MAGETWO-36063: Update REST and SOAP controllers to filter out attributes based on ACL

Bryant Luk · Bryant Luk · commit 665ca1fc179f · 2015-04-27T17:27:28.000-05:00
- Use specific DataObjectProcessor when serializing the response. This is to
  isolate the times whenever we write out a data array in the system. Only
  do permission checks on the serialization of the outbound response.
diff --git a/app/code/Magento/Webapi/etc/webapi_rest/di.xml b/app/code/Magento/Webapi/etc/webapi_rest/di.xml
@@ -71,4 +71,25 @@
     <type name="Magento\Framework\Authorization">
         <plugin name="guestAuthorization" type="Magento\Webapi\Model\Plugin\GuestAuthorization" />
     </type>
+
+    <!-- Configuration to check that the permissions are checked on fields -->
+    <virtualType name="Magento\Framework\Reflection\ExtensionAttributesProcessorPermissionChecked" type="Magento\Framework\Reflection\ExtensionAttributesProcessor">
+        <arguments>
+            <argument name="isPermissionChecked" xsi:type="boolean">true</argument>
+            <argument name="dataObjectProcessor" xsi:type="object">Magento\Framework\Reflection\DataObjectProcessor\Proxy</argument>
+        </arguments>
+    </virtualType>
+    <virtualType name="Magento\Framework\Reflection\DataObjectProcessorPermissionChecked" type="Magento\Framework\Reflection\DataObjectProcessor">
+        <arguments>
+            <argument name="extensionAttributesProcessor" xsi:type="object">Magento\Framework\Reflection\ExtensionAttributesProcessorPermissionChecked</argument>
+            <argument name="customAttributesProcessor" xsi:type="object">Magento\Framework\Reflection\CustomAttributesProcessor\Proxy</argument>
+        </arguments>
+    </virtualType>
+
+    <type name="Magento\Framework\Webapi\ServiceOutputProcessor">
+        <arguments>
+            <argument name="dataObjectProcessor" xsi:type="object">Magento\Framework\Reflection\DataObjectProcessorPermissionChecked</argument>
+        </arguments>
+    </type>
+    <!-- End of configuration to check that permissions are checked on fields -->
 </config>
diff --git a/app/code/Magento/Webapi/etc/webapi_soap/di.xml b/app/code/Magento/Webapi/etc/webapi_soap/di.xml
@@ -39,4 +39,26 @@
     <type name="Magento\Framework\Authorization">
         <plugin name="guestAuthorization" type="Magento\Webapi\Model\Plugin\GuestAuthorization" />
     </type>
+
+    <!-- Configuration to check that the permissions are checked on fields -->
+    <virtualType name="Magento\Framework\Reflection\ExtensionAttributesProcessorPermissionChecked" type="Magento\Framework\Reflection\ExtensionAttributesProcessor">
+        <arguments>
+            <argument name="isPermissionChecked" xsi:type="boolean">true</argument>
+            <argument name="dataObjectProcessor" xsi:type="object">Magento\Framework\Reflection\DataObjectProcessor\Proxy</argument>
+        </arguments>
+    </virtualType>
+    <virtualType name="Magento\Framework\Reflection\DataObjectProcessorPermissionChecked" type="Magento\Framework\Reflection\DataObjectProcessor">
+        <arguments>
+            <argument name="extensionAttributesProcessor" xsi:type="object">Magento\Framework\Reflection\ExtensionAttributesProcessorPermissionChecked</argument>
+            <argument name="customAttributesProcessor" xsi:type="object">Magento\Framework\Reflection\CustomAttributesProcessor\Proxy</argument>
+        </arguments>
+    </virtualType>
+
+    <type name="Magento\Webapi\Controller\Soap\Request\Handler">
+        <arguments>
+            <argument name="dataObjectProcessor" xsi:type="object">Magento\Framework\Reflection\DataObjectProcessorPermissionChecked</argument>
+        </arguments>
+    </type>
+    <!-- End of configuration to check that permissions are checked on fields -->
+
 </config>
