Merge remote-tracking branch 'trigger/MAGETWO-95363' into 2.3.0-qwerty-bugs

cpartica · cpartica · commit b3a1a4528266 · 2018-10-18T19:04:59.000-05:00
diff --git a/app/code/Magento/Ui/Controller/Adminhtml/Index/Render/Handle.php b/app/code/Magento/Ui/Controller/Adminhtml/Index/Render/Handle.php
@@ -10,33 +10,88 @@
 use Magento\Ui\Component\Control\ActionPool;
 use Magento\Ui\Component\Wrapper\UiComponent;
 use Magento\Ui\Controller\Adminhtml\AbstractAction;
+use Magento\Backend\App\Action\Context;
+use Magento\Framework\View\Element\UiComponentFactory;
+use Magento\Framework\View\Element\UiComponent\ContextFactory;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * Class Handle
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class Handle extends AbstractAction implements HttpGetActionInterface
 {
+    /**
+     * @var ContextFactory
+     */
+    private $contextFactory;
+
+    /**
+     * @param Context $context
+     * @param UiComponentFactory $factory
+     * @param ContextFactory|null $contextFactory
+     */
+    public function __construct(
+        Context $context,
+        UiComponentFactory $factory,
+        ContextFactory $contextFactory = null
+    ) {
+        parent::__construct($context, $factory);
+        $this->contextFactory = $contextFactory
+            ?: ObjectManager::getInstance()->get(ContextFactory::class);
+    }
+
     /**
      * Render UI component by namespace in handle context
      *
      * @return void
      */
     public function execute()
     {
+        $response = '';
         $handle = $this->_request->getParam('handle');
         $namespace = $this->_request->getParam('namespace');
         $buttons = $this->_request->getParam('buttons', false);
-
         $this->_view->loadLayout(['default', $handle], true, true, false);
+        $layout = $this->_view->getLayout();
+        $context = $this->contextFactory->create(
+            [
+                'namespace' => $namespace,
+                'pageLayout' => $layout
+            ]
+        );
 
-        $uiComponent = $this->_view->getLayout()->getBlock($namespace);
-        $response = $uiComponent instanceof UiComponent ? $uiComponent->toHtml() : '';
+        $component = $this->factory->create($namespace, null, ['context' => $context]);
+        if ($this->validateAclResource($component->getContext()->getDataProvider()->getConfigData())) {
+            $uiComponent = $layout->getBlock($namespace);
+            $response = $uiComponent instanceof UiComponent ? $uiComponent->toHtml() : '';
+        }
 
         if ($buttons) {
-            $actionsToolbar = $this->_view->getLayout()->getBlock(ActionPool::ACTIONS_PAGE_TOOLBAR);
+            $actionsToolbar = $layout->getBlock(ActionPool::ACTIONS_PAGE_TOOLBAR);
             $response .= $actionsToolbar instanceof Template ? $actionsToolbar->toHtml() : '';
         }
 
         $this->_response->appendBody($response);
     }
+
+    /**
+     * Optionally validate ACL resource of components with a DataSource/DataProvider
+     *
+     * @param mixed $dataProviderConfigData
+     * @return bool
+     */
+    private function validateAclResource($dataProviderConfigData)
+    {
+        if (isset($dataProviderConfigData['aclResource'])
+            && !$this->_authorization->isAllowed($dataProviderConfigData['aclResource'])
+        ) {
+            if (!$this->_request->isAjax()) {
+                $this->_redirect('admin/denied');
+            }
+            return false;
+        }
+
+        return true;
+    }
 }
diff --git a/app/code/Magento/Ui/Test/Unit/Controller/Adminhtml/Index/Render/HandleTest.php b/app/code/Magento/Ui/Test/Unit/Controller/Adminhtml/Index/Render/HandleTest.php
@@ -6,7 +6,11 @@
 namespace Magento\Ui\Test\Unit\Controller\Adminhtml\Index\Render;
 
 use Magento\Ui\Controller\Adminhtml\Index\Render\Handle;
+use Magento\Framework\View\Element\UiComponent\ContextInterface;
 
+/**
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ */
 class HandleTest extends \PHPUnit\Framework\TestCase
 {
     /**
@@ -27,22 +31,42 @@ class HandleTest extends \PHPUnit\Framework\TestCase
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
-    protected $componentFactoryMock;
+    protected $viewMock;
+
+    /**
+     * @var Handle
+     */
+    protected $controller;
+
+    /**
+     * @var \Magento\Framework\AuthorizationInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $authorizationMock;
 
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
-    protected $viewMock;
+    private $uiComponentContextMock;
 
     /**
-     * @var Handle
+     * @var \Magento\Framework\View\Element\UiComponentInterface|\PHPUnit_Framework_MockObject_MockObject
      */
-    protected $controller;
+    private $uiComponentMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    private $uiFactoryMock;
+
+    /**
+     * @var \Magento\Framework\View\Element\UiComponent\DataProvider\DataProviderInterface|
+     *      \PHPUnit_Framework_MockObject_MockObject
+     */
+    private $dataProviderMock;
 
     public function setUp()
     {
         $this->contextMock = $this->createMock(\Magento\Backend\App\Action\Context::class);
-        $this->componentFactoryMock = $this->createMock(\Magento\Framework\View\Element\UiComponentFactory::class);
 
         $this->requestMock = $this->createMock(\Magento\Framework\App\RequestInterface::class);
         $this->contextMock->expects($this->atLeastOnce())->method('getRequest')->willReturn($this->requestMock);
@@ -52,8 +76,37 @@ public function setUp()
 
         $this->viewMock = $this->createMock(\Magento\Framework\App\ViewInterface::class);
         $this->contextMock->expects($this->atLeastOnce())->method('getView')->willReturn($this->viewMock);
-
-        $this->controller = new Handle($this->contextMock, $this->componentFactoryMock);
+        $this->authorizationMock = $this->getMockBuilder(\Magento\Framework\AuthorizationInterface::class)
+            ->getMockForAbstractClass();
+        $this->authorizationMock->expects($this->any())
+            ->method('isAllowed')
+            ->willReturn(true);
+        $this->uiComponentContextMock = $this->getMockForAbstractClass(
+            ContextInterface::class
+        );
+        $this->uiComponentMock = $this->getMockForAbstractClass(
+            \Magento\Framework\View\Element\UiComponentInterface::class
+        );
+        $this->dataProviderMock = $this->getMockForAbstractClass(
+            \Magento\Framework\View\Element\UiComponent\DataProvider\DataProviderInterface::class
+        );
+        $this->uiComponentContextMock->expects($this->once())
+            ->method('getDataProvider')
+            ->willReturn($this->dataProviderMock);
+        $this->uiFactoryMock = $this->getMockBuilder(\Magento\Framework\View\Element\UiComponentFactory::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->uiComponentMock->expects($this->any())
+            ->method('getContext')
+            ->willReturn($this->uiComponentContextMock);
+        $this->uiFactoryMock->expects($this->any())
+            ->method('create')
+            ->willReturn($this->uiComponentMock);
+        $this->dataProviderMock->expects($this->once())
+            ->method('getConfigData')
+            ->willReturn([]);
+        $contextMock = $this->createMock(\Magento\Framework\View\Element\UiComponent\ContextFactory::class);
+        $this->controller = new Handle($this->contextMock, $this->uiFactoryMock, $contextMock);
     }
 
     public function testExecuteNoButtons()
@@ -83,7 +136,7 @@ public function testExecute()
             ->with(['default', $result], true, true, false);
 
         $layoutMock = $this->createMock(\Magento\Framework\View\LayoutInterface::class);
-        $this->viewMock->expects($this->exactly(2))->method('getLayout')->willReturn($layoutMock);
+        $this->viewMock->expects($this->once())->method('getLayout')->willReturn($layoutMock);
 
         $layoutMock->expects($this->exactly(2))->method('getBlock');
 
diff --git a/dev/tests/integration/testsuite/Magento/Ui/Controller/Adminhtml/Index/Renderer/HandleTest.php b/dev/tests/integration/testsuite/Magento/Ui/Controller/Adminhtml/Index/Renderer/HandleTest.php
@@ -0,0 +1,52 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Ui\Controller\Adminhtml\Index\Renderer;
+
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\Framework\AuthorizationInterface;
+
+/**
+ * @magentoAppArea adminhtml
+ */
+class HandleTest extends \Magento\TestFramework\TestCase\AbstractBackendController
+{
+    /**
+     * @magentoDataFixture  Magento/Customer/_files/customer.php
+     */
+    public function testExecuteWhenUserDoesNotHavePermission()
+    {
+        Bootstrap::getObjectManager()->configure([
+            'preferences' => [
+                AuthorizationInterface::class => \Magento\Ui\Model\AuthorizationMock::class
+            ]
+        ]);
+        $this->getRequest()->setParam('handle', 'customer_index_index');
+        $this->getRequest()->setParam('namespace', 'customer_listing');
+        $this->getRequest()->setParam('sorting%5Bfield%5D', 'entity_id');
+        $this->getRequest()->setParam('paging%5BpageSize%5D', 20);
+        $this->getRequest()->setParam('isAjax', 1);
+        $this->dispatch('backend/mui/index/render_handle');
+        $output = $this->getResponse()->getBody();
+        $this->assertEmpty($output, 'The acl restriction wasn\'t applied properly');
+    }
+
+    /**
+     * @magentoDataFixture  Magento/Customer/_files/customer.php
+     */
+    public function testExecuteWhenUserHasPermission()
+    {
+        $this->getRequest()->setParam('handle', 'customer_index_index');
+        $this->getRequest()->setParam('namespace', 'customer_listing');
+        $this->getRequest()->setParam('sorting%5Bfield%5D', 'entity_id');
+        $this->getRequest()->setParam('paging%5BpageSize%5D', 20);
+        $this->getRequest()->setParam('isAjax', 1);
+        $this->dispatch('backend/mui/index/render_handle');
+        $output = $this->getResponse()->getBody();
+        $this->assertNotEmpty($output, 'The acl restriction wasn\'t applied properly');
+    }
+}
diff --git a/dev/tests/integration/testsuite/Magento/Ui/Model/AuthorizationMock.php b/dev/tests/integration/testsuite/Magento/Ui/Model/AuthorizationMock.php
@@ -0,0 +1,27 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Ui\Model;
+
+/**
+ * Class AuthorizationMock
+ */
+class AuthorizationMock extends \Magento\Framework\Authorization
+{
+    /**
+     * Check current user permission on resource and privilege
+     *
+     * @param   string $resource
+     * @param   string $privilege
+     * @return  boolean
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function isAllowed($resource, $privilege = null)
+    {
+        return $resource !== 'Magento_Customer::manage';
+    }
+}
