MAGETWO-99591: Restricted admin cannot edit reviews from pending reviews grid

Author: Mastiuhin Olexandr

app/code/Magento/Review/Block/Adminhtml/Edit.php

@@ -186,7 +186,7 @@ protected function _construct()
                 ) . '\', ' . '\'' . $this->getUrl(
                     '*/*/delete',
                     [$this->_objectId => $this->getRequest()->getParam($this->_objectId), 'ret' => 'pending']
-                ) . '\'' . ')'
+                ) . '\', {data: {}})'
             );
             $this->_coreRegistry->register('ret', 'pending');
         }

app/code/Magento/Review/Controller/Adminhtml/Product.php

@@ -16,6 +16,11 @@
  */
 abstract class Product extends Action
 {
+    /**
+     * Authorization resource
+     */
+    public const ADMIN_RESOURCE = 'Magento_Review::reviews_all';
+
     /**
      * Array of actions which can be processed without secret key validation
      *
@@ -61,12 +66,4 @@ public function __construct(
         $this->ratingFactory = $ratingFactory;
         parent::__construct($context);
     }
-
-    /**
-     * @inheritdoc
-     */
-    protected function _isAllowed()
-    {
-        return $this->_authorization->isAllowed('Magento_Review::reviews_all');
-    }
 }

app/code/Magento/Review/Controller/Adminhtml/Product/Delete.php

@@ -9,12 +9,11 @@
 use Magento\Review\Controller\Adminhtml\Product as ProductController;
 use Magento\Framework\Controller\ResultFactory;
 use Magento\Review\Model\Review;
-use Magento\Framework\App\Action\HttpGetActionInterface;
 
 /**
  * Delete action.
  */
-class Delete extends ProductController implements HttpGetActionInterface, HttpPostActionInterface
+class Delete extends ProductController implements HttpPostActionInterface
 {
     /**
      * @var Review
@@ -55,7 +54,7 @@ public function execute()
      */
     protected function _isAllowed()
     {
-        if ($this->_authorization->isAllowed('Magento_Review::reviews_all')) {
+        if (parent::_isAllowed()) {
             return true;
         }
 
@@ -81,7 +80,7 @@ protected function _isAllowed()
      */
     private function getModel(): Review
     {
-        if (!$this->model) {
+        if ($this->model === null) {
             $this->model = $this->reviewFactory->create()
                 ->load($this->getRequest()->getParam('id', false));
         }

app/code/Magento/Review/Controller/Adminhtml/Product/Edit.php

@@ -41,7 +41,7 @@ public function execute()
      */
     protected function _isAllowed()
     {
-        if ($this->_authorization->isAllowed('Magento_Review::reviews_all')) {
+        if (parent::_isAllowed()) {
             return true;
         }
 
@@ -67,7 +67,7 @@ protected function _isAllowed()
      */
     private function getModel(): Review
     {
-        if (!$this->review) {
+        if ($this->review === null) {
             $this->review = $this->reviewFactory->create()
                 ->load($this->getRequest()->getParam('id', false));
         }

app/code/Magento/Review/Controller/Adminhtml/Product/MassDelete.php

@@ -85,7 +85,7 @@ public function execute()
      */
     protected function _isAllowed()
     {
-        if ($this->_authorization->isAllowed('Magento_Review::reviews_all')) {
+        if (parent::_isAllowed()) {
             return true;
         }
 
@@ -116,7 +116,7 @@ protected function _isAllowed()
      */
     private function getCollection(): Collection
     {
-        if (!$this->collection) {
+        if ($this->collection === null) {
             $collection = $this->collectionFactory->create();
             $collection->addFieldToFilter(
                 'main_table.' . $collection->getResource()

app/code/Magento/Review/Controller/Adminhtml/Product/MassUpdateStatus.php

@@ -89,20 +89,20 @@ public function execute()
      */
     protected function _isAllowed()
     {
-        if (!$this->_authorization->isAllowed('Magento_Review::pending')) {
-            return false;
+        if (parent::_isAllowed()) {
+            return true;
         }
 
-        if ($this->_authorization->isAllowed('Magento_Review::reviews_all')) {
-            return true;
+        if (!$this->_authorization->isAllowed('Magento_Review::pending')) {
+            return false;
         }
 
         foreach ($this->getCollection() as $model) {
             if ($model->getStatusId() != Review::STATUS_PENDING) {
                 $this->messageManager->addErrorMessage(
                     __(
-                        'Sorry, You have not permission to do this.'
-                        . ' One or more of the reviews are not in Pending Status.'
+                        'Sorry, You have not permission to do this. '
+                        . 'One or more of the reviews are not in Pending Status.'
                     )
                 );
 
@@ -120,7 +120,7 @@ protected function _isAllowed()
      */
     private function getCollection(): Collection
     {
-        if (!$this->collection) {
+        if ($this->collection === null) {
             $collection = $this->collectionFactory->create();
             $collection->addFieldToFilter(
                 'main_table.' . $collection->getResource()

app/code/Magento/Review/Controller/Adminhtml/Product/Pending.php

@@ -8,11 +8,12 @@
 use Magento\Review\Controller\Adminhtml\Product as ProductController;
 use Magento\Framework\Controller\ResultFactory;
 use Magento\Framework\App\Action\HttpGetActionInterface;
+use Magento\Framework\App\Action\HttpPostActionInterface;
 
 /**
  * Pending reviews grid.
  */
-class Pending extends ProductController implements HttpGetActionInterface
+class Pending extends ProductController implements HttpGetActionInterface, HttpPostActionInterface
 {
     /**
      * Execute action.

app/code/Magento/Review/Controller/Adminhtml/Product/ReviewGrid.php

@@ -14,11 +14,12 @@
 use Magento\Framework\Controller\ResultFactory;
 use Magento\Framework\App\Request\Http;
 use Magento\Framework\App\Action\HttpGetActionInterface;
+use Magento\Framework\App\Action\HttpPostActionInterface;
 
 /**
  * Review grid.
  */
-class ReviewGrid extends ProductController implements HttpGetActionInterface
+class ReviewGrid extends ProductController implements HttpGetActionInterface, HttpPostActionInterface
 {
     /**
      * @var \Magento\Framework\View\LayoutFactory

app/code/Magento/Review/Controller/Adminhtml/Product/Save.php

@@ -105,12 +105,12 @@ public function execute()
      */
     protected function _isAllowed()
     {
-        if (!$this->_authorization->isAllowed('Magento_Review::pending')) {
-            return  false;
+        if (parent::_isAllowed()) {
+            return true;
         }
 
-        if ($this->_authorization->isAllowed('Magento_Review::reviews_all')) {
-            return true;
+        if (!$this->_authorization->isAllowed('Magento_Review::pending')) {
+            return  false;
         }
 
         if ($this->getModel()->getStatusId() != Review::STATUS_PENDING) {

dev/tests/integration/testsuite/Magento/Review/Controller/Adminhtml/Product/EditTest.php

@@ -42,7 +42,7 @@ class EditTest extends AbstractBackendController
     private $collectionFactory;
 
     /**
-     * @inheritDoc
+     * @inheritdoc
      */
     protected function setUp()
     {
@@ -84,7 +84,7 @@ public function testAclNoAccess(): void
     {
         // Exclude resource from ACL.
         $this->resource = ['Magento_Review::reviews_all', 'Magento_Review::pending'];
-        $this->uri = 'backend/review/product/edit/id/' . 'doesnt matter';
+        $this->uri = 'backend/review/product/edit/id/' . 'doesn\'t matter';
 
         parent::testAclNoAccess();
     }