Merge branch '2.3.7-develop' into 2.3.7-develop-2.3-develop-sync-030121

# Conflicts:
#	app/code/Magento/Backend/Test/Unit/Model/Auth/SessionTest.php
#	app/code/Magento/Captcha/Test/Unit/Model/DefaultTest.php
#	app/code/Magento/Checkout/Test/Unit/Model/GuestPaymentInformationManagementTest.php
#	app/code/Magento/Checkout/Test/Unit/Model/PaymentInformationManagementTest.php
#	app/code/Magento/Cms/Test/Unit/Helper/Wysiwyg/ImagesTest.php
#	app/code/Magento/Cms/Test/Unit/Model/Wysiwyg/Images/StorageTest.php
#	app/code/Magento/Customer/Test/Unit/Controller/Account/LogoutTest.php
#	app/code/Magento/Customer/Test/Unit/Model/AccountManagementTest.php
#	app/code/Magento/Customer/Test/Unit/Model/FileProcessorTest.php
#	app/code/Magento/Customer/Test/Unit/Model/Metadata/Form/FileTest.php
#	app/code/Magento/Customer/Test/Unit/Model/Metadata/Form/ImageTest.php
#	app/code/Magento/ImportExport/Test/Unit/Controller/Adminhtml/Export/File/DownloadTest.php
#	app/code/Magento/ImportExport/Test/Unit/Helper/ReportTest.php
#	app/code/Magento/Persistent/Test/Unit/Model/SessionTest.php
#	app/code/Magento/SendFriend/Test/Unit/Model/SendFriendTest.php
#	app/code/Magento/Swatches/Test/Unit/Controller/Ajax/MediaTest.php
#	app/code/Magento/Theme/Test/Unit/Controller/Adminhtml/System/Design/Theme/DownloadCssTest.php
#	app/code/Magento/Theme/Test/Unit/Helper/StorageTest.php
#	app/code/Magento/Theme/Test/Unit/Model/Design/Backend/FileTest.php
#	app/code/Magento/Theme/Test/Unit/Model/Wysiwyg/StorageTest.php
#	app/code/Magento/Ui/Test/Unit/Component/Listing/Columns/ColumnTest.php
#	dev/tests/api-functional/testsuite/Magento/Customer/Api/CustomerRepositoryTest.php
#	dev/tests/api-functional/testsuite/Magento/GraphQl/Customer/GetCustomerTest.php
#	dev/tests/integration/testsuite/Magento/User/Model/UserTest.php
#	lib/internal/Magento/Framework/App/Test/Unit/StaticResourceTest.php
#	lib/internal/Magento/Framework/DB/Test/Unit/Adapter/Pdo/MysqlTest.php
#	lib/internal/Magento/Framework/Filesystem/Test/Unit/Driver/FileTest.php
#	lib/internal/Magento/Framework/Session/Test/Unit/ConfigTest.php
#	lib/internal/Magento/Framework/Stdlib/Test/Unit/Cookie/PhpCookieManagerTest.php

Author: dvoskoboinikov

app/code/Magento/Authorization/Model/CompositeUserContext.php

@@ -56,15 +56,15 @@ protected function add(UserContextInterface $userContext)
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritDoc
      */
     public function getUserId()
     {
         return $this->getUserContext() ? $this->getUserContext()->getUserId() : null;
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritDoc
      */
     public function getUserType()
     {
@@ -78,7 +78,7 @@ public function getUserType()
      */
     protected function getUserContext()
     {
-        if ($this->chosenUserContext === null) {
+        if (!$this->chosenUserContext) {
             /** @var UserContextInterface $userContext */
             foreach ($this->userContexts as $userContext) {
                 if ($userContext->getUserType() && $userContext->getUserId() !== null) {

app/code/Magento/Authorization/Model/ResourceModel/Role.php

@@ -119,6 +119,8 @@ protected function _afterDelete(\Magento\Framework\Model\AbstractModel $role)
 
         $connection->delete($this->_ruleTable, ['role_id = ?' => (int)$role->getId()]);
 
+        $this->_cache->clean(\Zend_Cache::CLEANING_MODE_MATCHING_TAG, [\Magento\Backend\Block\Menu::CACHE_TAGS]);
+
         return $this;
     }
 

app/code/Magento/Authorization/Model/Role.php

@@ -33,6 +33,11 @@ class Role extends \Magento\Framework\Model\AbstractModel
      */
     protected $_eventPrefix = 'authorization_roles';
 
+    /**
+     * @var string
+     */
+    protected $_cacheTag = 'user_assigned_role';
+
     /**
      * @param \Magento\Framework\Model\Context $context
      * @param \Magento\Framework\Registry $registry

app/code/Magento/Backend/App/AbstractAction.php

@@ -5,9 +5,12 @@
  */
 namespace Magento\Backend\App;
 
+use Magento\Framework\Encryption\Helper\Security;
+
 /**
  * Generic backend controller
  *
+ * phpcs:disable Magento2.Classes.AbstractApi
  * @api
  * @SuppressWarnings(PHPMD.NumberOfChildren)
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
@@ -101,6 +104,8 @@ public function __construct(Action\Context $context)
     }
 
     /**
+     * Checking if the user has access to requested component.
+     *
      * @return bool
      */
     protected function _isAllowed()
@@ -119,6 +124,8 @@ protected function _getSession()
     }
 
     /**
+     * Get message manager.
+     *
      * @return \Magento\Framework\Message\ManagerInterface
      */
     protected function getMessageManager()
@@ -146,6 +153,8 @@ protected function _setActiveMenu($itemId)
     }
 
     /**
+     * Prepare breadcrumbs.
+     *
      * @param string $label
      * @param string $title
      * @param string|null $link
@@ -158,6 +167,8 @@ protected function _addBreadcrumb($label, $title, $link = null)
     }
 
     /**
+     * Add content to specified block.
+     *
      * @param \Magento\Framework\View\Element\AbstractBlock $block
      * @return $this
      */
@@ -167,6 +178,8 @@ protected function _addContent(\Magento\Framework\View\Element\AbstractBlock $bl
     }
 
     /**
+     * Move block to left container.
+     *
      * @param \Magento\Framework\View\Element\AbstractBlock $block
      * @return $this
      */
@@ -176,6 +189,8 @@ protected function _addLeft(\Magento\Framework\View\Element\AbstractBlock $block
     }
 
     /**
+     * Add js to specified block.
+     *
      * @param \Magento\Framework\View\Element\AbstractBlock $block
      * @return $this
      */
@@ -200,6 +215,8 @@ private function _moveBlockToContainer(\Magento\Framework\View\Element\AbstractB
     }
 
     /**
+     * Dispatch request.
+     *
      * @param \Magento\Framework\App\RequestInterface $request
      * @return \Magento\Framework\App\ResponseInterface
      */
@@ -286,8 +303,7 @@ public function _processUrlKeys()
     }
 
     /**
-     * Set session locale,
-     * process force locale set through url params
+     * Set session locale, process force locale set through url params.
      *
      * @return $this
      */
@@ -309,8 +325,8 @@ protected function _processLocaleSettings()
      * Set redirect into response
      *
      * @TODO MAGETWO-28356: Refactor controller actions to new ResultInterface
-     * @param   string $path
-     * @param   array $arguments
+     * @param string $path
+     * @param array $arguments
      * @return \Magento\Framework\App\ResponseInterface
      */
     protected function _redirect($path, $arguments = [])
@@ -333,7 +349,7 @@ protected function _redirect($path, $arguments = [])
     protected function _forward($action, $controller = null, $module = null, array $params = null)
     {
         $this->_getSession()->setIsUrlNotice($this->_actionFlag->get('', self::FLAG_IS_URLS_CHECKED));
-        return parent::_forward($action, $controller, $module, $params);
+        parent::_forward($action, $controller, $module, $params);
     }
 
     /**
@@ -360,7 +376,7 @@ protected function _validateSecretKey()
         }
 
         $secretKey = $this->getRequest()->getParam(\Magento\Backend\Model\UrlInterface::SECRET_KEY_PARAM_NAME, null);
-        if (!$secretKey || $secretKey != $this->_backendUrl->getSecretKey()) {
+        if (!$secretKey || !Security::compareStrings($secretKey, $this->_backendUrl->getSecretKey())) {
             return false;
         }
         return true;

app/code/Magento/Backend/Block/Widget.php

@@ -91,7 +91,7 @@ public function getButtonHtml($label, $onclick, $class = '', $buttonId = null, $
             \Magento\Backend\Block\Widget\Button::class
         )->setData(
             [
-                'label' => $this->escapeHtml($label),
+                'label' => $label,
                 'onclick' => $onclick,
                 'class' => $class,
                 'type' => 'button',

app/code/Magento/Backend/Controller/Adminhtml/System/Account/Save.php

@@ -5,35 +5,37 @@
  */
 namespace Magento\Backend\Controller\Adminhtml\System\Account;
 
+use Magento\Backend\App\Action\Context;
+use Magento\Framework\App\Action\HttpPostActionInterface;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Validator\Exception as ValidatorException;
-use Magento\Framework\Exception\AuthenticationException;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Controller\ResultFactory;
 use Magento\Framework\Exception\State\UserLockedException;
 use Magento\Security\Model\SecurityCookie;
 
 /**
+ * Saving an admin user info.
+ *
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
-class Save extends \Magento\Backend\Controller\Adminhtml\System\Account
+class Save extends \Magento\Backend\Controller\Adminhtml\System\Account implements HttpPostActionInterface
 {
     /**
      * @var SecurityCookie
      */
     private $securityCookie;
 
     /**
-     * Get security cookie
+     * Save controller constructor.
      *
-     * @return SecurityCookie
-     * @deprecated 100.1.0
+     * @param Context $context
+     * @param SecurityCookie|null $securityCookie
      */
-    private function getSecurityCookie()
+    public function __construct(Context $context, ?SecurityCookie $securityCookie = null)
     {
-        if (!($this->securityCookie instanceof SecurityCookie)) {
-            return \Magento\Framework\App\ObjectManager::getInstance()->get(SecurityCookie::class);
-        }
-        return $this->securityCookie;
+        parent::__construct($context);
+        $this->securityCookie = $securityCookie ?? ObjectManager::getInstance()->get(SecurityCookie::class);
     }
 
     /**
@@ -71,7 +73,7 @@ public function execute()
             $user->performIdentityCheck($currentUserPassword);
             if ($password !== '') {
                 $user->setPassword($password);
-                $user->setPasswordConfirmation($passwordConfirmation);
+                $user->setData('password_confirmation', $passwordConfirmation);
             }
             $errors = $user->validate();
             if ($errors !== true && !empty($errors)) {
@@ -85,7 +87,7 @@ public function execute()
             }
         } catch (UserLockedException $e) {
             $this->_auth->logout();
-            $this->getSecurityCookie()->setLogoutReasonCookie(
+            $this->securityCookie->setLogoutReasonCookie(
                 \Magento\Security\Model\AdminSessionsManager::LOGOUT_REASON_USER_LOCKED
             );
         } catch (ValidatorException $e) {

app/code/Magento/Backend/Model/Auth/Session.php

@@ -3,10 +3,14 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Backend\Model\Auth;
 
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Stdlib\Cookie\CookieMetadataFactory;
 use Magento\Framework\Stdlib\CookieManagerInterface;
+use Magento\Framework\Message\ManagerInterface;
 
 /**
  * Backend Auth session model
@@ -56,6 +60,11 @@ class Session extends \Magento\Framework\Session\SessionManager implements \Mage
      */
     protected $_config;
 
+    /**
+     * @var ManagerInterface
+     */
+    private $messageManager;
+
     /**
      * @param \Magento\Framework\App\Request\Http $request
      * @param \Magento\Framework\Session\SidResolverInterface $sidResolver
@@ -69,6 +78,7 @@ class Session extends \Magento\Framework\Session\SessionManager implements \Mage
      * @param \Magento\Framework\Acl\Builder $aclBuilder
      * @param \Magento\Backend\Model\UrlInterface $backendUrl
      * @param \Magento\Backend\App\ConfigInterface $config
+     * @param ManagerInterface $messageManager
      * @throws \Magento\Framework\Exception\SessionException
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
@@ -84,11 +94,13 @@ public function __construct(
         \Magento\Framework\App\State $appState,
         \Magento\Framework\Acl\Builder $aclBuilder,
         \Magento\Backend\Model\UrlInterface $backendUrl,
-        \Magento\Backend\App\ConfigInterface $config
+        \Magento\Backend\App\ConfigInterface $config,
+        ManagerInterface $messageManager = null
     ) {
         $this->_config = $config;
         $this->_aclBuilder = $aclBuilder;
         $this->_backendUrl = $backendUrl;
+        $this->messageManager = $messageManager ?? ObjectManager::getInstance()->get(ManagerInterface::class);
         parent::__construct(
             $request,
             $sidResolver,
@@ -171,6 +183,25 @@ public function isLoggedIn()
      */
     public function prolong()
     {
+        $sessionUser = $this->getUser();
+        $errorMessage = '';
+        if ($sessionUser !== null) {
+            if ((int)$sessionUser->getIsActive() !== 1) {
+                $errorMessage = 'The account sign-in was incorrect or your account is disabled temporarily. '
+                    . 'Please wait and try again later.';
+            }
+            if (!$sessionUser->hasAssigned2Role($sessionUser->getId())) {
+                $errorMessage = 'More permissions are needed to access this.';
+            }
+
+            if (!empty($errorMessage)) {
+                $this->destroy();
+                $this->messageManager->addErrorMessage(__($errorMessage));
+
+                return;
+            }
+        }
+
         $lifetime = $this->_config->getValue(self::XML_PATH_SESSION_LIFETIME);
         $cookieValue = $this->cookieManager->getCookie($this->getName());
 
@@ -181,7 +212,8 @@ public function prolong()
                 ->setPath($this->sessionConfig->getCookiePath())
                 ->setDomain($this->sessionConfig->getCookieDomain())
                 ->setSecure($this->sessionConfig->getCookieSecure())
-                ->setHttpOnly($this->sessionConfig->getCookieHttpOnly());
+                ->setHttpOnly($this->sessionConfig->getCookieHttpOnly())
+                ->setSameSite($this->sessionConfig->getCookieSameSite());
             $this->cookieManager->setPublicCookie($this->getName(), $cookieValue, $cookieMetadata);
         }
     }

app/code/Magento/Backend/Model/Session/AdminConfig.php

@@ -85,6 +85,7 @@ public function __construct(
         $this->setCookiePath($adminPath);
         $this->setName($sessionName);
         $this->setCookieSecure($this->_httpRequest->isSecure());
+        $this->setCookieSameSite('Lax');
     }
 
     /**
@@ -96,6 +97,7 @@ private function extractAdminPath()
     {
         $backendApp = $this->backendAppList->getCurrentApp();
         $cookiePath = null;
+        //phpcs:ignore
         $baseUrl = parse_url($this->backendUrlFactory->create()->getBaseUrl(), PHP_URL_PATH);
         if (!$backendApp) {
             $cookiePath = $baseUrl . $this->_frontNameResolver->getFrontName();