MAGETWO-37228: abstract _isAllowed must perform authorization

Author: Dale Sikkema

app/code/Magento/Backend/App/AbstractAction.php

@@ -22,6 +22,11 @@ abstract class AbstractAction extends \Magento\Framework\App\Action\Action
      */
     const SESSION_NAMESPACE = 'adminhtml';
 
+    /**
+     * Authorization level of a basic admin session
+     */
+    const ADMIN_RESOURCE = 'Magento_Backend::admin';
+
     /**
      * Array of actions which can be processed without secret key validation
      *
@@ -76,10 +81,17 @@ abstract class AbstractAction extends \Magento\Framework\App\Action\Action
      */
     protected $_formKeyValidator;
 
+    /**
+     * Resource used to authorize access to the controller
+     *
+     * @var string
+     */
+    protected $resource;
+
     /**
      * @param \Magento\Backend\App\Action\Context $context
      */
-    public function __construct(Action\Context $context)
+    public function __construct(Action\Context $context, $resource = '')
     {
         parent::__construct($context);
         $this->_authorization = $context->getAuthorization();
@@ -97,7 +109,7 @@ public function __construct(Action\Context $context)
      */
     protected function _isAllowed()
     {
-        return true;
+        return $this->_authorization->isAllowed($this->resource ?: self::ADMIN_RESOURCE);
     }
 
     /**