Merge remote-tracking branch 'origin/MC-33765' into 2.4-develop-pr29

serhii-balko · serhii-balko · commit f630b4e83c33 · 2020-06-11T12:06:18.000+03:00
diff --git a/app/code/Magento/ConfigurableProduct/Block/DataProviders/PermissionsData.php b/app/code/Magento/ConfigurableProduct/Block/DataProviders/PermissionsData.php
@@ -0,0 +1,42 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\ConfigurableProduct\Block\DataProviders;
+
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\View\Element\Block\ArgumentInterface;
+
+/**
+ * Provides permissions data into template.
+ */
+class PermissionsData implements ArgumentInterface
+{
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     * Constructor
+     *
+     * @param AuthorizationInterface $authorization
+     */
+    public function __construct(AuthorizationInterface $authorization)
+    {
+        $this->authorization = $authorization;
+    }
+
+    /**
+     * Check that user is allowed to manage attributes
+     *
+     * @return bool
+     */
+    public function isAllowedToManageAttributes(): bool
+    {
+        return $this->authorization->isAllowed('Magento_Catalog::attributes_attributes');
+    }
+}
diff --git a/app/code/Magento/ConfigurableProduct/view/adminhtml/layout/catalog_product_wizard.xml b/app/code/Magento/ConfigurableProduct/view/adminhtml/layout/catalog_product_wizard.xml
@@ -48,6 +48,7 @@
                             <item name="modal" xsi:type="string">configurableModal</item>
                             <item name="dataScope" xsi:type="string">productFormConfigurable</item>
                         </argument>
+                        <argument name="permissions" xsi:type="object">Magento\ConfigurableProduct\Block\DataProviders\PermissionsData</argument>
                     </arguments>
                 </block>
                 <block class="Magento\ConfigurableProduct\Block\Adminhtml\Product\Steps\Bulk" name="step3" template="Magento_ConfigurableProduct::catalog/product/edit/attribute/steps/bulk.phtml">
diff --git a/app/code/Magento/ConfigurableProduct/view/adminhtml/templates/catalog/product/edit/attribute/steps/attributes_values.phtml b/app/code/Magento/ConfigurableProduct/view/adminhtml/templates/catalog/product/edit/attribute/steps/attributes_values.phtml
@@ -5,14 +5,18 @@
  */
 
 /* @var $block \Magento\ConfigurableProduct\Block\Adminhtml\Product\Steps\AttributeValues */
+$isAllowedToManageAttributes = $block->getPermissions()->isAllowedToManageAttributes();
+$attributesUrl = $block->getUrl('catalog/product_attribute/getAttributes');
+$optionsUrl = $block->getUrl('catalog/product_attribute/createOptions');
 ?>
 <div data-bind="scope: '<?= /* @noEscape */  $block->getComponentName() ?>'">
     <h2 class="steps-wizard-title"><?= $block->escapeHtml(
         __('Step 2: Attribute Values')
     ); ?></h2>
     <div class="steps-wizard-info">
         <span><?= $block->escapeHtml(
-            __('Select values from each attribute to include in this product. Each unique combination of values creates a unique product SKU.')
+            __('Select values from each attribute to include in this product. ' .
+                'Each unique combination of values creates a unique product SKU.')
         );?></span>
     </div>
     <div data-bind="foreach: attributes, sortableList: attributes">
@@ -72,7 +76,8 @@
                             <label data-bind="text: label, visible: label, attr:{for:id}"
                                    class="admin__field-label"></label>
                         </div>
-                        <div class="admin__field admin__field-create-new" data-bind="attr:{'data-role':id}, visible: !label">
+                        <div class="admin__field admin__field-create-new"
+                             data-bind="attr:{'data-role':id}, visible: !label">
                             <div class="admin__field-control">
                                 <input class="admin__control-text"
                                        name="label"
@@ -101,14 +106,14 @@
                     </li>
                 </ul>
             </fieldset>
-            <button class="action-create-new action-tertiary"
-                    type="button"
-                    data-action="addOption"
-                    data-bind="click: $parent.createOption, visible: canCreateOption">
-                <span><?= $block->escapeHtml(
-                    __('Create New Value')
-                ); ?></span>
-            </button>
+            <?php if ($isAllowedToManageAttributes): ?>
+                <button class="action-create-new action-tertiary"
+                        type="button"
+                        data-action="addOption"
+                        data-bind="click: $parent.createOption, visible: canCreateOption">
+                    <span><?= $block->escapeHtml(__('Create New Value')); ?></span>
+                </button>
+            <?php endif; ?>
         </div>
     </div>
 </div>
@@ -120,8 +125,8 @@
                     "<?= /* @noEscape */  $block->getComponentName() ?>": {
                         "component": "Magento_ConfigurableProduct/js/variations/steps/attributes_values",
                         "appendTo": "<?= /* @noEscape */  $block->getParentComponentName() ?>",
-                        "optionsUrl": "<?= /* @noEscape */  $block->getUrl('catalog/product_attribute/getAttributes') ?>",
-                        "createOptionsUrl": "<?= /* @noEscape */  $block->getUrl('catalog/product_attribute/createOptions') ?>"
+                        "optionsUrl": "<?= /* @noEscape */  $attributesUrl ?>",
+                        "createOptionsUrl": "<?= /* @noEscape */  $optionsUrl ?>"
                     }
                 }
             }
diff --git a/dev/tests/integration/testsuite/Magento/ConfigurableProduct/Block/Adminhtml/Product/Steps/AttributeValuesTest.php b/dev/tests/integration/testsuite/Magento/ConfigurableProduct/Block/Adminhtml/Product/Steps/AttributeValuesTest.php
@@ -0,0 +1,67 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\ConfigurableProduct\Block\Adminhtml\Product\Steps;
+
+use Magento\Backend\Model\Auth\Session;
+use Magento\ConfigurableProduct\Block\DataProviders\PermissionsData;
+use Magento\Framework\View\Layout;
+use Magento\Framework\View\LayoutInterface;
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\User\Model\User;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @magentoAppArea adminhtml
+ * @magentoAppIsolation enabled
+ * @magentoDbIsolation enabled
+ */
+class AttributeValuesTest extends TestCase
+{
+    /**
+     * @magentoDataFixture Magento/ConfigurableProduct/_files/restricted_admin_with_catalog_permissions.php
+     */
+    public function testRestrictedUserNotAllowedToManageAttributes()
+    {
+        $user = Bootstrap::getObjectManager()->create(
+            User::class
+        )->loadByUsername(
+            'admincatalog_user'
+        );
+
+        /** @var $session Session */
+        $session = Bootstrap::getObjectManager()->get(
+            Session::class
+        );
+        $session->setUser($user);
+
+        /** @var $layout Layout */
+        $layout = Bootstrap::getObjectManager()->get(
+            LayoutInterface::class
+        );
+
+        /** @var \Magento\ConfigurableProduct\Block\Adminhtml\Product\Steps\AttributeValues */
+        $block = $layout->createBlock(
+            AttributeValues::class,
+            'step2',
+            [
+                'data' => [
+                    'config' => [
+                        'form' => 'product_form.product_form',
+                        'modal' => 'configurableModal',
+                        'dataScope' => 'productFormConfigurable',
+                    ],
+                    'permissions' => Bootstrap::getObjectManager()->get(PermissionsData::class)
+                ]
+            ]
+        );
+        $isAllowedToManageAttributes = $block->getPermissions()->isAllowedToManageAttributes();
+        $html = $block->toHtml();
+        $this->assertFalse($isAllowedToManageAttributes);
+        $this->assertStringNotContainsString('<button class="action-create-new action-tertiary"', $html);
+    }
+}
diff --git a/dev/tests/integration/testsuite/Magento/ConfigurableProduct/_files/restricted_admin_with_catalog_permissions.php b/dev/tests/integration/testsuite/Magento/ConfigurableProduct/_files/restricted_admin_with_catalog_permissions.php
@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+use Magento\Authorization\Model\Acl\Role\Group;
+use Magento\Authorization\Model\RoleFactory;
+use Magento\Authorization\Model\Role;
+use Magento\Authorization\Model\Rules;
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\User\Model\User;
+
+/** @var Role $role */
+$role = Bootstrap::getObjectManager()->get(RoleFactory::class)->create();
+$role->setName('role_catalog_permissions');
+$role->setData('role_name', $role->getName());
+$role->setRoleType(Group::ROLE_TYPE);
+$role->setUserType((string)UserContextInterface::USER_TYPE_ADMIN);
+$role->save();
+
+/** @var $rule Rules */
+$rule = Bootstrap::getObjectManager()->create(Rules::class);
+$rule->setRoleId($role->getId())->setResources(['Magento_Catalog::catalog'])->saveRel();
+
+/** @var User $user */
+$user = Bootstrap::getObjectManager()->create(User::class);
+$user->setData(
+    [
+        'firstname' => 'firstname',
+        'lastname' => 'lastname',
+        'email' => 'admincatalog@example.com',
+        'username' => 'admincatalog_user',
+        'password' => 'admincatalog_password1',
+        'is_active' => 1,
+    ]
+);
+$user->setRoleId($role->getId())->save();
diff --git a/dev/tests/integration/testsuite/Magento/ConfigurableProduct/_files/restricted_admin_with_catalog_permissions_rollback.php b/dev/tests/integration/testsuite/Magento/ConfigurableProduct/_files/restricted_admin_with_catalog_permissions_rollback.php
@@ -0,0 +1,28 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+use Magento\Authorization\Model\Role;
+use Magento\Authorization\Model\RoleFactory;
+use Magento\Authorization\Model\Rules;
+use Magento\Authorization\Model\RulesFactory;
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\User\Model\User;
+
+// Deleting the user and the role.
+/** @var User $user */
+$user = Bootstrap::getObjectManager()->create(User::class);
+$user->loadByUsername('admincatalog_user')->delete();
+/** @var Role $role */
+$role = Bootstrap::getObjectManager()->get(RoleFactory::class)->create();
+$role->load('role_catalog_permissions', 'role_name');
+if ($role->getId()) {
+    /** @var Rules $rules */
+    $rules = Bootstrap::getObjectManager()->get(RulesFactory::class)->create();
+    $rules->load($role->getId(), 'role_id');
+    $rules->delete();
+    $role->delete();
+}
