey, $this->_backendUrl->getSecretKey())) {
             return false;
         }
         return true;

app/code/Magento/Backend/Block/Widget/Grid/Export.php

@@ -9,6 +9,8 @@
 use Magento\Framework\App\Filesystem\DirectoryList;
 
 /**
+ * Class Export for exporting grid data as CSV file or MS Excel 2003 XML Document file
+ *
  * @api
  * @deprecated 100.2.0 in favour of UI component implementation
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
@@ -69,6 +71,8 @@ public function __construct(
     }
 
     /**
+     * Internal constructor, that is called from real constructor
+     *
      * @return void
      * @throws \Magento\Framework\Exception\LocalizedException
      */
@@ -242,6 +246,7 @@ protected function _getExportTotals()
 
     /**
      * Iterate collection and call callback method per item
+     *
      * For callback method first argument always is item object
      *
      * @param string $callback
@@ -273,7 +278,12 @@ public function _exportIterateCollection($callback, array $args)
 
             $collection = $this->_getRowCollection($originalCollection);
             foreach ($collection as $item) {
-                call_user_func_array([$this, $callback], array_merge([$item], $args));
+                //phpcs:ignore Magento2.Functions.DiscouragedFunction
+                call_user_func_array(
+                    [$this, $callback],
+                    // phpcs:ignore Magento2.Performance.ForeachArrayMerge
+                    array_merge([$item], $args)
+                );
             }
         }
     }
@@ -307,7 +317,7 @@ protected function _exportCsvItem(
      */
     public function getCsvFile()
     {
-        $name = md5(microtime());
+        $name = hash('sha256', microtime());
         $file = $this->_path . '/' . $name . '.csv';
 
         $this->_directory->create($this->_path);
@@ -432,11 +442,11 @@ public function getRowRecord(\Magento\Framework\DataObject $data)
      */
     public function getExcelFile($sheetName = '')
     {
-        $collection = $this->_getRowCollection();
+        $collection = $this->_getPreparedCollection();
 
         $convert = new \Magento\Framework\Convert\Excel($collection->getIterator(), [$this, 'getRowRecord']);
 
-        $name = md5(microtime());
+        $name = hash('sha256', microtime());
         $file = $this->_path . '/' . $name . '.xml';
 
         $this->_directory->create($this->_path);
@@ -551,6 +561,8 @@ public function _getPreparedCollection()
     }
 
     /**
+     * Get export page size
+     *
      * @return int
      */
     public function getExportPageSize()

app/code/Magento/Backend/Block/Widget/Grid/Extended.php

@@ -8,6 +8,8 @@
 use Magento\Framework\App\Filesystem\DirectoryList;
 
 /**
+ * Extended Grid Widget
+ *
  * @api
  * @deprecated 100.2.0 in favour of UI component implementation
  * @SuppressWarnings(PHPMD.ExcessivePublicCount)
@@ -177,7 +179,10 @@ class Extended extends \Magento\Backend\Block\Widget\Grid implements \Magento\Ba
     protected $_path = 'export';
 
     /**
+     * Initialization
+     *
      * @return void
+     * @throws \Magento\Framework\Exception\FileSystemException
      */
     protected function _construct()
     {
@@ -297,6 +302,7 @@ public function addColumn($columnId, $column)
             );
             $this->getColumnSet()->getChildBlock($columnId)->setGrid($this);
         } else {
+            // phpcs:ignore Magento2.Exceptions.DirectThrow
             throw new \Exception(__('Please correct the column format and try again.'));
         }
 
@@ -471,10 +477,6 @@ protected function _prepareMassactionColumn()
     protected function _prepareCollection()
     {
         if ($this->getCollection()) {
-            if ($this->getCollection()->isLoaded()) {
-                $this->getCollection()->clear();
-            }
-
             parent::_prepareCollection();
 
             if (!$this->_isExport) {
@@ -663,6 +665,7 @@ public function setEmptyCellLabel($label)
      */
     public function getRowUrl($item)
     {
+        // phpstan:ignore "Call to an undefined static method"
         $res = parent::getRowUrl($item);
         return $res ? $res : '#';
     }
@@ -680,6 +683,7 @@ public function getMultipleRows($item)
 
     /**
      * Retrieve columns for multiple rows
+     *
      * @return array
      */
     public function getMultipleRowColumns()
@@ -943,6 +947,7 @@ protected function _getExportTotals()
 
     /**
      * Iterate collection and call callback method per item
+     *
      * For callback method first argument always is item object
      *
      * @param string $callback
@@ -972,7 +977,12 @@ public function _exportIterateCollection($callback, array $args)
             $page++;
 
             foreach ($collection as $item) {
-                call_user_func_array([$this, $callback], array_merge([$item], $args));
+                //phpcs:ignore Magento2.Functions.DiscouragedFunction
+                call_user_func_array(
+                    [$this, $callback],
+                    // phpcs:ignore Magento2.Performance.ForeachArrayMerge
+                    array_merge([$item], $args)
+                );
             }
         }
     }
@@ -1009,6 +1019,7 @@ public function getCsvFile()
         $this->_isExport = true;
         $this->_prepareGrid();
 
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $name = md5(microtime());
         $file = $this->_path . '/' . $name . '.csv';
 
@@ -1153,6 +1164,7 @@ public function getExcelFile($sheetName = '')
             [$this, 'getRowRecord']
         );
 
+        // phpcs:ignore Magento2.Security.InsecureFunction
         $name = md5(microtime());
         $file = $this->_path . '/' . $name . '.xml';
 
@@ -1244,7 +1256,7 @@ public function setCollection($collection)
     }
 
     /**
-     * get collection object
+     * Get collection object
      *
      * @return \Magento\Framework\Data\Collection
      */

app/code/Magento/Backend/Model/Auth/Session.php

@@ -5,8 +5,10 @@
  */
 namespace Magento\Backend\Model\Auth;
 
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Stdlib\Cookie\CookieMetadataFactory;
 use Magento\Framework\Stdlib\CookieManagerInterface;
+use Magento\Framework\Message\ManagerInterface;
 
 /**
  * Backend Auth session model
@@ -56,6 +58,11 @@ class Session extends \Magento\Framework\Session\SessionManager implements \Mage
      */
     protected $_config;
 
+    /**
+     * @var ManagerInterface
+     */
+    private $messageManager;
+
     /**
      * @param \Magento\Framework\App\Request\Http $request
      * @param \Magento\Framework\Session\SidResolverInterface $sidResolver
@@ -69,6 +76,7 @@ class Session extends \Magento\Framework\Session\SessionManager implements \Mage
      * @param \Magento\Framework\Acl\Builder $aclBuilder
      * @param \Magento\Backend\Model\UrlInterface $backendUrl
      * @param \Magento\Backend\App\ConfigInterface $config
+     * @param ManagerInterface $messageManager
      * @throws \Magento\Framework\Exception\SessionException
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
@@ -84,11 +92,13 @@ public function __construct(
         \Magento\Framework\App\State $appState,
         \Magento\Framework\Acl\Builder $aclBuilder,
         \Magento\Backend\Model\UrlInterface $backendUrl,
-        \Magento\Backend\App\ConfigInterface $config
+        \Magento\Backend\App\ConfigInterface $config,
+        ManagerInterface $messageManager = null
     ) {
         $this->_config = $config;
         $this->_aclBuilder = $aclBuilder;
         $this->_backendUrl = $backendUrl;
+        $this->messageManager = $messageManager ?? ObjectManager::getInstance()->get(ManagerInterface::class);
         parent::__construct(
             $request,
             $sidResolver,
@@ -171,6 +181,25 @@ public function isLoggedIn()
      */
     public function prolong()
     {
+        $sessionUser = $this->getUser();
+        $errorMessage = '';
+        if ($sessionUser !== null) {
+            if ((int)$sessionUser->getIsActive() !== 1) {
+                $errorMessage = 'The account sign-in was incorrect or your account is disabled temporarily. '
+                    . 'Please wait and try again later.';
+            }
+            if (!$sessionUser->hasAssigned2Role($sessionUser->getId())) {
+                $errorMessage = 'More permissions are needed to access this.';
+            }
+
+            if (!empty($errorMessage)) {
+                $this->destroy();
+                $this->messageManager->addErrorMessage(__($errorMessage));
+
+                return;
+            }
+        }
+
         $lifetime = $this->_config->getValue(self::XML_PATH_SESSION_LIFETIME);
         $cookieValue = $this->cookieManager->getCookie($this->getName());
 

app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/ExtendedTest.php

@@ -32,8 +32,8 @@ public function testPrepareLoadedCollection()
         $layout->expects($this->any())->method('getBlock')->will($this->returnValue($columnSet));
 
         $collection = $this->createMock(\Magento\Framework\Data\Collection::class);
-        $collection->expects($this->atLeastOnce())->method('isLoaded')->will($this->returnValue(true));
-        $collection->expects($this->atLeastOnce())->method('clear');
+        $collection->expects($this->never())->method('isLoaded');
+        $collection->expects($this->never())->method('clear');
         $collection->expects($this->atLeastOnce())->method('load');
 
         /** @var \Magento\Backend\Block\Widget\Grid\Extended $block */