Merge pull request #383 from magento-extensibility/develop

[Extensibility] Sprint 53 Stories and Bugs

Author: Kopylova,Olga(okopylova)

.htaccess

@@ -65,13 +65,6 @@
     SecFilterScanPOST Off
 </IfModule>
 
-<IfModule mod_headers.c>
-############################################
-## prevent clickjacking
-
-    Header set X-Frame-Options SAMEORIGIN
-</IfModule>
-
 <IfModule mod_deflate.c>
 
 ############################################
@@ -187,4 +180,4 @@
 ## If running in cluster environment, uncomment this
 ## http://developer.yahoo.com/performance/rules.html#etags
 
-    #FileETag none
+    #FileETag none

app/code/Magento/AdminNotification/Controller/Adminhtml/Notification.php

@@ -14,26 +14,6 @@ class Notification extends \Magento\Backend\App\AbstractAction
      */
     protected function _isAllowed()
     {
-        switch ($this->getRequest()->getActionName()) {
-            case 'markAsRead':
-                $acl = 'Magento_AdminNotification::mark_as_read';
-                break;
-
-            case 'massMarkAsRead':
-                $acl = 'Magento_AdminNotification::mark_as_read';
-                break;
-
-            case 'remove':
-                $acl = 'Magento_AdminNotification::adminnotification_remove';
-                break;
-
-            case 'massRemove':
-                $acl = 'Magento_AdminNotification::adminnotification_remove';
-                break;
-
-            default:
-                $acl = 'Magento_AdminNotification::show_list';
-        }
-        return $this->_authorization->isAllowed($acl);
+        return $this->_authorization->isAllowed('Magento_AdminNotification::show_list');
     }
 }

app/code/Magento/AdminNotification/Controller/Adminhtml/Notification/MarkAsRead.php

@@ -36,4 +36,12 @@ public function execute()
         }
         $this->_redirect('adminhtml/*/');
     }
+
+    /**
+     * @return bool
+     */
+    protected function _isAllowed()
+    {
+        return $this->_authorization->isAllowed('Magento_AdminNotification::mark_as_read');
+    }
 }

app/code/Magento/AdminNotification/Controller/Adminhtml/Notification/MassMarkAsRead.php

@@ -38,4 +38,12 @@ public function execute()
         }
         $this->_redirect('adminhtml/*/');
     }
+
+    /**
+     * @return bool
+     */
+    protected function _isAllowed()
+    {
+        return $this->_authorization->isAllowed('Magento_AdminNotification::mark_as_read');
+    }
 }

app/code/Magento/AdminNotification/Controller/Adminhtml/Notification/MassRemove.php

@@ -33,4 +33,12 @@ public function execute()
         }
         $this->getResponse()->setRedirect($this->_redirect->getRedirectUrl($this->getUrl('*')));
     }
+
+    /**
+     * @return bool
+     */
+    protected function _isAllowed()
+    {
+        return $this->_authorization->isAllowed('Magento_AdminNotification::adminnotification_remove');
+    }
 }

app/code/Magento/AdminNotification/Controller/Adminhtml/Notification/Remove.php

@@ -35,4 +35,12 @@ public function execute()
         }
         $this->_redirect('adminhtml/*/');
     }
+
+    /**
+     * @return bool
+     */
+    protected function _isAllowed()
+    {
+        return $this->_authorization->isAllowed('Magento_AdminNotification::adminnotification_remove');
+    }
 }

app/code/Magento/Backend/etc/adminhtml/di.xml

@@ -122,4 +122,9 @@
             </argument>
         </arguments>
     </type>
+    <type name="Magento\Framework\App\Response\XFrameOptPlugin">
+        <arguments>
+            <argument name="xFrameOpt" xsi:type="const">Magento\Framework\App\Response\XFrameOptPlugin::BACKEND_X_FRAME_OPT</argument>
+        </arguments>
+    </type>
 </config>

app/code/Magento/Sales/Controller/Adminhtml/Order.php

@@ -124,47 +124,10 @@ protected function _initOrder()
     }
 
     /**
-     * Acl check for admin
-     *
      * @return bool
-     * @SuppressWarnings(PHPMD.CyclomaticComplexity)
      */
     protected function _isAllowed()
     {
-        $action = strtolower($this->getRequest()->getActionName());
-        switch ($action) {
-            case 'hold':
-                $aclResource = 'Magento_Sales::hold';
-                break;
-            case 'unhold':
-                $aclResource = 'Magento_Sales::unhold';
-                break;
-            case 'email':
-                $aclResource = 'Magento_Sales::email';
-                break;
-            case 'cancel':
-                $aclResource = 'Magento_Sales::cancel';
-                break;
-            case 'view':
-                $aclResource = 'Magento_Sales::actions_view';
-                break;
-            case 'addcomment':
-                $aclResource = 'Magento_Sales::comment';
-                break;
-            case 'creditmemos':
-                $aclResource = 'Magento_Sales::creditmemo';
-                break;
-            case 'reviewpayment':
-                $aclResource = 'Magento_Sales::review_payment';
-                break;
-            case 'address':
-            case 'addresssave':
-                $aclResource = 'Magento_Sales::actions_edit';
-                break;
-            default:
-                $aclResource = 'Magento_Sales::sales_order';
-                break;
-        }
-        return $this->_authorization->isAllowed($aclResource);
+        return $this->_authorization->isAllowed('Magento_Sales::sales_order');
     }
 }

app/code/Magento/Sales/Controller/Adminhtml/Order/AddComment.php

@@ -57,4 +57,12 @@ public function execute()
         }
         return $this->resultRedirectFactory->create()->setPath('sales/*/');
     }
+
+    /**
+     * @return bool
+     */
+    protected function _isAllowed()
+    {
+        return $this->_authorization->isAllowed('Magento_Sales::comment');
+    }
 }

app/code/Magento/Sales/Controller/Adminhtml/Order/Address.php

@@ -31,4 +31,12 @@ public function execute()
             return $this->resultRedirectFactory->create()->setPath('sales/*/');
         }
     }
+
+    /**
+     * @return bool
+     */
+    protected function _isAllowed()
+    {
+        return $this->_authorization->isAllowed('Magento_Sales::actions_edit');
+    }
 }