magento
diff --git a/‎app/code/Magento/AsynchronousOperations/Model/MassPublisher.php
Lines changed: 2 additions & 1 deletion b/‎app/code/Magento/AsynchronousOperations/Model/MassPublisher.php
Lines changed: 2 additions & 1 deletion
diff --git a/‎app/code/Magento/Authorization/Model/Acl/Loader/Rule.php
Lines changed: 56 additions & 3 deletions b/‎app/code/Magento/Authorization/Model/Acl/Loader/Rule.php
Lines changed: 56 additions & 3 deletions
diff --git a/‎app/code/Magento/Authorization/Test/Fixture/Role.php
Lines changed: 118 additions & 0 deletions b/‎app/code/Magento/Authorization/Test/Fixture/Role.php
Lines changed: 118 additions & 0 deletions
diff --git a/‎app/code/Magento/Authorization/Test/Unit/Model/Acl/Loader/RuleTest.php
Lines changed: 19 additions & 8 deletions b/‎app/code/Magento/Authorization/Test/Unit/Model/Acl/Loader/RuleTest.php
Lines changed: 19 additions & 8 deletions
diff --git a/‎app/code/Magento/AwsS3/Test/Mftf/Test/AdminAwsS3ImportBundleProductTest.xml
Lines changed: 3 additions & 0 deletions b/‎app/code/Magento/AwsS3/Test/Mftf/Test/AdminAwsS3ImportBundleProductTest.xml
Lines changed: 3 additions & 0 deletions
diff --git a/‎app/code/Magento/AwsS3/Test/Mftf/Test/AdminAwsS3ImportDownloadableProductsWithFileLinksTest.xml
Lines changed: 3 additions & 0 deletions b/‎app/code/Magento/AwsS3/Test/Mftf/Test/AdminAwsS3ImportDownloadableProductsWithFileLinksTest.xml
Lines changed: 3 additions & 0 deletions
diff --git a/‎app/code/Magento/AwsS3/Test/Mftf/Test/AdminAwsS3ImportDownloadableProductsWithUrlLinksTest.xml
Lines changed: 3 additions & 0 deletions b/‎app/code/Magento/AwsS3/Test/Mftf/Test/AdminAwsS3ImportDownloadableProductsWithUrlLinksTest.xml
Lines changed: 3 additions & 0 deletions
diff --git a/‎app/code/Magento/AwsS3/Test/Mftf/Test/AdminAwsS3ImportGroupedProductTest.xml
Lines changed: 3 additions & 0 deletions b/‎app/code/Magento/AwsS3/Test/Mftf/Test/AdminAwsS3ImportGroupedProductTest.xml
Lines changed: 3 additions & 0 deletions
diff --git a/‎app/code/Magento/AwsS3/Test/Mftf/Test/AdminAwsS3ImportSimpleAndConfigurableProductsWithAssignedImagesTest.xml
Lines changed: 3 additions & 0 deletions b/‎app/code/Magento/AwsS3/Test/Mftf/Test/AdminAwsS3ImportSimpleAndConfigurableProductsWithAssignedImagesTest.xml
Lines changed: 3 additions & 0 deletions
diff --git a/‎app/code/Magento/AwsS3/Test/Mftf/Test/AdminAwsS3ImportSimpleProductImagesDuplicationTest.xml
Lines changed: 3 additions & 0 deletions b/‎app/code/Magento/AwsS3/Test/Mftf/Test/AdminAwsS3ImportSimpleProductImagesDuplicationTest.xml
Lines changed: 3 additions & 0 deletions
@@ -79,7 +79,7 @@ public function __construct(
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function publish($topicName, $data)
     {
@@ -91,6 +91,7 @@ public function publish($topicName, $data)
                 [
                     'body' => $message,
                     'properties' => [
+                        'topic_name' => $topicName,
                         'delivery_mode' => 2,
                         'message_id' => $this->messageIdGenerator->generate($topicName),
                     ]
 
@@ -7,6 +7,7 @@
 
 namespace Magento\Authorization\Model\Acl\Loader;
 
+use Magento\Framework\Acl;
 use Magento\Framework\Acl\Data\CacheInterface;
 use Magento\Framework\Acl\LoaderInterface;
 use Magento\Framework\Acl\RootResource;
@@ -21,7 +22,12 @@ class Rule implements LoaderInterface
     /**
      * Rules array cache key
      */
-    const ACL_RULE_CACHE_KEY = 'authorization_rule_cached_data';
+    public const ACL_RULE_CACHE_KEY = 'authorization_rule_cached_data';
+
+    /**
+     * Allow everything resource id
+     */
+    private const ALLOW_EVERYTHING = 'Magento_Backend::all';
 
     /**
      * @var ResourceConnection
@@ -75,27 +81,74 @@ public function __construct(
     /**
      * Populate ACL with rules from external storage
      *
-     * @param \Magento\Framework\Acl $acl
+     * @param Acl $acl
      * @return void
      */
-    public function populateAcl(\Magento\Framework\Acl $acl)
+    public function populateAcl(Acl $acl)
     {
+        $result = $this->applyPermissionsAccordingToRules($acl);
+        $this->applyDenyPermissionsForMissingRules($acl, ...$result);
+    }
+
+    /**
+     * Apply ACL with rules
+     *
+     * @param Acl $acl
+     * @return array[]
+     */
+    private function applyPermissionsAccordingToRules(Acl $acl): array
+    {
+        $foundResources = $foundDeniedRoles = [];
         foreach ($this->getRulesArray() as $rule) {
             $role = $rule['role_id'];
             $resource = $rule['resource_id'];
             $privileges = !empty($rule['privileges']) ? explode(',', $rule['privileges']) : null;
 
             if ($acl->has($resource)) {
+                $foundResources[$resource] = $resource;
                 if ($rule['permission'] == 'allow') {
                     if ($resource === $this->_rootResource->getId()) {
                         $acl->allow($role, null, $privileges);
                     }
                     $acl->allow($role, $resource, $privileges);
                 } elseif ($rule['permission'] == 'deny') {
+                    $foundDeniedRoles[$role] = $role;
                     $acl->deny($role, $resource, $privileges);
                 }
             }
         }
+        return [$foundResources, $foundDeniedRoles];
+    }
+
+    /**
+     * Apply deny permissions for missing rules
+     *
+     * For all rules that were not regenerated in authorization_rule table,
+     * when adding a new module and without re-saving all roles,
+     * consider not present rules with deny permissions
+     *
+     * @param Acl $acl
+     * @param array $resources
+     * @param array $deniedRoles
+     * @return void
+     */
+    private function applyDenyPermissionsForMissingRules(
+        Acl $acl,
+        array $resources,
+        array $deniedRoles
+    ) {
+        if (count($resources) && count($deniedRoles)
+            //ignore denying missing permission if all are allowed
+            && !(count($resources) === 1 && isset($resources[static::ALLOW_EVERYTHING]))
+        ) {
+            foreach ($acl->getResources() as $resource) {
+                if (!isset($resources[$resource])) {
+                    foreach ($deniedRoles as $role) {
+                        $acl->deny($role, $resource, null);
+                    }
+                }
+            }
+        }
     }
 
     /**
 
@@ -0,0 +1,118 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Authorization\Test\Fixture;
+
+use Magento\Authorization\Model\Acl\Role\Group;
+use Magento\Authorization\Model\ResourceModel\Role as RoleResource;
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\Framework\DataObject;
+use Magento\SharedCatalog\Model\SharedCatalogFactory;
+use Magento\TestFramework\Fixture\Data\ProcessorInterface;
+use Magento\TestFramework\Fixture\RevertibleDataFixtureInterface;
+use Magento\Authorization\Model\RoleFactory;
+use Magento\Authorization\Model\RulesFactory;
+use Magento\User\Model\UserFactory;
+
+/**
+ * Creating a new admin role
+ */
+class Role implements RevertibleDataFixtureInterface
+{
+    private const DEFAULT_DATA = [
+        'role_name' => 'Role Name %uniqid%',
+        'role_type' => Group::ROLE_TYPE,
+        'user_id' => 0,
+        'user_type' => UserContextInterface::USER_TYPE_ADMIN
+    ];
+
+    private const DEFAULT_DATA_RULES = [
+        'id' => null,
+        'role_id' => null,
+        'resources' => ['Magento_Backend::all']
+    ];
+
+    /**
+     * @var RoleFactory
+     */
+    private $roleFactory;
+
+    /**
+     * @var ProcessorInterface
+     */
+    private $dataProcessor;
+
+    /**
+     * @var RoleResource
+     */
+    private $roleResourceModel;
+
+    /**
+     * @var RulesFactory
+     */
+    private $rulesFactory;
+
+    /**
+     * @param RoleFactory $roleFactory
+     * @param RoleResource $roleResourceModel
+     * @param RulesFactory $rulesFactory
+     * @param ProcessorInterface $dataProcessor
+     */
+    public function __construct(
+        RoleFactory        $roleFactory,
+        RoleResource       $roleResourceModel,
+        RulesFactory       $rulesFactory,
+        ProcessorInterface $dataProcessor
+    ) {
+        $this->roleFactory = $roleFactory;
+        $this->roleResourceModel = $roleResourceModel;
+        $this->rulesFactory = $rulesFactory;
+        $this->dataProcessor = $dataProcessor;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function apply(array $data = []): ?DataObject
+    {
+        $role = $this->roleFactory->create();
+        $role->setData($this->prepareData(array_diff_key($data, self::DEFAULT_DATA_RULES)));
+        $this->roleResourceModel->save($role);
+
+        $rules = $this->rulesFactory->create();
+        $rules->setRoleId($role->getId() ?? null);
+        $rules->setResources($data['resources'] ?? self::DEFAULT_DATA_RULES['resources']);
+        $rules->saveRel();
+
+        return $role;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function revert(DataObject $data): void
+    {
+        $role = $this->roleFactory->create();
+        $role->load($data->getId());
+
+        if ($role->getId() !== null) {
+            $role->delete();
+        }
+    }
+
+    /**
+     * Prepare admin role data
+     *
+     * @param array $data
+     * @return array
+     */
+    private function prepareData(array $data): array
+    {
+        $data = array_merge(self::DEFAULT_DATA, $data);
+        return $this->dataProcessor->process($this, $data);
+    }
+}
@@ -97,6 +97,11 @@ static function ($value) {
      */
     public function testPopulateAclFromCache(): void
     {
+        $rules = [
+            ['role_id' => 1, 'resource_id' => 'Magento_Backend::all', 'permission' => 'allow'],
+            ['role_id' => 2, 'resource_id' => 1, 'permission' => 'allow'],
+            ['role_id' => 3, 'resource_id' => 1, 'permission' => 'deny']
+        ];
         $this->resourceMock->expects($this->never())->method('getTable');
         $this->resourceMock->expects($this->never())
             ->method('getConnection');
@@ -105,13 +110,7 @@ public function testPopulateAclFromCache(): void
             ->method('load')
             ->with(Rule::ACL_RULE_CACHE_KEY)
             ->willReturn(
-                json_encode(
-                    [
-                        ['role_id' => 1, 'resource_id' => 'Magento_Backend::all', 'permission' => 'allow'],
-                        ['role_id' => 2, 'resource_id' => 1, 'permission' => 'allow'],
-                        ['role_id' => 3, 'resource_id' => 1, 'permission' => 'deny']
-                    ]
-                )
+                json_encode($rules)
             );
 
         $aclMock = $this->createMock(Acl::class);
@@ -123,9 +122,21 @@ public function testPopulateAclFromCache(): void
                 ['1', 'Magento_Backend::all', null],
                 ['2', 1, null]
             );
+
         $aclMock
             ->method('deny')
-            ->with('3', 1, null);
+            ->withConsecutive(
+                ['3', 1, null]
+            );
+
+        $aclMock
+            ->method('getResources')
+            ->willReturn([
+                'Magento_Backend::all',
+                'Magento_Backend::admin',
+                'Vendor_MyModule::menu',
+                'Vendor_MyModule::index'
+            ]);
 
         $this->model->populateAcl($aclMock);
     }
 
@@ -59,6 +59,9 @@
             <helper class="Magento\AwsS3\Test\Mftf\Helper\S3FileAssertions" method="deleteDirectory" stepKey="deleteImportImagesFilesDirectoryS3" after="deleteImportFilesDirectoryS3">
                 <argument name="path">var/import/images/{{ImportProduct_Bundle.name}}</argument>
             </helper>
+            <actionGroup ref="CliCacheFlushActionGroup" stepKey="flushCache" after="deleteImportImagesFilesDirectoryS3">
+                <argument name="tags" value=""/>
+            </actionGroup>
 
             <!-- Disable AWS S3 Remote Storage & Delete Local Data -->
             <magentoCLI command="setup:config:set {{RemoteStorageAwsS3ConfigData.disable_options}}" stepKey="disableRemoteStorage" after="logoutFromAdmin"/>
 
@@ -75,6 +75,9 @@
             <helper class="Magento\AwsS3\Test\Mftf\Helper\S3FileAssertions" method="deleteDirectory" stepKey="deleteImportImagesFilesDirectoryS3" after="deleteImportFilesDirectoryS3">
                 <argument name="path">var/import/images/{{ImportProduct_Downloadable_FileLinks.name}}</argument>
             </helper>
+            <actionGroup ref="CliCacheFlushActionGroup" stepKey="flushCache" after="deleteImportImagesFilesDirectoryS3">
+                <argument name="tags" value=""/>
+            </actionGroup>
 
             <!-- Disable AWS S3 Remote Storage & Delete Local Data -->
             <magentoCLI command="setup:config:set {{RemoteStorageAwsS3ConfigData.disable_options}}" stepKey="disableRemoteStorage" after="logoutFromAdmin"/>
 
@@ -59,6 +59,9 @@
             <helper class="Magento\AwsS3\Test\Mftf\Helper\S3FileAssertions" method="deleteDirectory" stepKey="deleteImportImagesFilesDirectoryS3" after="deleteImportFilesDirectoryS3">
                 <argument name="path">var/import/images/{{ImportProduct_Downloadable_UrlLinks.name}}</argument>
             </helper>
+            <actionGroup ref="CliCacheFlushActionGroup" stepKey="flushCache" after="deleteImportImagesFilesDirectoryS3">
+                <argument name="tags" value=""/>
+            </actionGroup>
 
             <!-- Disable AWS S3 Remote Storage & Delete Local Data -->
             <magentoCLI command="setup:config:set {{RemoteStorageAwsS3ConfigData.disable_options}}" stepKey="disableRemoteStorage" after="logoutFromAdmin"/>
 
@@ -59,6 +59,9 @@
             <helper class="Magento\AwsS3\Test\Mftf\Helper\S3FileAssertions" method="deleteDirectory" stepKey="deleteImportImagesFilesDirectoryS3" after="deleteImportFilesDirectoryS3">
                 <argument name="path">var/import/images/{{ImportProduct_Grouped.name}}</argument>
             </helper>
+            <actionGroup ref="CliCacheFlushActionGroup" stepKey="flushCache" after="deleteImportImagesFilesDirectoryS3">
+                <argument name="tags" value=""/>
+            </actionGroup>
 
             <!-- Disable AWS S3 Remote Storage & Delete Local Data -->
             <magentoCLI command="setup:config:set {{RemoteStorageAwsS3ConfigData.disable_options}}" stepKey="disableRemoteStorage" after="logoutFromAdmin"/>
 
@@ -60,6 +60,9 @@
             <helper class="Magento\AwsS3\Test\Mftf\Helper\S3FileAssertions" method="deleteDirectory" stepKey="deleteImportImagesFilesDirectoryS3" after="deleteImportFilesDirectoryS3">
                 <argument name="path">var/import/images/{{ImportProduct_Configurable.name}}</argument>
             </helper>
+            <actionGroup ref="CliCacheFlushActionGroup" stepKey="flushCache" after="deleteImportImagesFilesDirectoryS3">
+                <argument name="tags" value=""/>
+            </actionGroup>
 
             <!-- Disable AWS S3 Remote Storage & Delete Local Data -->
             <magentoCLI command="setup:config:set {{RemoteStorageAwsS3ConfigData.disable_options}}" stepKey="disableRemoteStorage" after="logoutFromAdmin"/>
 
@@ -58,6 +58,9 @@
             <helper class="Magento\AwsS3\Test\Mftf\Helper\S3FileAssertions" method="deleteDirectory" stepKey="deleteImportImagesFilesDirectoryS3" after="deleteImportFilesDirectoryS3">
                 <argument name="path">var/import/images/test_image_duplication</argument>
             </helper>
+            <actionGroup ref="CliCacheFlushActionGroup" stepKey="flushCache" after="deleteImportImagesFilesDirectoryS3">
+                <argument name="tags" value=""/>
+            </actionGroup>
 
             <!-- Disable AWS S3 Remote Storage & Delete Local Data -->
             <magentoCLI command="setup:config:set {{RemoteStorageAwsS3ConfigData.disable_options}}" stepKey="disableRemoteStorage" after="logoutFromAdmin"/>
Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ public function __construct(`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`/**`
`82`		`- * {@inheritdoc}`
	`82`	`+ * @inheritdoc`
`83`	`83`	`*/`
`84`	`84`	`public function publish($topicName, $data)`
`85`	`85`	`{`
`@@ -91,6 +91,7 @@ public function publish($topicName, $data)`
`91`	`91`	`[`
`92`	`92`	`'body' => $message,`
`93`	`93`	`'properties' => [`
	`94`	`+ 'topic_name' => $topicName,`
`94`	`95`	`'delivery_mode' => 2,`
`95`	`96`	`'message_id' => $this->messageIdGenerator->generate($topicName),`
`96`	`97`	`]`