
Commit 69f7345

committed
MAGETWO-55849: Customer can be deleted without Merchant permissions verification
1 parent 87d63fc commit 69f7345


2 files changed

+15
-4
lines changed


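--- a/app/code/Magento/User/Block/User/Edit.php
+++ b/app/code/Magento/User/Block/User/Edit.php
@@ -77,6 +77,12 @@ protected function _construct()
 }
 
 /**
+* Returns message that is displayed for admin when he deleted user from the system.
+* To see this message admin must do the following:
+* - open user for edition;
+* - fill current password in section "Current User Identity Verification";
+* - click "Delete User" at top left part of the page;
+*
 * @return \Magento\Framework\Phrase
 */
 public function getDeleteMessage()
@@ -85,7 +91,9 @@ public function getDeleteMessage()
 }
 
 /**
-* Returns user deletion url
+* Returns url that for user deletion.
+* The following action is executed if admin navigates to this url
+* Magento\User\Controller\Adminhtml\User\Delete::execute
 *
 * @return string
 */
@@ -95,6 +103,9 @@ public function getDeleteUrl()
 }
 
 /**
+* Method is used to get id of user that admin edits.
+* It can be used to determine either admin opens page for creation or edition of already created user
+*
 * @return int
 */
 public function getObjectId()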
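Review bot: The new docblock on getDeleteUrl reads `* Returns url that for user deletion.`, which is ungrammatical, and the one on getDeleteMessage says `when he deleted user`; suggest `* Returns the URL that deletes the user currently being edited.` and `* Returns the message shown to the admin after a user has been deleted.`. The getObjectId docblock says the value tells a create page from an edit page but never says which value marks creation; if it is 0 or null for a new user, state that on the `@return` line (and widen it to `@return int|null` if null is possible). The bodies of all three methods lie outside these hunks, so the exact value cannot be confirmed here.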

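--- a/app/code/Magento/User/view/adminhtml/templates/user/roles_grid_js.phtml
+++ b/app/code/Magento/User/view/adminhtml/templates/user/roles_grid_js.phtml
@@ -76,9 +76,9 @@ require([
 {
 "[data-role=delete-user]" : {
 "deleteUserAccount" : {
-"message": "<?php /* @escapeNotVerified */ echo $editBlock->getDeleteMessage(); ?>",
-"url": "<?php /* @escapeNotVerified */ echo $editBlock->getDeleteUrl(); ?>",
-"objId": "<?php /* @escapeNotVerified */ echo $editBlock->getObjectId(); ?>"
+"message": "<?php echo $editBlock->escapeHtml($editBlock->getDeleteMessage()) ?>",
+"url": "<?php /* @noEscape */ echo $editBlock->getDeleteUrl(); ?>",
+"objId": "<?php echo $editBlock->escapeHtml($editBlock->getObjectId()) ?>"
 }
 }
 }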
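Review bot: escapeHtml() on the new `message` and `objId` lines is the wrong escaper for this context: the values land inside a JavaScript string literal in a script block (the enclosing `require([` call starts above the hunk), where HTML entities are not decoded, so a quote in the message is shown to the admin as `&quot;` while backslashes and line breaks pass through unescaped and can still terminate the literal. Escape for the JavaScript-string context instead, e.g. `"message": "<?php /* @noEscape */ echo $editBlock->escapeJs($editBlock->getDeleteMessage()) ?>",` where this Escaper provides escapeJs (older versions only offer escapeJsQuote), and emit the id as a number rather than an HTML-escaped string: `"objId": "<?php /* @noEscape */ echo (int) $editBlock->getObjectId() ?>"`. The `url` line marked `@noEscape` relies on getDeleteUrl() never containing a quote; that is plausible for a generated admin URL but deserves a short comment on the line saying so.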
