MAGETWO-71119: Failure to check admin permissions leads to information disclosure

OlgaVasyltsun · OlgaVasyltsun · commit a47adae63fef · 2018-03-16T15:28:35.000+02:00
diff --git a/app/code/Magento/Ui/Controller/Adminhtml/Export/GridToCsv.php b/app/code/Magento/Ui/Controller/Adminhtml/Export/GridToCsv.php
@@ -9,6 +9,9 @@
 use Magento\Backend\App\Action\Context;
 use Magento\Ui\Model\Export\ConvertToCsv;
 use Magento\Framework\App\Response\Http\FileFactory;
+use Magento\Framework\App\ObjectManager;
+use Magento\Ui\Component\MassAction\Filter;
+use Psr\Log\LoggerInterface;
 
 /**
  * Class Render
@@ -25,19 +28,35 @@ class GridToCsv extends Action
      */
     protected $fileFactory;
 
+    /**
+     * @var Filter
+     */
+    private $filter;
+
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
     /**
      * @param Context $context
      * @param ConvertToCsv $converter
      * @param FileFactory $fileFactory
+     * @param Filter|null $filter
+     * @param LoggerInterface|null $logger
      */
     public function __construct(
         Context $context,
         ConvertToCsv $converter,
-        FileFactory $fileFactory
+        FileFactory $fileFactory,
+        Filter $filter = null,
+        LoggerInterface $logger = null
     ) {
         parent::__construct($context);
         $this->converter = $converter;
         $this->fileFactory = $fileFactory;
+        $this->filter = $filter ?: ObjectManager::getInstance()->get(Filter::class);
+        $this->logger = $logger ?: ObjectManager::getInstance()->get(LoggerInterface::class);
     }
 
     /**
@@ -50,4 +69,33 @@ public function execute()
     {
         return $this->fileFactory->create('export.csv', $this->converter->getCsvFile(), 'var');
     }
+
+    /**
+     * Checking if the user has access to requested component.
+     *
+     * @inheritDoc
+     */
+    protected function _isAllowed()
+    {
+        if ($this->_request->getParam('namespace')) {
+            try {
+                $component = $this->filter->getComponent();
+                $dataProviderConfig = $component->getContext()
+                    ->getDataProvider()
+                    ->getConfigData();
+                if (isset($dataProviderConfig['aclResource'])) {
+
+                    return $this->_authorization->isAllowed(
+                        $dataProviderConfig['aclResource']
+                    );
+                }
+            } catch (\Throwable $exception) {
+                $this->logger->critical($exception);
+
+                return false;
+            }
+        }
+
+        return true;
+    }
 }
diff --git a/app/code/Magento/Ui/Controller/Adminhtml/Export/GridToXml.php b/app/code/Magento/Ui/Controller/Adminhtml/Export/GridToXml.php
@@ -9,6 +9,9 @@
 use Magento\Backend\App\Action\Context;
 use Magento\Ui\Model\Export\ConvertToXml;
 use Magento\Framework\App\Response\Http\FileFactory;
+use Magento\Framework\App\ObjectManager;
+use Magento\Ui\Component\MassAction\Filter;
+use Psr\Log\LoggerInterface;
 
 /**
  * Class Render
@@ -25,19 +28,35 @@ class GridToXml extends Action
      */
     protected $fileFactory;
 
+    /**
+     * @var Filter
+     */
+    private $filter;
+
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
     /**
      * @param Context $context
      * @param ConvertToXml $converter
      * @param FileFactory $fileFactory
+     * @param Filter|null $filter
+     * @param LoggerInterface|null $logger
      */
     public function __construct(
         Context $context,
         ConvertToXml $converter,
-        FileFactory $fileFactory
+        FileFactory $fileFactory,
+        Filter $filter = null,
+        LoggerInterface $logger = null
     ) {
         parent::__construct($context);
         $this->converter = $converter;
         $this->fileFactory = $fileFactory;
+        $this->filter = $filter ?: ObjectManager::getInstance()->get(Filter::class);
+        $this->logger = $logger ?: ObjectManager::getInstance()->get(LoggerInterface::class);
     }
 
     /**
@@ -50,4 +69,33 @@ public function execute()
     {
         return $this->fileFactory->create('export.xml', $this->converter->getXmlFile(), 'var');
     }
+
+    /**
+     * Checking if the user has access to requested component.
+     *
+     * @inheritDoc
+     */
+    protected function _isAllowed()
+    {
+        if ($this->_request->getParam('namespace')) {
+            try {
+                $component = $this->filter->getComponent();
+                $dataProviderConfig = $component->getContext()
+                    ->getDataProvider()
+                    ->getConfigData();
+                if (isset($dataProviderConfig['aclResource'])) {
+
+                    return $this->_authorization->isAllowed(
+                        $dataProviderConfig['aclResource']
+                    );
+                }
+            } catch (\Throwable $exception) {
+                $this->logger->critical($exception);
+
+                return false;
+            }
+        }
+
+        return true;
+    }
 }
