MAGETWO-55849: Customer can be deleted without Merchant permissions verification

Author: RuslanKostiv1

app/code/Magento/User/Block/User/Edit.php

@@ -77,6 +77,12 @@ protected function _construct()
     }
 
     /**
+     * Returns message that is displayed for admin when he deleted user from the system.
+     * To see this message admin must do the following:
+     * - open user for edition;
+     * - fill current password in section "Current User Identity Verification";
+     * - click "Delete User" at top left part of the page;
+     *
      * @return \Magento\Framework\Phrase
      */
     public function getDeleteMessage()
@@ -85,7 +91,9 @@ public function getDeleteMessage()
     }
 
     /**
-     * Returns user deletion url
+     * Returns url that for user deletion.
+     * The following action is executed if admin navigates to this url
+     * Magento\User\Controller\Adminhtml\User\Delete::execute
      *
      * @return string
      */
@@ -95,6 +103,9 @@ public function getDeleteUrl()
     }
 
     /**
+     * Method is used to get id of user that admin edits.
+     * It can be used to determine either admin opens page for creation or edition of already created user
+     *
      * @return int
      */
     public function getObjectId()

app/code/Magento/User/view/adminhtml/templates/user/roles_grid_js.phtml

@@ -76,9 +76,9 @@ require([
     {
         "[data-role=delete-user]" : {
             "deleteUserAccount" : {
-                "message": "<?php /* @escapeNotVerified */ echo $editBlock->getDeleteMessage(); ?>",
-                "url": "<?php /* @escapeNotVerified */ echo $editBlock->getDeleteUrl(); ?>",
-                "objId": "<?php /* @escapeNotVerified */ echo $editBlock->getObjectId(); ?>"
+                "message": "<?php echo $editBlock->escapeHtml($editBlock->getDeleteMessage()) ?>",
+                "url": "<?php /* @noEscape */ echo $editBlock->getDeleteUrl(); ?>",
+                "objId": "<?php echo $editBlock->escapeHtml($editBlock->getObjectId()) ?>"
             }
         }
     }