MAGETWO-56796: Any admin user can upload Favicon Icon

Cari Spruiell · Cari Spruiell · commit c3330a4ca21e · 2017-06-05T14:31:47.000-05:00
- made ACL resource more restrictive
diff --git a/app/code/Magento/Theme/Controller/Adminhtml/Design/Config/FileUploader/Save.php b/app/code/Magento/Theme/Controller/Adminhtml/Design/Config/FileUploader/Save.php
@@ -22,6 +22,11 @@ class Save extends Action
      */
     protected $fileProcessor;
 
+    /**
+     * Authorization level
+     */
+    const ADMIN_RESOURCE = 'Magento_Theme::theme';
+
     /**
      * @param Context $context
      * @param FileProcessor $fileProcessor
