Merge pull request magento#3083 from magento-tsg/MC-34751

[TSG] MC-34751: [Backport for 2.3.x] Improper Authorization in Inventory module in Store allows Edit Stocks, Delete Stocks, Source to Stock Assigning without permissions

Author: Stanislav Idolov

Inventory/Test/Integration/Stock/StockSourceLinkProcessorTest.php

@@ -7,6 +7,7 @@
 
 namespace Magento\Inventory\Test\Integration\Stock;
 
+use Magento\Backend\Model\Auth;
 use Magento\Framework\Api\SearchCriteriaBuilder;
 use Magento\Framework\Api\SortOrderBuilder;
 use Magento\InventoryAdminUi\Model\Stock\StockSourceLinkProcessor;
@@ -15,6 +16,11 @@
 use Magento\TestFramework\Helper\Bootstrap;
 use PHPUnit\Framework\TestCase;
 
+/**
+ * Tests for \Magento\InventoryAdminUi\Model\Stock\StockSourceLinkProcessor.
+ *
+ * @magentoAppArea adminhtml
+ */
 class StockSourceLinkProcessorTest extends TestCase
 {
     /**
@@ -37,23 +43,86 @@ class StockSourceLinkProcessorTest extends TestCase
      */
     private $getStockSourceLinks;
 
+    /**
+     * @var Auth
+     */
+    private $auth;
+
     /**
      * @inheritdoc
      */
     protected function setUp()
     {
-        $this->searchCriteriaBuilder = Bootstrap::getObjectManager()->get(SearchCriteriaBuilder::class);
-        $this->getStockSourceLinks = Bootstrap::getObjectManager()->get(GetStockSourceLinksInterface::class);
-        $this->stockSourceLinkProcessor = Bootstrap::getObjectManager()->get(StockSourceLinkProcessor::class);
-        $this->sortOrderBuilder = Bootstrap::getObjectManager()->get(SortOrderBuilder::class);
+        $objectManager = Bootstrap::getObjectManager();
+        $this->searchCriteriaBuilder = $objectManager->get(SearchCriteriaBuilder::class);
+        $this->getStockSourceLinks = $objectManager->get(GetStockSourceLinksInterface::class);
+        $this->stockSourceLinkProcessor = $objectManager->get(StockSourceLinkProcessor::class);
+        $this->sortOrderBuilder = $objectManager->get(SortOrderBuilder::class);
+        $this->auth = $objectManager->get(Auth::class);
+    }
+
+    protected function tearDown()
+    {
+        $this->auth->logout();
+        parent::tearDown();
     }
 
     /**
-     * @magentoDataFixture ../../../../app/code/Magento/InventoryApi/Test/_files/sources.php
-     * @magentoDataFixture ../../../../app/code/Magento/InventoryApi/Test/_files/stocks.php
-     * @magentoDataFixture ../../../../app/code/Magento/InventoryApi/Test/_files/stock_source_links.php
+     * @magentoDataFixture Magento_InventoryApi::Test/_files/sources.php
+     * @magentoDataFixture Magento_InventoryApi::Test/_files/stocks.php
+     * @magentoDataFixture Magento_InventoryApi::Test/_files/stock_source_links.php
      */
     public function testProcess()
+    {
+        $this->auth->login(
+            \Magento\TestFramework\Bootstrap::ADMIN_NAME,
+            \Magento\TestFramework\Bootstrap::ADMIN_PASSWORD
+        );
+
+        $linksData = $this->getLinksData();
+        $stockId = 10;
+
+        $this->stockSourceLinkProcessor->process($stockId, $linksData);
+
+        $sortOrder = $this->sortOrderBuilder
+            ->setField(StockSourceLinkInterface::PRIORITY)
+            ->setAscendingDirection()
+            ->create();
+        $searchCriteria = $this->searchCriteriaBuilder
+            ->addFilter(StockSourceLinkInterface::STOCK_ID, $stockId)
+            ->addSortOrder($sortOrder)
+            ->create();
+        $searchResult = $this->getStockSourceLinks->execute($searchCriteria);
+
+        self::assertCount(2, $searchResult->getItems());
+    }
+
+    /**
+     * @magentoDataFixture Magento_InventoryAdminUi::Test/Integration/_files/user_assigned_to_stocks.php
+     * @magentoDataFixture Magento_InventoryApi::Test/_files/sources.php
+     * @magentoDataFixture Magento_InventoryApi::Test/_files/stocks.php
+     * @magentoDataFixture Magento_InventoryApi::Test/_files/stock_source_links.php
+     */
+    public function testProcessUserWithoutPermissions()
+    {
+        $this->auth->login(
+            'stocksAccessUser',
+            \Magento\TestFramework\Bootstrap::ADMIN_PASSWORD
+        );
+
+        $linksData = $this->getLinksData();
+        $stockId = 10;
+
+        $this->expectException(\Magento\Framework\Exception\AuthorizationException::class);
+        $this->expectExceptionMessage('It is not allowed to change sources');
+
+        $this->stockSourceLinkProcessor->process($stockId, $linksData);
+    }
+
+    /**
+     * @return array
+     */
+    private function getLinksData(): array
     {
         /**
          * eu-3 - should be updated
@@ -70,20 +139,7 @@ public function testProcess()
                 StockSourceLinkInterface::PRIORITY => 2,
             ],
         ];
-        $stockId = 10;
 
-        $this->stockSourceLinkProcessor->process($stockId, $linksData);
-
-        $sortOrder = $this->sortOrderBuilder
-            ->setField(StockSourceLinkInterface::PRIORITY)
-            ->setAscendingDirection()
-            ->create();
-        $searchCriteria = $this->searchCriteriaBuilder
-            ->addFilter(StockSourceLinkInterface::STOCK_ID, $stockId)
-            ->addSortOrder($sortOrder)
-            ->create();
-        $searchResult = $this->getStockSourceLinks->execute($searchCriteria);
-
-        self::assertCount(2, $searchResult->getItems());
+        return $linksData;
     }
 }

InventoryAdminUi/Controller/Adminhtml/Stock/Delete.php

@@ -23,7 +23,7 @@ class Delete extends Action implements HttpPostActionInterface
     /**
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_InventoryApi::stock';
+    const ADMIN_RESOURCE = 'Magento_InventoryApi::stock_delete';
 
     /**
      * @var StockRepositoryInterface

InventoryAdminUi/Controller/Adminhtml/Stock/Edit.php

@@ -26,7 +26,7 @@ class Edit extends Action implements HttpGetActionInterface
     /**
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_InventoryApi::stock';
+    const ADMIN_RESOURCE = 'Magento_InventoryApi::stock_edit';
 
     /**
      * @var StockRepositoryInterface

InventoryAdminUi/Controller/Adminhtml/Stock/InlineEdit.php

@@ -28,7 +28,7 @@ class InlineEdit extends Action implements HttpPostActionInterface
     /**
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_InventoryApi::stock';
+    const ADMIN_RESOURCE = 'Magento_InventoryApi::stock_edit';
 
     /**
      * @var DataObjectHelper

InventoryAdminUi/Controller/Adminhtml/Stock/MassDelete.php

@@ -23,7 +23,7 @@ class MassDelete extends Action implements HttpPostActionInterface
     /**
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_InventoryApi::stock';
+    const ADMIN_RESOURCE = 'Magento_InventoryApi::stock_delete';
 
     /**
      * @var StockRepositoryInterface

InventoryAdminUi/Controller/Adminhtml/Stock/NewAction.php

@@ -22,7 +22,7 @@ class NewAction extends Action implements HttpGetActionInterface
     /**
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_InventoryApi::stock';
+    const ADMIN_RESOURCE = 'Magento_InventoryApi::stock_edit';
 
     /**
      * @inheritdoc

InventoryAdminUi/Controller/Adminhtml/Stock/Save.php

@@ -29,7 +29,7 @@ class Save extends Action implements HttpPostActionInterface
     /**
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_InventoryApi::stock';
+    const ADMIN_RESOURCE = 'Magento_InventoryApi::stock_edit';
 
     /**
      * @var StockSaveProcessor
@@ -65,6 +65,8 @@ public function execute(): ResultInterface
     }
 
     /**
+     * Save stock process.
+     *
      * @param array $requestData
      * @param RequestInterface $request
      * @param Redirect $resultRedirect
@@ -106,6 +108,8 @@ private function processSave(
     }
 
     /**
+     * Process result redirect after success save according params.
+     *
      * @param Redirect $resultRedirect
      * @param int $stockId
      *
@@ -128,6 +132,8 @@ private function processRedirectAfterSuccessSave(Redirect $resultRedirect, int $
     }
 
     /**
+     * Process result redirect after failed save according params.
+     *
      * @param Redirect $resultRedirect
      * @param int|null $stockId
      *

InventoryAdminUi/Model/Stock/StockSourceLinkProcessor.php

@@ -8,6 +8,8 @@
 namespace Magento\InventoryAdminUi\Model\Stock;
 
 use Magento\Framework\Api\DataObjectHelper;
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\Exception\AuthorizationException;
 use Magento\Framework\Exception\InputException;
 use Magento\Framework\Api\SearchCriteriaBuilder;
 use Magento\InventoryApi\Api\Data\StockSourceLinkInterfaceFactory;
@@ -17,7 +19,8 @@
 use Magento\InventoryApi\Api\StockSourceLinksSaveInterface;
 
 /**
- * At the time of processing Stock save form this class used to save links correctly
+ * At the time of processing Stock save form this class used to save links correctly.
+ *
  * Performs replace strategy of sources for the stock
  */
 class StockSourceLinkProcessor
@@ -52,35 +55,46 @@ class StockSourceLinkProcessor
      */
     private $dataObjectHelper;
 
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
     /**
      * @param SearchCriteriaBuilder $searchCriteriaBuilder
      * @param StockSourceLinkInterfaceFactory $stockSourceLinkFactory
      * @param StockSourceLinksSaveInterface $stockSourceLinksSave
      * @param StockSourceLinksDeleteInterface $stockSourceLinksDelete
      * @param GetStockSourceLinksInterface $getStockSourceLinks
      * @param DataObjectHelper $dataObjectHelper
+     * @param AuthorizationInterface $authorization
      */
     public function __construct(
         SearchCriteriaBuilder $searchCriteriaBuilder,
         StockSourceLinkInterfaceFactory $stockSourceLinkFactory,
         StockSourceLinksSaveInterface $stockSourceLinksSave,
         StockSourceLinksDeleteInterface $stockSourceLinksDelete,
         GetStockSourceLinksInterface $getStockSourceLinks,
-        DataObjectHelper $dataObjectHelper
+        DataObjectHelper $dataObjectHelper,
+        AuthorizationInterface $authorization
     ) {
         $this->searchCriteriaBuilder = $searchCriteriaBuilder;
         $this->stockSourceLinkFactory = $stockSourceLinkFactory;
         $this->stockSourceLinksSave = $stockSourceLinksSave;
         $this->stockSourceLinksDelete = $stockSourceLinksDelete;
         $this->getStockSourceLinks = $getStockSourceLinks;
         $this->dataObjectHelper = $dataObjectHelper;
+        $this->authorization = $authorization;
     }
 
     /**
+     * Performs replace strategy of sources for the stock.
+     *
      * @param int $stockId
      * @param array $linksData
      * @return void
      * @throws InputException
+     * @throws AuthorizationException
      */
     public function process(int $stockId, array $linksData)
     {
@@ -100,6 +114,12 @@ public function process(int $stockId, array $linksData)
             $linkData[StockSourceLinkInterface::STOCK_ID] = $stockId;
             $this->dataObjectHelper->populateWithArray($link, $linkData, StockSourceLinkInterface::class);
 
+            if (!$this->authorization->isAllowed('Magento_InventoryApi::stock_source_link')
+                && $link->getData() != $link->getOrigData()
+            ) {
+                throw new AuthorizationException(__('It is not allowed to change sources'));
+            }
+
             $linksForSave[] = $link;
             unset($linksForDelete[$sourceCode]);
         }
@@ -108,6 +128,9 @@ public function process(int $stockId, array $linksData)
             $this->stockSourceLinksSave->execute($linksForSave);
         }
         if (count($linksForDelete) > 0) {
+            if (!$this->authorization->isAllowed('Magento_InventoryApi::stock_source_link')) {
+                throw new AuthorizationException(__('It is not allowed to change sources'));
+            }
             $this->stockSourceLinksDelete->execute($linksForDelete);
         }
     }