MAGETWO-50611: [Github][Security] WebAPIs allow anonymous access

Hayder Sharhan · Hayder Sharhan · commit ad35c5076c0c · 2016-03-22T15:38:49.000-05:00
- Changed the way di argument is structured.
- Changed the acl node for some services.
- Revised README
diff --git a/app/code/Magento/Catalog/etc/webapi.xml b/app/code/Magento/Catalog/etc/webapi.xml
@@ -97,19 +97,19 @@
     <route url="/V1/products/types" method="GET">
         <service class="Magento\Catalog\Api\ProductTypeListInterface" method="getProductTypes"/>
         <resources>
-            <resource ref="Magento_Catalog::attributes_attributes"/>
+            <resource ref="Magento_Catalog::products"/>
         </resources>
     </route>
     <route url="/V1/products/attribute-sets/sets/list" method="GET">
         <service class="Magento\Catalog\Api\AttributeSetRepositoryInterface" method="getList"/>
         <resources>
-            <resource ref="Magento_Catalog::attributes_attributes"/>
+            <resource ref="Magento_Catalog::sets"/>
         </resources>
     </route>
     <route url="/V1/products/attribute-sets/:attributeSetId" method="GET">
         <service class="Magento\Catalog\Api\AttributeSetRepositoryInterface" method="get"/>
         <resources>
-            <resource ref="Magento_Catalog::attributes_attributes"/>
+            <resource ref="Magento_Catalog::sets"/>
         </resources>
     </route>
     <route url="/V1/products/attribute-sets/:attributeSetId" method="DELETE">
@@ -175,7 +175,7 @@
     <route url="/V1/products/attributes/:attributeCode/options" method="GET">
         <service class="Magento\Catalog\Api\ProductAttributeOptionManagementInterface" method="getItems"/>
         <resources>
-            <resource ref="Magento_Catalog::sets" />
+            <resource ref="Magento_Catalog::attributes_attributes" />
         </resources>
     </route>
     <route url="/V1/products/attributes/:attributeCode/options" method="POST">
@@ -199,7 +199,7 @@
     <route url="/V1/products/:sku/media/:entryId" method="GET">
         <service class="Magento\Catalog\Api\ProductAttributeMediaGalleryManagementInterface" method="get"/>
         <resources>
-            <resource ref="Magento_Catalog::catalog"/>
+            <resource ref="Magento_Catalog::attributes_attributes"/>
         </resources>
     </route>
     <route url="/V1/products/:sku/media" method="POST">
diff --git a/app/code/Magento/WebapiSecurity/Model/Plugin/AnonymousResourceSecurity.php b/app/code/Magento/WebapiSecurity/Model/Plugin/AnonymousResourceSecurity.php
@@ -51,7 +51,8 @@ public function afterConvert(Converter $subject, $nodes)
         }
         $useInsecure = $this->config->getValue(self::XML_ALLOW_INSECURE);
         if ($useInsecure) {
-            foreach ($this->resources as $route => $requestType) {
+            foreach (array_keys($this->resources) as $resource) {
+                list($route, $requestType) = explode("::", $resource);
                 if ($result = $this->getNode($route, $requestType, $nodes["routes"])) {
                     if (isset($result[$requestType]['resources'])) {
                         $result[$requestType]['resources'] = ['anonymous' => true];
diff --git a/app/code/Magento/WebapiSecurity/README.md b/app/code/Magento/WebapiSecurity/README.md
@@ -2,5 +2,5 @@
 
 **WebapiSecurity** enables access management of some Web API resources.
 If checkbox is enabled in backend through: Stores -> Configuration -> Services -> Magento Web API -> Web Api Security
-then the security of all of the services outlined in app/code/Magento/WebapiSecurity/etc/di.xml would be loosened. You may modify these services to customize.
+then the security of all of the services outlined in app/code/Magento/WebapiSecurity/etc/di.xml would be loosened. You may modify this list to customize which services should follow this behavior.
 By loosening the security, these services would allow access anonymously (by anyone).
diff --git a/app/code/Magento/WebapiSecurity/etc/di.xml b/app/code/Magento/WebapiSecurity/etc/di.xml
@@ -16,37 +16,37 @@
     <type name="Magento\WebapiSecurity\Model\Plugin\AnonymousResourceSecurity">
         <arguments>
             <argument name="resources" xsi:type="array">
-                <item name="/V1/products" xsi:type="string">GET</item>
-                <item name="/V1/products/:sku" xsi:type="string">GET</item>
-                <item name="/V1/products/attributes/:attributeCode" xsi:type="string">GET</item>
-                <item name="/V1/products/types" xsi:type="string">GET</item>
-                <item name="/V1/products/attribute-sets/sets/list" xsi:type="string">GET</item>
-                <item name="/V1/products/attribute-sets/:attributeSetId" xsi:type="string">GET</item>
-                <item name="/V1/products/attribute-sets/:attributeSetId/attributes" xsi:type="string">GET</item>
-                <item name="/V1/products/attribute-sets/groups/list" xsi:type="string">GET</item>
-                <item name="/V1/products/attributes/:attributeCode/options" xsi:type="string">GET</item>
-                <item name="/V1/products/media/types/:attributeSetName" xsi:type="string">GET</item>
-                <item name="/V1/products/:sku/media/:entryId" xsi:type="string">GET</item>
-                <item name="/V1/products/:sku/media" xsi:type="string">GET</item>
-                <item name="/V1/products/:sku/group-prices/:customerGroupId/tiers" xsi:type="string">GET</item>
-                <item name="/V1/categories/:categoryId" xsi:type="string">GET</item>
-                <item name="/V1/categories" xsi:type="string">GET</item>
-                <item name="/V1/products/:sku/options" xsi:type="string">GET</item>
-                <item name="/V1/products/:sku/options/:optionId" xsi:type="string">GET</item>
-                <item name="/V1/products/links/types" xsi:type="string">GET</item>
-                <item name="/V1/products/links/:type/attributes" xsi:type="string">GET</item>
-                <item name="/V1/products/:sku/links/:type" xsi:type="string">GET</item>
-                <item name="/V1/categories/:categoryId/products" xsi:type="string">GET</item>
-                <item name="/V1/stockStatuses/:productSku" xsi:type="string">GET</item>
-                <item name="/V1/configurable-products/:sku/children" xsi:type="string">GET</item>
-                <item name="/V1/configurable-products/:sku/options/:id" xsi:type="string">GET</item>
-                <item name="/V1/configurable-products/:sku/options/all" xsi:type="string">GET</item>
-                <item name="/V1/cmsPage/:pageId" xsi:type="string">GET</item>
-                <item name="/V1/cmsBlock/:blockId" xsi:type="string">GET</item>
-                <item name="/V1/store/storeViews" xsi:type="string">GET</item>
-                <item name="/V1/store/storeGroups" xsi:type="string">GET</item>
-                <item name="/V1/store/websites" xsi:type="string">GET</item>
-                <item name="/V1/store/storeConfigs" xsi:type="string">GET</item>
+                <item name="/V1/products::GET" xsi:type="string"/>
+                <item name="/V1/products/:sku::GET" xsi:type="string"/>
+                <item name="/V1/products/attributes/:attributeCode::GET" xsi:type="string"/>
+                <item name="/V1/products/types::GET" xsi:type="string"/>
+                <item name="/V1/products/attribute-sets/sets/list::GET" xsi:type="string"/>
+                <item name="/V1/products/attribute-sets/:attributeSetId::GET" xsi:type="string"/>
+                <item name="/V1/products/attribute-sets/:attributeSetId/attributes::GET" xsi:type="string"/>
+                <item name="/V1/products/attribute-sets/groups/list::GET" xsi:type="string"/>
+                <item name="/V1/products/attributes/:attributeCode/options::GET" xsi:type="string"/>
+                <item name="/V1/products/media/types/:attributeSetName::GET" xsi:type="string"/>
+                <item name="/V1/products/:sku/media/:entryId::GET" xsi:type="string"/>
+                <item name="/V1/products/:sku/media::GET" xsi:type="string"/>
+                <item name="/V1/products/:sku/group-prices/:customerGroupId/tiers::GET" xsi:type="string"/>
+                <item name="/V1/categories/:categoryId::GET" xsi:type="string"/>
+                <item name="/V1/categories::GET" xsi:type="string"/>
+                <item name="/V1/products/:sku/options::GET" xsi:type="string"/>
+                <item name="/V1/products/:sku/options/:optionId::GET" xsi:type="string"/>
+                <item name="/V1/products/links/types::GET" xsi:type="string"/>
+                <item name="/V1/products/links/:type/attributes::GET" xsi:type="string"/>
+                <item name="/V1/products/:sku/links/:type::GET" xsi:type="string"/>
+                <item name="/V1/categories/:categoryId/products::GET" xsi:type="string"/>
+                <item name="/V1/stockStatuses/:productSku::GET" xsi:type="string"/>
+                <item name="/V1/configurable-products/:sku/children::GET" xsi:type="string"/>
+                <item name="/V1/configurable-products/:sku/options/:id::GET" xsi:type="string"/>
+                <item name="/V1/configurable-products/:sku/options/all::GET" xsi:type="string"/>
+                <item name="/V1/cmsPage/:pageId::GET" xsi:type="string"/>
+                <item name="/V1/cmsBlock/:blockId::GET" xsi:type="string"/>
+                <item name="/V1/store/storeViews::GET" xsi:type="string"/>
+                <item name="/V1/store/storeGroups::GET" xsi:type="string"/>
+                <item name="/V1/store/websites::GET" xsi:type="string"/>
+                <item name="/V1/store/storeConfigs::GET" xsi:type="string"/>
             </argument>
         </arguments>
     </type>
