ACP2E-277: treat missing rules from authorization_rule table as deny permission rules.

Author: alzota

app/code/Magento/Authorization/Model/Acl/Loader/Rule.php

@@ -80,12 +80,17 @@ public function __construct(
      */
     public function populateAcl(\Magento\Framework\Acl $acl)
     {
+        $foundResources = [];
+        $foundRoles = [];
+
         foreach ($this->getRulesArray() as $rule) {
             $role = $rule['role_id'];
             $resource = $rule['resource_id'];
             $privileges = !empty($rule['privileges']) ? explode(',', $rule['privileges']) : null;
 
             if ($acl->has($resource)) {
+                $foundResources[$resource] = $resource;
+                $foundRoles[$role] = $role;
                 if ($rule['permission'] == 'allow') {
                     if ($resource === $this->_rootResource->getId()) {
                         $acl->allow($role, null, $privileges);
@@ -96,6 +101,19 @@ public function populateAcl(\Magento\Framework\Acl $acl)
                 }
             }
         }
+
+        /**
+         * for all rules that were not regenerated in authorization_rule table,
+         * when adding a new module and without re-saving all roles,7
+         * consider not present rules with deny permissions
+         * */
+        foreach ($acl->getResources() as $resource) {
+            if (!isset($foundResources[$resource])) {
+                foreach ($foundRoles as $role) {
+                    $acl->deny($role, $resource, null);
+                }
+            }
+        }
     }
 
     /**