MAGETWO-99591: Restricted admin cannot edit reviews from pending reviews grid

Author: Mastiuhin Olexandr

app/code/Magento/Review/Block/Adminhtml/Edit.php

@@ -6,7 +6,7 @@
 namespace Magento\Review\Block\Adminhtml;
 
 /**
- * Review edit form
+ * Review edit form.
  */
 class Edit extends \Magento\Backend\Block\Widget\Form\Container
 {
@@ -77,7 +77,13 @@ protected function _construct()
                 'previous',
                 [
                     'label' => __('Previous'),
-                    'onclick' => 'setLocation(\'' . $this->getUrl('review/*/*', ['id' => $prevId]) . '\')'
+                    'onclick' => 'setLocation(\'' . $this->getUrl(
+                        'review/*/*',
+                        [
+                            'id' => $prevId,
+                            'ret' => $this->getRequest()->getParam('ret'),
+                        ]
+                    ) . '\')'
                 ],
                 3,
                 10
@@ -93,7 +99,10 @@ protected function _construct()
                             'button' => [
                                 'event' => 'save',
                                 'target' => '#edit_form',
-                                'eventData' => ['action' => ['args' => ['next_item' => $prevId]]],
+                                'eventData' => ['action' => ['args' => [
+                                    'next_item' => $prevId,
+                                    'ret' => $this->getRequest()->getParam('ret'),
+                                ]]],
                             ],
                         ],
                     ]
@@ -113,7 +122,10 @@ protected function _construct()
                             'button' => [
                                 'event' => 'save',
                                 'target' => '#edit_form',
-                                'eventData' => ['action' => ['args' => ['next_item' => $nextId]]],
+                                'eventData' => ['action' => ['args' => [
+                                    'next_item' => $nextId,
+                                    'ret' => $this->getRequest()->getParam('ret'),
+                                ]]],
                             ],
                         ],
                     ]
@@ -126,7 +138,13 @@ protected function _construct()
                 'next',
                 [
                     'label' => __('Next'),
-                    'onclick' => 'setLocation(\'' . $this->getUrl('review/*/*', ['id' => $nextId]) . '\')'
+                    'onclick' => 'setLocation(\'' . $this->getUrl(
+                        'review/*/*',
+                        [
+                            'id' => $nextId,
+                            'ret' => $this->getRequest()->getParam('ret'),
+                        ]
+                    ) . '\')'
                 ],
                 3,
                 105

app/code/Magento/Review/Controller/Adminhtml/Product.php

@@ -12,7 +12,7 @@
 use Magento\Review\Model\RatingFactory;
 
 /**
- * Reviews admin controller
+ * Reviews admin controller.
  */
 abstract class Product extends Action
 {
@@ -63,17 +63,10 @@ public function __construct(
     }
 
     /**
-     * @return bool
+     * @inheritdoc
      */
     protected function _isAllowed()
     {
-        switch ($this->getRequest()->getActionName()) {
-            case 'pending':
-                return $this->_authorization->isAllowed('Magento_Review::pending');
-                break;
-            default:
-                return $this->_authorization->isAllowed('Magento_Review::reviews_all');
-                break;
-        }
+        return $this->_authorization->isAllowed('Magento_Review::reviews_all');
     }
 }

app/code/Magento/Review/Controller/Adminhtml/Product/Delete.php

@@ -5,12 +5,25 @@
  */
 namespace Magento\Review\Controller\Adminhtml\Product;
 
+use Magento\Framework\App\Action\HttpPostActionInterface;
 use Magento\Review\Controller\Adminhtml\Product as ProductController;
 use Magento\Framework\Controller\ResultFactory;
+use Magento\Review\Model\Review;
+use Magento\Framework\App\Action\HttpGetActionInterface;
 
-class Delete extends ProductController
+/**
+ * Delete action.
+ */
+class Delete extends ProductController implements HttpGetActionInterface, HttpPostActionInterface
 {
     /**
+     * @var Review
+     */
+    private $model;
+
+    /**
+     * Execute action.
+     *
      * @return \Magento\Backend\Model\View\Result\Redirect
      */
     public function execute()
@@ -19,7 +32,7 @@ public function execute()
         $resultRedirect = $this->resultFactory->create(ResultFactory::TYPE_REDIRECT);
         $reviewId = $this->getRequest()->getParam('id', false);
         try {
-            $this->reviewFactory->create()->setId($reviewId)->aggregate()->delete();
+            $this->getModel()->aggregate()->delete();
 
             $this->messageManager->addSuccess(__('The review has been deleted.'));
             if ($this->getRequest()->getParam('ret') == 'pending') {
@@ -36,4 +49,43 @@ public function execute()
 
         return $resultRedirect->setPath('review/*/edit/', ['id' => $reviewId]);
     }
+
+    /**
+     * @inheritdoc
+     */
+    protected function _isAllowed()
+    {
+        if ($this->_authorization->isAllowed('Magento_Review::reviews_all')) {
+            return true;
+        }
+
+        if (!$this->_authorization->isAllowed('Magento_Review::pending')) {
+            return  false;
+        }
+
+        if ($this->getModel()->getStatusId() != Review::STATUS_PENDING) {
+            $this->messageManager->addErrorMessage(
+                __('Sorry, You have not permission to do this. The Review is not in Pending status.')
+            );
+
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Returns requested model.
+     *
+     * @return Review
+     */
+    private function getModel(): Review
+    {
+        if (!$this->model) {
+            $this->model = $this->reviewFactory->create()
+                ->load($this->getRequest()->getParam('id', false));
+        }
+
+        return $this->model;
+    }
 }

app/code/Magento/Review/Controller/Adminhtml/Product/Edit.php

@@ -8,10 +8,21 @@
 use Magento\Framework\App\Action\HttpGetActionInterface as HttpGetActionInterface;
 use Magento\Review\Controller\Adminhtml\Product as ProductController;
 use Magento\Framework\Controller\ResultFactory;
+use Magento\Review\Model\Review;
 
+/**
+ * Edit action.
+ */
 class Edit extends ProductController implements HttpGetActionInterface
 {
     /**
+     * @var Review
+     */
+    private $review;
+
+    /**
+     * Execute action.
+     *
      * @return \Magento\Backend\Model\View\Result\Page
      */
     public function execute()
@@ -24,4 +35,43 @@ public function execute()
         $resultPage->addContent($resultPage->getLayout()->createBlock(\Magento\Review\Block\Adminhtml\Edit::class));
         return $resultPage;
     }
+
+    /**
+     * @inheritdoc
+     */
+    protected function _isAllowed()
+    {
+        if ($this->_authorization->isAllowed('Magento_Review::reviews_all')) {
+            return true;
+        }
+
+        if (!$this->_authorization->isAllowed('Magento_Review::pending')) {
+            return  false;
+        }
+
+        if ($this->getModel()->getStatusId() != Review::STATUS_PENDING) {
+            $this->messageManager->addErrorMessage(
+                __('Sorry, You have not permission to do this. The Review is not in Pending status.')
+            );
+
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Returns requested model.
+     *
+     * @return Review
+     */
+    private function getModel(): Review
+    {
+        if (!$this->review) {
+            $this->review = $this->reviewFactory->create()
+                ->load($this->getRequest()->getParam('id', false));
+        }
+
+        return $this->review;
+    }
 }

app/code/Magento/Review/Controller/Adminhtml/Product/MassDelete.php

@@ -5,13 +5,54 @@
  */
 namespace Magento\Review\Controller\Adminhtml\Product;
 
+use Magento\Backend\App\Action\Context;
+use Magento\Framework\Registry;
 use Magento\Review\Controller\Adminhtml\Product as ProductController;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Controller\ResultFactory;
+use Magento\Review\Model\RatingFactory;
+use Magento\Review\Model\Review;
+use Magento\Review\Model\ResourceModel\Review\Collection;
+use Magento\Review\Model\ResourceModel\Review\CollectionFactory;
+use Magento\Review\Model\ReviewFactory;
+use Magento\Framework\App\Action\HttpPostActionInterface;
 
-class MassDelete extends ProductController
+/**
+ * Mass Delete action.
+ */
+class MassDelete extends ProductController implements HttpPostActionInterface
 {
     /**
+     * @var Collection
+     */
+    private $collection;
+
+    /**
+     * @var CollectionFactory
+     */
+    private $collectionFactory;
+
+    /**
+     * @param Context $context
+     * @param Registry $coreRegistry
+     * @param ReviewFactory $reviewFactory
+     * @param RatingFactory $ratingFactory
+     * @param CollectionFactory $collectionFactory
+     */
+    public function __construct(
+        Context $context,
+        Registry $coreRegistry,
+        ReviewFactory $reviewFactory,
+        RatingFactory $ratingFactory,
+        CollectionFactory $collectionFactory
+    ) {
+        parent::__construct($context, $coreRegistry, $reviewFactory, $ratingFactory);
+        $this->collectionFactory = $collectionFactory;
+    }
+
+    /**
+     * Execute action.
+     *
      * @return \Magento\Backend\Model\View\Result\Redirect
      */
     public function execute()
@@ -21,8 +62,7 @@ public function execute()
             $this->messageManager->addError(__('Please select review(s).'));
         } else {
             try {
-                foreach ($reviewsIds as $reviewId) {
-                    $model = $this->reviewFactory->create()->load($reviewId);
+                foreach ($this->getCollection() as $model) {
                     $model->delete();
                 }
                 $this->messageManager->addSuccess(
@@ -39,4 +79,54 @@ public function execute()
         $resultRedirect->setPath('review/*/' . $this->getRequest()->getParam('ret', 'index'));
         return $resultRedirect;
     }
+
+    /**
+     * @inheritdoc
+     */
+    protected function _isAllowed()
+    {
+        if ($this->_authorization->isAllowed('Magento_Review::reviews_all')) {
+            return true;
+        }
+
+        if (!$this->_authorization->isAllowed('Magento_Review::pending')) {
+            return false;
+        }
+
+        foreach ($this->getCollection() as $model) {
+            if ($model->getStatusId() != Review::STATUS_PENDING) {
+                $this->messageManager->addErrorMessage(
+                    __(
+                        'Sorry, You have not permission to do this.'
+                        . ' One or more of the reviews are not in Pending Status.'
+                    )
+                );
+
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Returns requested collection.
+     *
+     * @return Collection
+     */
+    private function getCollection(): Collection
+    {
+        if (!$this->collection) {
+            $collection = $this->collectionFactory->create();
+            $collection->addFieldToFilter(
+                'main_table.' . $collection->getResource()
+                    ->getIdFieldName(),
+                $this->getRequest()->getParam('reviews')
+            );
+
+            $this->collection = $collection;
+        }
+
+        return $this->collection;
+    }
 }