MAGETWO-55849: Customer can be deleted without Merchant permissions verification

Author: RuslanKostiv1

app/code/Magento/User/Block/User/Edit.php

@@ -58,12 +58,9 @@ protected function _construct()
                 [
                     'label' => __('Delete User'),
                     'class' => 'delete',
-                    'onclick' => sprintf(
-                        'deleteUserAccount("%s", "%s", %s)',
-                        __('Are you sure you want to do this?'),
-                        $this->getUrl('adminhtml/*/delete'),
-                        $objId
-                    ),
+                    'data_attribute' => [
+                        'role' => 'delete-user'
+                    ]
                 ]
             );
 
@@ -79,6 +76,32 @@ protected function _construct()
         }
     }
 
+    /**
+     * @return \Magento\Framework\Phrase
+     */
+    public function getDeleteMessage()
+    {
+        return __('Are you sure you want to do this?');
+    }
+
+    /**
+     * Returns user deletion url
+     *
+     * @return string
+     */
+    public function getDeleteUrl()
+    {
+        return $this->getUrl('adminhtml/*/delete');
+    }
+
+    /**
+     * @return int
+     */
+    public function getObjectId()
+    {
+        return (int)$this->getRequest()->getParam($this->_objectId);
+    }
+
     /**
      * @return \Magento\Framework\Phrase
      */

app/code/Magento/User/view/adminhtml/requirejs-config.js

@@ -6,7 +6,8 @@
 var config = {
     map: {
         '*': {
-            rolesTree: 'Magento_User/js/roles-tree'
+            rolesTree: 'Magento_User/js/roles-tree',
+            deleteUserAccount: 'Magento_User/js/delete-user-account'
         }
     } 
 };

app/code/Magento/User/view/adminhtml/templates/user/roles_grid_js.phtml

@@ -14,6 +14,7 @@ require([
 ], function(){
 
 <?php $myBlock = $block->getLayout()->getBlock('user.roles.grid'); ?>
+<?php $editBlock = $block->getLayout()->getBlock('adminhtml.user.edit'); ?>
 <?php if (is_object($myBlock) && $myBlock->getJsObjectName()): ?>
     var radioBoxes = $H({});
     var warning = false;
@@ -70,13 +71,15 @@ require([
 <?php endif; ?>
 
 });
-    function deleteUserAccount(message, url, objId) {
-        if (jQuery.validator.validateElement(jQuery('[name="current_password"]'))) {
-            postData = {'data' : {
-                'user_id': objId,
-                'current_password': jQuery('[name="current_password"]').val()
-            }}
-            deleteConfirm(message, url, postData);
+</script>
+<script type="text/x-magento-init">
+    {
+        "[data-role=delete-user]" : {
+            "deleteUserAccount" : {
+                "message": "<?php /* @escapeNotVerified */ echo $editBlock->getDeleteMessage(); ?>",
+                "url": "<?php /* @escapeNotVerified */ echo $editBlock->getDeleteUrl(); ?>",
+                "objId": "<?php /* @escapeNotVerified */ echo $editBlock->getObjectId(); ?>"
+            }
         }
     }
 </script>

app/code/Magento/User/view/adminhtml/web/js/delete-user-account.js

@@ -0,0 +1,17 @@
+define([
+    "jquery"
+], function($){
+
+    return function (params, elem) {
+
+        elem.on('click', function() {
+            if ($.validator.validateElement($('[name="current_password"]'))) {
+                postData = {'data' : {
+                    'user_id': params.objId,
+                    'current_password': $('[name="current_password"]').val()
+                }}
+                deleteConfirm(params.message, params.url, params.postData);
+            }
+        });
+    }
+});