ENGCOM-8351: Fixed Issue #14633 Sub-admin role related issue in order view page in magento 2 admin #30001

 - Merge Pull Request #30001 from hws47a/magento2:2.4-develop-issue-14633
 - Merged commits:
   1. 96bef4c
   2. e845244
   3. 27ae51e
   4. 963ff74
   5. 6fa9f6b
   6. 9db8711
   7. 1a908c1
   8. 85f4b81

Author: magento-engcom-team

app/code/Magento/Sales/Block/Adminhtml/Order/View/Tab/Creditmemos.php

@@ -5,41 +5,67 @@
  */
 namespace Magento\Sales\Block\Adminhtml\Order\View\Tab;
 
+use Magento\Backend\Block\Widget\Tab\TabInterface;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\View\Element\Context;
+use Magento\Framework\View\Element\Text\ListText;
+
 /**
  * Order Credit Memos grid
  *
  * @api
  * @since 100.0.2
  */
-class Creditmemos extends \Magento\Framework\View\Element\Text\ListText implements
-    \Magento\Backend\Block\Widget\Tab\TabInterface
+class Creditmemos extends ListText implements TabInterface
 {
     /**
-     * {@inheritdoc}
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     * Creditmemos constructor.
+     *
+     * @param Context $context
+     * @param array $data
+     * @param AuthorizationInterface|null $authorization
+     */
+    public function __construct(
+        Context $context,
+        array $data = [],
+        ?AuthorizationInterface $authorization = null
+    ) {
+        $this->authorization = $authorization ?? ObjectManager::getInstance()->get(AuthorizationInterface::class);
+        parent::__construct($context, $data);
+    }
+
+    /**
+     * @inheritdoc
      */
     public function getTabLabel()
     {
         return __('Credit Memos');
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function getTabTitle()
     {
         return __('Order Credit Memos');
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function canShowTab()
     {
-        return true;
+        return $this->authorization->isAllowed('Magento_Sales::sales_creditmemo');
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function isHidden()
     {

app/code/Magento/Sales/Block/Adminhtml/Order/View/Tab/Invoices.php

@@ -5,41 +5,67 @@
  */
 namespace Magento\Sales\Block\Adminhtml\Order\View\Tab;
 
+use Magento\Backend\Block\Widget\Tab\TabInterface;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\View\Element\Context;
+use Magento\Framework\View\Element\Text\ListText;
+
 /**
  * Order Invoices grid
  *
  * @api
  * @since 100.0.2
  */
-class Invoices extends \Magento\Framework\View\Element\Text\ListText implements
-    \Magento\Backend\Block\Widget\Tab\TabInterface
+class Invoices extends ListText implements TabInterface
 {
     /**
-     * {@inheritdoc}
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     * Invoices constructor.
+     *
+     * @param Context $context
+     * @param array $data
+     * @param AuthorizationInterface|null $authorization
+     */
+    public function __construct(
+        Context $context,
+        array $data = [],
+        ?AuthorizationInterface $authorization = null
+    ) {
+        $this->authorization = $authorization ?? ObjectManager::getInstance()->get(AuthorizationInterface::class);
+        parent::__construct($context, $data);
+    }
+
+    /**
+     * @inheritdoc
      */
     public function getTabLabel()
     {
         return __('Invoices');
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function getTabTitle()
     {
         return __('Order Invoices');
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function canShowTab()
     {
-        return true;
+        return $this->authorization->isAllowed('Magento_Sales::sales_invoice');
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function isHidden()
     {

app/code/Magento/Sales/Block/Adminhtml/Order/View/Tab/Shipments.php

@@ -5,77 +5,89 @@
  */
 namespace Magento\Sales\Block\Adminhtml\Order\View\Tab;
 
+use Magento\Backend\Block\Widget\Tab\TabInterface;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\Registry;
+use Magento\Framework\View\Element\Context;
+use Magento\Framework\View\Element\Text\ListText;
+use Magento\Sales\Model\Order;
+
 /**
  * Order Shipments grid
  *
  * @api
  * @since 100.0.2
  */
-class Shipments extends \Magento\Framework\View\Element\Text\ListText implements
-    \Magento\Backend\Block\Widget\Tab\TabInterface
+class Shipments extends ListText implements TabInterface
 {
     /**
      * Core registry
      *
-     * @var \Magento\Framework\Registry
+     * @var Registry
      */
     protected $_coreRegistry = null;
 
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
     /**
      * Collection factory
      *
-     * @param \Magento\Framework\View\Element\Context $context
-     * @param \Magento\Framework\Registry $coreRegistry
+     * @param Context $context
+     * @param Registry $coreRegistry
      * @param array $data
+     * @param AuthorizationInterface|null $authorization
      */
     public function __construct(
-        \Magento\Framework\View\Element\Context $context,
-        \Magento\Framework\Registry $coreRegistry,
-        array $data = []
+        Context $context,
+        Registry $coreRegistry,
+        array $data = [],
+        ?AuthorizationInterface $authorization = null
     ) {
         $this->_coreRegistry = $coreRegistry;
+        $this->authorization = $authorization ?? ObjectManager::getInstance()->get(AuthorizationInterface::class);
         parent::__construct($context, $data);
     }
 
     /**
      * Retrieve order model instance
      *
-     * @return \Magento\Sales\Model\Order
+     * @return Order
      */
     public function getOrder()
     {
         return $this->_coreRegistry->registry('current_order');
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function getTabLabel()
     {
         return __('Shipments');
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function getTabTitle()
     {
         return __('Order Shipments');
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function canShowTab()
     {
-        if ($this->getOrder()->getIsVirtual()) {
-            return false;
-        }
-        return true;
+        return $this->authorization->isAllowed('Magento_Sales::shipment') && !$this->getOrder()->getIsVirtual();
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function isHidden()
     {

app/code/Magento/Sales/Test/Mftf/Test/AdminViewOrderUserWithRestrictedAccessTest.xml

@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+<tests xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/testSchema.xsd">
+    <test name="AdminViewOrderUserWithRestrictedAccessTest">
+        <annotations>
+            <stories value="Open order with restricted access"/>
+            <title value="Admin opens order with restricted access"/>
+            <description value="Admin opens order with restricted access"/>
+            <severity value="MAJOR"/>
+            <group value="Sales"/>
+        </annotations>
+        <before>
+            <createData entity="SimpleProduct2" stepKey="Product"/>
+            <createData entity="Simple_US_Customer" stepKey="Customer"/>
+
+            <!--Create order-->
+            <createData entity="CustomerCart" stepKey="CustomerCart">
+                <requiredEntity createDataKey="Customer"/>
+            </createData>
+            <createData entity="CustomerCartItem" stepKey="addCartItem">
+                <requiredEntity createDataKey="CustomerCart"/>
+                <requiredEntity createDataKey="Product"/>
+            </createData>
+            <createData entity="CustomerAddressInformation" stepKey="addCustomerOrderAddress">
+                <requiredEntity createDataKey="CustomerCart"/>
+            </createData>
+            <updateData createDataKey="CustomerCart" entity="CustomerOrderPaymentMethod" stepKey="sendCustomerPaymentInformation">
+                <requiredEntity createDataKey="CustomerCart"/>
+            </updateData>
+
+            <actionGroup ref="AdminLoginActionGroup" stepKey="loginAsAdmin"/>
+        </before>
+        <after>
+            <actionGroup ref="AdminLogoutActionGroup" stepKey="logoutAsSecondRoleUser"/>
+            <actionGroup ref="AdminLoginActionGroup" stepKey="loginAsAdmin"/>
+
+            <actionGroup ref="AdminUserOpenAdminRolesPageActionGroup" stepKey="navigateToUserRoleGrid"/>
+            <actionGroup ref="AdminDeleteRoleActionGroup" stepKey="deleteUserRole">
+                <argument name="role" value="adminRole"/>
+            </actionGroup>
+            <actionGroup ref="AdminOpenAdminUsersPageActionGroup" stepKey="goToAllUsersPage"/>
+            <actionGroup ref="AdminDeleteNewUserActionGroup" stepKey="deleteUser">
+                <argument name="userName" value="{{admin2.username}}"/>
+            </actionGroup>
+            <actionGroup ref="AdminLogoutActionGroup" stepKey="logout"/>
+
+            <deleteData createDataKey="Product" stepKey="deleteProduct"/>
+            <deleteData createDataKey="Customer" stepKey="deleteCustomer"/>
+        </after>
+
+        <!--Create user role-->
+        <actionGroup ref="AdminFillUserRoleRequiredDataActionGroup" stepKey="fillUserRoleRequiredData">
+            <argument name="User" value="adminRole"/>
+            <argument name="restrictedRole" value="Dashboard"/>
+        </actionGroup>
+        <actionGroup ref="AdminUserClickRoleResourceTabActionGroup" stepKey="goToRoleResourcesTab"/>
+        <actionGroup ref="AdminAddRestrictedRoleActionGroup" stepKey="addRestrictedRole">
+            <argument name="User" value="adminRole"/>
+            <argument name="restrictedRole" value="Orders"/>
+        </actionGroup>
+        <actionGroup ref="AdminRevokeRoleResourceActionGroup" stepKey="revokeInvoiceAccess">
+            <argument name="resourceName" value="Invoice"/>
+        </actionGroup>
+        <actionGroup ref="AdminRevokeRoleResourceActionGroup" stepKey="revokeCreditMemosAccess">
+            <argument name="resourceName" value="Credit Memos"/>
+        </actionGroup>
+        <actionGroup ref="AdminUserSaveRoleActionGroup" stepKey="saveUserRole" />
+
+        <!--Create New User-->
+        <actionGroup ref="AdminCreateUserActionGroup" stepKey="createAdminUser">
+            <argument name="role" value="adminRole"/>
+            <argument name="User" value="admin2"/>
+        </actionGroup>
+
+        <!--Login as new User-->
+        <actionGroup ref="AdminLogoutActionGroup" stepKey="logoutOfAdmin"/>
+        <actionGroup ref="AdminLoginActionGroup" stepKey="loginAsNewUser">
+            <argument name="username" value="{{admin2.username}}"/>
+            <argument name="password" value="{{admin2.password}}"/>
+        </actionGroup>
+
+        <!--Open created order-->
+        <actionGroup ref="SearchAdminDataGridByKeywordActionGroup" stepKey="searchOrderGridByNameKeyword">
+            <argument name="keyword" value="BillingAddressTX.fullname"/>
+        </actionGroup>
+        <actionGroup ref="AdminOrderGridClickFirstRowActionGroup" stepKey="clickOrderRow"/>
+
+        <!--Assert that error not appears-->
+        <wait time="3" stepKey="waitToBeSureErrorWillNotAppears"/>
+        <dontSeeElement selector="{{AdminConfirmationModalSection.title}}" stepKey="errorMessageShouldNotAppears"/>
+    </test>
+</tests>