Merge branch '2.4-develop' of https://github.com/magento-gl/magento2ce into ACQE-6116

Author: manjusha729

.editorconfig

@@ -14,7 +14,7 @@ trim_trailing_whitespace = false
 [*.{yml,yaml,json}]
 indent_size = 2
 
-[{composer, auth}.json]
+[{composer,auth}.json]
 indent_size = 4
 
 [db_schema_whitelist.json]

app/code/Magento/AdminAnalytics/Test/Mftf/class-file-naming-allowlist

@@ -0,0 +1,2 @@
+CloseAllDialogBoxes
+SelectAdminUsageSetting

app/code/Magento/AdminAnalytics/Test/Unit/Condition/CanViewNotificationTest.php

@@ -75,7 +75,7 @@ public function testIsVisibleLoadDataFromLog($expected, $cacheResponse, $logExis
     /**
      * @return array
      */
-    public function isVisibleProvider()
+    public static function isVisibleProvider()
     {
         return [
             [true, false, false],

app/code/Magento/AdminAnalytics/ViewModel/Metadata.php

@@ -9,7 +9,9 @@
 namespace Magento\AdminAnalytics\ViewModel;
 
 use Magento\Config\Model\Config\Backend\Admin\Custom;
+use Magento\Csp\Helper\CspNonceProvider;
 use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\App\ProductMetadataInterface;
 use Magento\Backend\Model\Auth\Session;
 use Magento\Framework\App\State;
@@ -21,6 +23,11 @@
  */
 class Metadata implements ArgumentInterface
 {
+    /**
+     * @var string
+     */
+    private $nonce;
+
     /**
      * @var State
      */
@@ -41,22 +48,33 @@ class Metadata implements ArgumentInterface
      */
     private $config;
 
+    /**
+     * @var CspNonceProvider
+     */
+    private $nonceProvider;
+
     /**
      * @param ProductMetadataInterface $productMetadata
      * @param Session $authSession
      * @param State $appState
      * @param ScopeConfigInterface $config
+     * @param CspNonceProvider|null $nonceProvider
      */
     public function __construct(
         ProductMetadataInterface $productMetadata,
         Session $authSession,
         State $appState,
-        ScopeConfigInterface $config
+        ScopeConfigInterface $config,
+        CspNonceProvider $nonceProvider = null
     ) {
         $this->productMetadata = $productMetadata;
         $this->authSession = $authSession;
         $this->appState = $appState;
         $this->config = $config;
+
+        $this->nonceProvider = $nonceProvider ?: ObjectManager::getInstance()->get(CspNonceProvider::class);
+
+        $this->nonce = $this->nonceProvider->generateNonce();
     }
 
     /**
@@ -156,4 +174,14 @@ public function getCurrentUserRoleName(): string
     {
         return $this->authSession->getUser()->getRole()->getRoleName();
     }
+
+    /**
+     * Get a random nonce for each request.
+     *
+     * @return string
+     */
+    public function getNonce(): string
+    {
+        return $this->nonce;
+    }
 }

app/code/Magento/AdminAnalytics/composer.json

@@ -11,7 +11,8 @@
         "magento/module-config": "*",
         "magento/module-store": "*",
         "magento/module-ui": "*",
-        "magento/module-release-notification": "*"
+        "magento/module-release-notification": "*",
+        "magento/module-csp": "*"
     },
     "type": "magento2-module",
     "license": [

app/code/Magento/AdminAnalytics/view/adminhtml/templates/tracking.phtml

@@ -6,6 +6,7 @@
 
 /**
  * @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
+ * @var \Magento\Framework\Escaper $escaper
  */
 ?>
 
@@ -22,18 +23,25 @@
 <?php
 /** @var \Magento\AdminAnalytics\ViewModel\Metadata $metadata */
 $metadata = $block->getMetadata();
+$nonce = $escaper->escapeJs($metadata->getNonce());
 $scriptString = '
     var adminAnalyticsMetadata = {
-        "secure_base_url": "' . $block->escapeJs($metadata->getSecureBaseUrlForScope()) . '",
-        "version": "' . $block->escapeJs($metadata->getMagentoVersion()) . '",
-        "product_edition": "' . $block->escapeJs($metadata->getProductEdition()) . '",
-        "user": "' . $block->escapeJs($metadata->getCurrentUser()) . '",
-        "mode": "' . $block->escapeJs($metadata->getMode()) . '",
-        "store_name_default": "' . $block->escapeJs($metadata->getStoreNameForScope()) . '",
-        "admin_user_created": "' . $block->escapeJs($metadata->getCurrentUserCreatedDate()) . '",
-        "admin_user_logdate": "' . $block->escapeJs($metadata->getCurrentUserLogDate()) . '",
-        "admin_user_role_name": "' . $block->escapeJs($metadata->getCurrentUserRoleName()) . '"
+        "secure_base_url": "' . $escaper->escapeJs($metadata->getSecureBaseUrlForScope()) . '",
+        "version": "' . $escaper->escapeJs($metadata->getMagentoVersion()) . '",
+        "product_edition": "' . $escaper->escapeJs($metadata->getProductEdition()) . '",
+        "user": "' . $escaper->escapeJs($metadata->getCurrentUser()) . '",
+        "mode": "' . $escaper->escapeJs($metadata->getMode()) . '",
+        "store_name_default": "' . $escaper->escapeJs($metadata->getStoreNameForScope()) . '",
+        "admin_user_created": "' . $escaper->escapeJs($metadata->getCurrentUserCreatedDate()) . '",
+        "admin_user_logdate": "' . $escaper->escapeJs($metadata->getCurrentUserLogDate()) . '",
+        "admin_user_role_name": "' . $escaper->escapeJs($metadata->getCurrentUserRoleName()) . '"
     };
+
+    var digitalData = {
+        "nonce": "' . $nonce . '"
+    };
+
+    var cspNonce = "' . $nonce . '";
 ';
 ?>
 <?= /* @noEscape */ $secureRenderer->renderTag('script', [], $scriptString, false); ?>

app/code/Magento/AdminNotification/Block/Grid/MassAction/MarkAsReadVisibility.php

@@ -0,0 +1,39 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\AdminNotification\Block\Grid\MassAction;
+
+use Magento\AdminNotification\Controller\Adminhtml\Notification\MarkAsRead;
+use Magento\Backend\Block\Widget\Grid\Massaction\VisibilityCheckerInterface;
+use Magento\Framework\AuthorizationInterface;
+
+/**
+ * Class checks if mark as read action can be displayed on massaction list
+ */
+class MarkAsReadVisibility implements VisibilityCheckerInterface
+{
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     * @param AuthorizationInterface $authorizationInterface
+     */
+    public function __construct(AuthorizationInterface $authorizationInterface)
+    {
+        $this->authorization = $authorizationInterface;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function isVisible()
+    {
+        return $this->authorization->isAllowed(MarkAsRead::ADMIN_RESOURCE);
+    }
+}

app/code/Magento/AdminNotification/Block/Grid/MassAction/RemoveVisibility.php

@@ -0,0 +1,39 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\AdminNotification\Block\Grid\MassAction;
+
+use Magento\AdminNotification\Controller\Adminhtml\Notification\Remove;
+use Magento\Backend\Block\Widget\Grid\Massaction\VisibilityCheckerInterface;
+use Magento\Framework\AuthorizationInterface;
+
+/**
+ * Class checks if remove action can be displayed on massaction list
+ */
+class RemoveVisibility implements VisibilityCheckerInterface
+{
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     * @param AuthorizationInterface $authorizationInterface
+     */
+    public function __construct(AuthorizationInterface $authorizationInterface)
+    {
+        $this->authorization = $authorizationInterface;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function isVisible()
+    {
+        return $this->authorization->isAllowed(Remove::ADMIN_RESOURCE);
+    }
+}

app/code/Magento/AdminNotification/Block/Grid/Renderer/Actions.php

@@ -1,15 +1,14 @@
 <?php
-declare(strict_types=1);
-
 /**
- * Adminhtml AdminNotification Severity Renderer
- *
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
 
 namespace Magento\AdminNotification\Block\Grid\Renderer;
 
+use Magento\AdminNotification\Controller\Adminhtml\Notification\MarkAsRead;
+use Magento\AdminNotification\Controller\Adminhtml\Notification\Remove;
 use Magento\Backend\Block\Context;
 use Magento\Backend\Block\Widget\Grid\Column\Renderer\AbstractRenderer;
 use Magento\Framework\App\ActionInterface;
@@ -45,33 +44,41 @@ public function __construct(Context $context, Data $urlHelper, array $data = [])
      */
     public function render(DataObject $row)
     {
-        $readDetailsHtml = $row->getUrl() ? '<a class="action-details" target="_blank" href="' .
+        $readDetailsHtml = $row->getUrl() ?
+            '<a class="action-details" target="_blank" href="' .
             $this->escapeUrl($row->getUrl())
             . '">' .
             __('Read Details') . '</a>' : '';
 
-        $markAsReadHtml = !$row->getIsRead() ? '<a class="action-mark" href="' . $this->getUrl(
-            '*/*/markAsRead/',
-            ['_current' => true, 'id' => $row->getNotificationId()]
-        ) . '">' . __(
-            'Mark as Read'
-        ) . '</a>' : '';
+        $markAsReadHtml = !$row->getIsRead()
+            && $this->_authorization->isAllowed(MarkAsRead::ADMIN_RESOURCE) ?
+            '<a class="action-mark" href="' . $this->escapeUrl($this->getUrl(
+                '*/*/markAsRead/',
+                ['_current' => true, 'id' => $row->getNotificationId()]
+            )) . '">' . __(
+                'Mark as Read'
+            ) . '</a>' : '';
+
+        $removeUrl = $this->getUrl(
+            '*/*/remove/',
+            [
+                '_current' => true,
+                'id' => $row->getNotificationId(),
+                ActionInterface::PARAM_NAME_URL_ENCODED => $this->_urlHelper->getEncodedUrl()
+            ]
+        );
+
+        $removeHtml = $this->_authorization->isAllowed(Remove::ADMIN_RESOURCE) ?
+            '<a class="action-delete" href="'
+            . $this->escapeUrl($removeUrl)
+            .'" onClick="deleteConfirm('. __('\'Are you sure?\'') .', this.href); return false;">'
+            . __('Remove') .  '</a>' : '';
 
-        $encodedUrl = $this->_urlHelper->getEncodedUrl();
         return sprintf(
-            '%s%s<a class="action-delete" href="%s" onClick="deleteConfirm(\'%s\', this.href); return false;">%s</a>',
+            '%s%s%s',
             $readDetailsHtml,
             $markAsReadHtml,
-            $this->getUrl(
-                '*/*/remove/',
-                [
-                    '_current' => true,
-                    'id' => $row->getNotificationId(),
-                    ActionInterface::PARAM_NAME_URL_ENCODED => $encodedUrl
-                ]
-            ),
-            __('Are you sure?'),
-            __('Remove')
+            $removeHtml,
         );
     }
 }

app/code/Magento/AdminNotification/Controller/Adminhtml/Notification/AjaxMarkAsRead.php

@@ -3,6 +3,8 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\AdminNotification\Controller\Adminhtml\Notification;
 
 use Magento\AdminNotification\Controller\Adminhtml\Notification;
@@ -16,6 +18,13 @@
  */
 class AjaxMarkAsRead extends Notification implements HttpPostActionInterface
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_AdminNotification::mark_as_read';
+
     /**
      * @var NotificationService
      */