Merge branch '2.4.8-beta1-develop' into cia-2.4.8-beta1-develop-bugfix-07032024

pawan-adobe-security · pawan-adobe-security · commit ff97b7e3802e · 2024-07-03T14:28:13.000+05:30
diff --git a/app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidatorInfo.php b/app/code/Magento/Catalog/Model/Product/Option/Type/File/ValidatorInfo.php
@@ -49,6 +49,7 @@ class ValidatorInfo extends Validator
      * @var IoFile
      */
     private $ioFile;
+
     /**
      * @var NotProtectedExtension
      */
@@ -147,12 +148,14 @@ private function validatePath(array $optionValuePath): bool
     {
         foreach ([$optionValuePath['quote_path'], $optionValuePath['order_path']] as $path) {
             $pathInfo = $this->ioFile->getPathInfo($path);
-            if (isset($pathInfo['extension'])) {
-                if (!$this->fileValidator->isValid($pathInfo['extension'])) {
-                    return false;
-                }
+
+            if (isset($pathInfo['extension'])
+                && (empty($pathInfo['extension']) || !$this->fileValidator->isValid($pathInfo['extension']))
+            ) {
+                return false;
             }
         }
+
         return true;
     }
 
diff --git a/app/code/Magento/Newsletter/Controller/Adminhtml/Queue.php b/app/code/Magento/Newsletter/Controller/Adminhtml/Queue.php
@@ -18,5 +18,16 @@ abstract class Queue extends \Magento\Backend\App\Action
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Newsletter::queue';
+    public const ADMIN_RESOURCE = 'Magento_Newsletter::queue';
+
+    /**
+     * Checks the acl permission
+     *
+     * @return bool
+     */
+    protected function _isAllowed()
+    {
+        return ($this->_authorization->isAllowed(self::ADMIN_RESOURCE) &&
+            $this->_authorization->isAllowed('Magento_Newsletter::template'));
+    }
 }
diff --git a/app/code/Magento/Reports/Controller/Adminhtml/Report/Sales.php b/app/code/Magento/Reports/Controller/Adminhtml/Report/Sales.php
@@ -3,6 +3,7 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
 
 /**
  * Sales report admin controller
@@ -13,6 +14,7 @@
 
 /**
  * @SuppressWarnings(PHPMD.NumberOfChildren)
+ * phpcs:disable Magento2.Classes.AbstractApi
  * @api
  * @since 100.0.2
  */
@@ -37,31 +39,23 @@ public function _initAction()
      */
     protected function _isAllowed()
     {
-        switch ($this->getRequest()->getActionName()) {
-            case 'sales':
-                return $this->_authorization->isAllowed('Magento_Reports::salesroot_sales');
-                break;
-            case 'tax':
-                return $this->_authorization->isAllowed('Magento_Reports::tax');
-                break;
-            case 'shipping':
-                return $this->_authorization->isAllowed('Magento_Reports::shipping');
-                break;
-            case 'invoiced':
-                return $this->_authorization->isAllowed('Magento_Reports::invoiced');
-                break;
-            case 'refunded':
-                return $this->_authorization->isAllowed('Magento_Reports::refunded');
-                break;
-            case 'coupons':
-                return $this->_authorization->isAllowed('Magento_Reports::coupons');
-                break;
-            case 'bestsellers':
-                return $this->_authorization->isAllowed('Magento_Reports::bestsellers');
-                break;
-            default:
-                return $this->_authorization->isAllowed('Magento_Reports::salesroot');
-                break;
-        }
+        return match (strtolower($this->getRequest()->getActionName())) {
+            'exportsalescsv', 'exportsalesexcel', 'sales' =>
+                $this->_authorization->isAllowed('Magento_Reports::salesroot_sales'),
+            'exporttaxcsv', 'exporttaxexcel', 'tax' =>
+                $this->_authorization->isAllowed('Magento_Reports::tax'),
+            'exportshippingcsv', 'exportshippingexcel', 'shipping' =>
+                $this->_authorization->isAllowed('Magento_Reports::shipping'),
+            'exportinvoicedcsv', 'exportinvoicedexcel', 'invoiced' =>
+                $this->_authorization->isAllowed('Magento_Reports::invoiced'),
+            'exportrefundedcsv', 'exportrefundedexcel', 'refunded' =>
+                $this->_authorization->isAllowed('Magento_Reports::refunded'),
+            'exportcouponscsv', 'exportcouponsexcel', 'coupons' =>
+                $this->_authorization->isAllowed('Magento_Reports::coupons'),
+            'exportbestsellerscsv', 'exportbestsellersexcel', 'bestsellers' =>
+                $this->_authorization->isAllowed('Magento_Reports::bestsellers'),
+            default =>
+                $this->_authorization->isAllowed('Magento_Reports::salesroot'),
+        };
     }
 }
diff --git a/app/code/Magento/Sales/Block/Adminhtml/Order/View.php b/app/code/Magento/Sales/Block/Adminhtml/Order/View.php
@@ -16,29 +16,21 @@
 class View extends \Magento\Backend\Block\Widget\Form\Container
 {
     /**
-     * Block group
-     *
      * @var string
      */
     protected $_blockGroup = 'Magento_Sales';
 
     /**
-     * Core registry
-     *
      * @var \Magento\Framework\Registry
      */
     protected $_coreRegistry = null;
 
     /**
-     * Sales config
-     *
      * @var \Magento\Sales\Model\Config
      */
     protected $_salesConfig;
 
     /**
-     * Reorder helper
-     *
      * @var \Magento\Sales\Helper\Reorder
      */
     protected $_reorderHelper;
@@ -121,7 +113,7 @@ protected function _construct()
             );
         }
 
-        if ($this->_isAllowedAction('Magento_Sales::emails') && !$order->isCanceled()) {
+        if ($this->_isAllowedAction('Magento_Sales::email') && !$order->isCanceled()) {
             $message = __('Are you sure you want to send an order email to customer?');
             $this->addButton(
                 'send_notification',
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/Cancel.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/Cancel.php
@@ -6,15 +6,16 @@
 namespace Magento\Sales\Controller\Adminhtml\Order\Creditmemo;
 
 use Magento\Backend\App\Action;
+use Magento\Framework\App\Action\HttpPostActionInterface;
 
-class Cancel extends \Magento\Backend\App\Action
+class Cancel extends \Magento\Backend\App\Action implements HttpPostActionInterface
 {
     /**
      * Authorization level of a basic admin session
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';
+    public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';
 
     /**
      * @var \Magento\Backend\Model\View\Result\ForwardFactory
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/NewAction.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/NewAction.php
@@ -15,7 +15,7 @@ class NewAction extends \Magento\Backend\App\Action implements HttpGetActionInte
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';
+    public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';
 
     /**
      * @var \Magento\Sales\Controller\Adminhtml\Order\CreditmemoLoader
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/Save.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/Save.php
@@ -18,7 +18,7 @@ class Save extends \Magento\Backend\App\Action implements HttpPostActionInterfac
      *
      * @see _isAllowed()
      */
-    public const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';
+    public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';
 
     /**
      * @var \Magento\Sales\Controller\Adminhtml\Order\CreditmemoLoader
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/Start.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/Start.php
@@ -14,7 +14,7 @@ class Start extends \Magento\Backend\App\Action implements HttpGetActionInterfac
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';
+    public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';
 
     /**
      * Start create creditmemo action
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/UpdateQty.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/UpdateQty.php
@@ -15,7 +15,7 @@ class UpdateQty extends \Magento\Backend\App\Action implements HttpPostActionInt
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';
+    public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';
 
     /**
      * @var \Magento\Sales\Controller\Adminhtml\Order\CreditmemoLoader
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/VoidAction.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/VoidAction.php
@@ -6,15 +6,16 @@
 namespace Magento\Sales\Controller\Adminhtml\Order\Creditmemo;
 
 use Magento\Backend\App\Action;
+use Magento\Framework\App\Action\HttpPostActionInterface;
 
-class VoidAction extends Action
+class VoidAction extends Action implements HttpPostActionInterface
 {
     /**
      * Authorization level of a basic admin session
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';
+    public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';
 
     /**
      * @var \Magento\Sales\Controller\Adminhtml\Order\CreditmemoLoader
diff --git a/app/code/Magento/Sales/ViewModel/Order/Create/SidebarPermissionCheck.php b/app/code/Magento/Sales/ViewModel/Order/Create/SidebarPermissionCheck.php
@@ -0,0 +1,42 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Sales\ViewModel\Order\Create;
+
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\View\Element\Block\ArgumentInterface;
+
+/**
+ * Sidebar block permission check
+ */
+class SidebarPermissionCheck implements ArgumentInterface
+{
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     * Permissions constructor.
+     *
+     * @param AuthorizationInterface $authorization
+     */
+    public function __construct(AuthorizationInterface $authorization)
+    {
+        $this->authorization = $authorization;
+    }
+
+    /**
+     * To check customer permission
+     *
+     * @return bool
+     */
+    public function isAllowed(): bool
+    {
+        return $this->authorization->isAllowed('Magento_Customer::customer');
+    }
+}
diff --git a/app/code/Magento/Sales/view/adminhtml/layout/sales_order_create_index.xml b/app/code/Magento/Sales/view/adminhtml/layout/sales_order_create_index.xml
@@ -36,6 +36,9 @@
                     </block>
                     <block class="Magento\Sales\Block\Adminhtml\Order\Create\Data" template="Magento_Sales::order/create/data.phtml" name="data">
                         <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar" template="Magento_Sales::order/create/sidebar.phtml" name="sidebar">
+                            <arguments>
+                                <argument name="sideBarPermissionCheck" xsi:type="object">Magento\Sales\ViewModel\Order\Create\SidebarPermissionCheck</argument>
+                            </arguments>
                             <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Cart" template="Magento_Sales::order/create/sidebar/items.phtml" name="cart"/>
                             <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Wishlist" template="Magento_Sales::order/create/sidebar/items.phtml" name="wishlist"/>
                             <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Reorder" template="Magento_Sales::order/create/sidebar/items.phtml" name="reorder"/>
diff --git a/app/code/Magento/Sales/view/adminhtml/layout/sales_order_create_load_block_data.xml b/app/code/Magento/Sales/view/adminhtml/layout/sales_order_create_load_block_data.xml
@@ -11,6 +11,9 @@
         <referenceContainer name="content">
             <block class="Magento\Sales\Block\Adminhtml\Order\Create\Data" template="Magento_Sales::order/create/data.phtml" name="data">
                 <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar" template="Magento_Sales::order/create/sidebar.phtml" name="sidebar">
+                    <arguments>
+                        <argument name="sideBarPermissionCheck" xsi:type="object">Magento\Sales\ViewModel\Order\Create\SidebarPermissionCheck</argument>
+                    </arguments>
                     <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Cart" template="Magento_Sales::order/create/sidebar/items.phtml" name="cart"/>
                     <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Wishlist" template="Magento_Sales::order/create/sidebar/items.phtml" name="wishlist"/>
                     <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Reorder" template="Magento_Sales::order/create/sidebar/items.phtml" name="reorder"/>
diff --git a/app/code/Magento/Sales/view/adminhtml/layout/sales_order_create_load_block_sidebar.xml b/app/code/Magento/Sales/view/adminhtml/layout/sales_order_create_load_block_sidebar.xml
@@ -9,6 +9,9 @@
     <body>
         <referenceContainer name="content">
             <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar" template="Magento_Sales::order/create/sidebar.phtml" name="sidebar">
+                <arguments>
+                    <argument name="sideBarPermissionCheck" xsi:type="object">Magento\Sales\ViewModel\Order\Create\SidebarPermissionCheck</argument>
+                </arguments>
                 <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Cart" template="Magento_Sales::order/create/sidebar/items.phtml" name="cart"/>
                 <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Wishlist" template="Magento_Sales::order/create/sidebar/items.phtml" name="wishlist"/>
                 <block class="Magento\Sales\Block\Adminhtml\Order\Create\Sidebar\Reorder" template="Magento_Sales::order/create/sidebar/items.phtml" name="reorder"/>
diff --git a/app/code/Magento/Sales/view/adminhtml/templates/order/create/sidebar.phtml b/app/code/Magento/Sales/view/adminhtml/templates/order/create/sidebar.phtml
@@ -4,19 +4,32 @@
  * See COPYING.txt for license details.
  */
 
+use Magento\Framework\Escaper;
+use Magento\Framework\View\Helper\SecureHtmlRenderer;
+use Magento\Sales\Block\Adminhtml\Order\Create\Sidebar;
+use Magento\Sales\ViewModel\Order\Create\SidebarPermissionCheck;
+
 /**
- * @var \Magento\Sales\Block\Adminhtml\Order\Create\Sidebar $block
- * @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
+ * @var Sidebar $block
+ * @var SecureHtmlRenderer $secureRenderer
+ * @var Escaper $escaper
  */
+
+/**
+ * @var SidebarPermissionCheck $sideBarPermissionCheck
+ */
+$sideBarPermissionCheck = $block->getData('sideBarPermissionCheck');
+
 ?>
+<?php  if ($sideBarPermissionCheck->isAllowed()): ?>
 <div class="customer-current-activity-inner">
-    <h4 class="customer-activity-title"><?= $block->escapeHtml(__('Customer\'s Activities')) ?></h4>
+    <h4 class="customer-activity-title"><?= $escaper->escapeHtml(__('Customer\'s Activities')) ?></h4>
     <div class="create-order-sidebar-container">
     <?= $block->getChildHtml('top_button') ?>
     <?php foreach ($block->getLayout()->getChildBlocks($block->getNameInLayout()) as $_alias => $_child): ?>
         <?php if ($_alias != 'top_button' && $_alias != 'bottom_button'): ?>
             <?php if ($block->canDisplay($_child)): ?>
-                <div class="order-sidebar-block" id="order-sidebar_<?= $block->escapeHtmlAttr($_alias) ?>">
+                <div class="order-sidebar-block" id="order-sidebar_<?= $escaper->escapeHtmlAttr($_alias) ?>">
                     <?= $block->getChildHtml($_alias) ?>
                 </div>
             <?php endif; ?>
@@ -25,6 +38,7 @@
     <?= $block->getChildHtml('bottom_button') ?>
     </div>
 </div>
+<?php endif; ?>
 <?php $scriptString = <<<script
 require([
     "prototype",
diff --git a/app/code/Magento/Shipping/Controller/Adminhtml/Order/Shipment/NewAction.php b/app/code/Magento/Shipping/Controller/Adminhtml/Order/Shipment/NewAction.php
@@ -17,7 +17,7 @@ class NewAction extends \Magento\Backend\App\Action implements HttpGetActionInte
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::shipment';
+    public const ADMIN_RESOURCE = 'Magento_Sales::ship';
 
     /**
      * @var \Magento\Shipping\Controller\Adminhtml\Order\ShipmentLoader
diff --git a/app/code/Magento/Shipping/Controller/Adminhtml/Order/Shipment/Save.php b/app/code/Magento/Shipping/Controller/Adminhtml/Order/Shipment/Save.php
@@ -22,7 +22,7 @@ class Save extends \Magento\Backend\App\Action implements HttpPostActionInterfac
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::shipment';
+    public const ADMIN_RESOURCE = 'Magento_Sales::ship';
 
     /**
      * @var \Magento\Shipping\Controller\Adminhtml\Order\ShipmentLoader
diff --git a/app/code/Magento/Shipping/Controller/Adminhtml/Order/Shipment/Start.php b/app/code/Magento/Shipping/Controller/Adminhtml/Order/Shipment/Start.php
@@ -15,7 +15,7 @@ class Start extends \Magento\Backend\App\Action implements HttpGetActionInterfac
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::shipment';
+    public const ADMIN_RESOURCE = 'Magento_Sales::ship';
 
     /**
      * Start create shipment action
diff --git a/app/code/Magento/Shipping/etc/acl.xml b/app/code/Magento/Shipping/etc/acl.xml
@@ -13,7 +13,7 @@
                     <resource id="Magento_Backend::stores_settings">
                         <resource id="Magento_Config::config">
                             <resource id="Magento_Shipping::config_shipping" title="Shipping Settings Section" translate="title" sortOrder="5" />
-                            <resource id="Magento_Shipping::shipping_policy" title="Shipping Policy Parameters Section" translate="title" sortOrder="5" />
+                            <resource id="Magento_Shipping::shipping_policy" title="Shipping Policy Parameters Section" translate="title" sortOrder="5" disabled="true" />
                             <resource id="Magento_Shipping::carriers" title="Delivery Methods Section" translate="title" sortOrder="5" />
                         </resource>
                     </resource>
diff --git a/dev/tests/integration/testsuite/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/SaveTest.php b/dev/tests/integration/testsuite/Magento/Sales/Controller/Adminhtml/Order/Creditmemo/SaveTest.php
@@ -21,6 +21,11 @@
  */
 class SaveTest extends AbstractCreditmemoControllerTest
 {
+    /**
+     * @var string
+     */
+    protected $resource = 'Magento_Sales::creditmemo';
+
     /**
      * @var string
      */
diff --git a/dev/tests/integration/testsuite/Magento/Shipping/Controller/Adminhtml/Order/Shipment/SaveTest.php b/dev/tests/integration/testsuite/Magento/Shipping/Controller/Adminhtml/Order/Shipment/SaveTest.php
diff --git a/pub/media/.htaccess b/pub/media/.htaccess

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ class NewAction extends \Magento\Backend\App\Action implements HttpGetActionInte`
`15`	`15`	`*`
`16`	`16`	`* @see _isAllowed()`
`17`	`17`	`*/`
`18`		`- const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';`
	`18`	`+ public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';`
`19`	`19`
`20`	`20`	`/**`
`21`	`21`	`* @var \Magento\Sales\Controller\Adminhtml\Order\CreditmemoLoader`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ class Save extends \Magento\Backend\App\Action implements HttpPostActionInterfac`
`18`	`18`	`*`
`19`	`19`	`* @see _isAllowed()`
`20`	`20`	`*/`
`21`		`- public const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';`
	`21`	`+ public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';`
`22`	`22`
`23`	`23`	`/**`
`24`	`24`	`* @var \Magento\Sales\Controller\Adminhtml\Order\CreditmemoLoader`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ class Start extends \Magento\Backend\App\Action implements HttpGetActionInterfac`
`14`	`14`	`*`
`15`	`15`	`* @see _isAllowed()`
`16`	`16`	`*/`
`17`		`- const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';`
	`17`	`+ public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';`
`18`	`18`
`19`	`19`	`/**`
`20`	`20`	`* Start create creditmemo action`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ class UpdateQty extends \Magento\Backend\App\Action implements HttpPostActionInt`
`15`	`15`	`*`
`16`	`16`	`* @see _isAllowed()`
`17`	`17`	`*/`
`18`		`- const ADMIN_RESOURCE = 'Magento_Sales::sales_creditmemo';`
	`18`	`+ public const ADMIN_RESOURCE = 'Magento_Sales::creditmemo';`
`19`	`19`
`20`	`20`	`/**`
`21`	`21`	`* @var \Magento\Sales\Controller\Adminhtml\Order\CreditmemoLoader`