Merge pull request #10149 from adobe-commerce-tier-4/PR_2025_10_21_muntianu

[Support Tier-4 muntianu] 10-21-2025 Regular delivery of bugfixes and improvements

Author: dhorytskyi

app/code/Magento/Authorization/Model/Acl/AclRetriever.php

@@ -10,6 +10,7 @@
 use Magento\Authorization\Model\ResourceModel\Rules\CollectionFactory as RulesCollectionFactory;
 use Magento\Authorization\Model\Role;
 use Magento\Authorization\Model\UserContextInterface;
+use Magento\Framework\Acl\Role\CurrentRoleContext;
 use Magento\Framework\Acl\Builder as AclBuilder;
 use Magento\Framework\Exception\AuthorizationException;
 use Magento\Framework\Exception\LocalizedException;
@@ -44,24 +45,33 @@ class AclRetriever
      */
     protected $roleCollectionFactory;
 
+    /**
+     * @var CurrentRoleContext
+     */
+    private $currentRoleContext;
+
     /**
      * Initialize dependencies.
      *
      * @param AclBuilder $aclBuilder
      * @param RoleCollectionFactory $roleCollectionFactory
      * @param RulesCollectionFactory $rulesCollectionFactory
      * @param Logger $logger
+     * @param ?CurrentRoleContext $currentRoleContext
      */
     public function __construct(
         AclBuilder $aclBuilder,
         RoleCollectionFactory $roleCollectionFactory,
         RulesCollectionFactory $rulesCollectionFactory,
-        Logger $logger
+        Logger $logger,
+        ?CurrentRoleContext $currentRoleContext = null
     ) {
         $this->logger = $logger;
         $this->rulesCollectionFactory = $rulesCollectionFactory;
         $this->aclBuilder = $aclBuilder;
         $this->roleCollectionFactory = $roleCollectionFactory;
+        $this->currentRoleContext = $currentRoleContext ?: \Magento\Framework\App\ObjectManager::getInstance()
+            ->get(CurrentRoleContext::class);
     }
 
     /**
@@ -110,17 +120,26 @@ public function getAllowedResourcesByUser($userType, $userId)
      */
     public function getAllowedResourcesByRole($roleId)
     {
-        $allowedResources = [];
-        $rulesCollection = $this->rulesCollectionFactory->create();
-        $rulesCollection->getByRoles($roleId)->load();
-        $acl = $this->aclBuilder->getAcl();
-        /** @var \Magento\Authorization\Model\Rules $ruleItem */
-        foreach ($rulesCollection->getItems() as $ruleItem) {
-            $resourceId = $ruleItem->getResourceId();
-            if ($acl->hasResource($resourceId) && $acl->isAllowed($roleId, $resourceId)) {
-                $allowedResources[] = $resourceId;
+        try {
+            $allowedResources = [];
+            $rulesCollection = $this->rulesCollectionFactory->create();
+            $rulesCollection->getByRoles($roleId)->load();
+            if ($roleId && (int) $roleId !== $this->currentRoleContext->getRoleId()) {
+                $this->aclBuilder->resetRuntimeAcl();
+            }
+            $this->currentRoleContext->setRoleId((int) $roleId);
+            $acl = $this->aclBuilder->getAcl();
+            /** @var \Magento\Authorization\Model\Rules $ruleItem */
+            foreach ($rulesCollection->getItems() as $ruleItem) {
+                $resourceId = $ruleItem->getResourceId();
+                if ($acl->hasResource($resourceId) && $acl->isAllowed($roleId, $resourceId)) {
+                    $allowedResources[] = $resourceId;
+                }
             }
+        } finally {
+            $this->currentRoleContext->_resetState();
         }
+
         return $allowedResources;
     }
 

app/code/Magento/Authorization/Model/Acl/Loader/Rule.php

@@ -11,6 +11,7 @@
 use Magento\Framework\Acl\Data\CacheInterface;
 use Magento\Framework\Acl\LoaderInterface;
 use Magento\Framework\Acl\RootResource;
+use Magento\Framework\Acl\Role\CurrentRoleContext;
 use Magento\Framework\App\ResourceConnection;
 use Magento\Framework\Serialize\Serializer\Json;
 
@@ -54,28 +55,38 @@ class Rule implements LoaderInterface
      */
     private $cacheKey;
 
+    /**
+     * @var CurrentRoleContext
+     */
+    private $roleContext;
+
     /**
      * @param RootResource $rootResource
      * @param ResourceConnection $resource
      * @param CacheInterface $aclDataCache
      * @param Json $serializer
      * @param array $data
      * @param string $cacheKey
+     * @param CurrentRoleContext|null $roleContext
      * @SuppressWarnings(PHPMD.UnusedFormalParameter):
      */
     public function __construct(
-        RootResource $rootResource,
-        ResourceConnection $resource,
-        CacheInterface $aclDataCache,
-        Json $serializer,
-        array $data = [],
-        $cacheKey = self::ACL_RULE_CACHE_KEY
+        RootResource        $rootResource,
+        ResourceConnection  $resource,
+        CacheInterface      $aclDataCache,
+        Json                $serializer,
+        ?array              $data = [],
+        ?string             $cacheKey = self::ACL_RULE_CACHE_KEY,
+        ?CurrentRoleContext $roleContext = null
     ) {
         $this->_rootResource = $rootResource;
         $this->_resource = $resource;
         $this->aclDataCache = $aclDataCache;
         $this->serializer = $serializer;
-        $this->cacheKey = $cacheKey;
+        $this->cacheKey = $cacheKey ?? self::ACL_RULE_CACHE_KEY;
+
+        $this->roleContext = $roleContext ?? \Magento\Framework\App\ObjectManager::getInstance()
+            ->get(CurrentRoleContext::class);
     }
 
     /**
@@ -86,10 +97,31 @@ public function __construct(
      */
     public function populateAcl(Acl $acl)
     {
-        $result = $this->applyPermissionsAccordingToRules($acl);
+        $roleId = $this->roleContext->getRoleId();
+        $result = ($roleId)
+            ? $this->applyPermissionsForRole($acl, (int)$roleId)
+            : $this->applyPermissionsAccordingToRules($acl);
         $this->denyPermissionsForMissingRules($acl, $result);
     }
 
+    /**
+     * Apply permissions for a specific role
+     *
+     * @param Acl $acl
+     * @param int $roleId
+     * @return array
+     */
+    private function applyPermissionsForRole(Acl $acl, int $roleId): array
+    {
+        $appliedRolePermissionsPerResource = [];
+        foreach ($this->getRulesArrayForRole($roleId) as $rule) {
+            $appliedRolePermissionsPerResource =
+                $this->getAppliedRolePermissionsPerResource($rule, $acl, $appliedRolePermissionsPerResource);
+        }
+
+        return $appliedRolePermissionsPerResource;
+    }
+
     /**
      * Apply ACL with rules
      *
@@ -100,28 +132,8 @@ private function applyPermissionsAccordingToRules(Acl $acl): array
     {
         $appliedRolePermissionsPerResource = [];
         foreach ($this->getRulesArray() as $rule) {
-            $role = $rule['role_id'];
-            $resource = $rule['resource_id'];
-            $privileges = !empty($rule['privileges']) ? explode(',', $rule['privileges']) : null;
-
-            if ($acl->hasResource($resource)) {
-
-                $appliedRolePermissionsPerResource[$resource]['allow'] =
-                    $appliedRolePermissionsPerResource[$resource]['allow'] ?? [];
-                $appliedRolePermissionsPerResource[$resource]['deny'] =
-                    $appliedRolePermissionsPerResource[$resource]['deny'] ?? [];
-
-                if ($rule['permission'] == 'allow') {
-                    if ($resource === $this->_rootResource->getId()) {
-                        $acl->allow($role, null, $privileges);
-                    }
-                    $acl->allow($role, $resource, $privileges);
-                    $appliedRolePermissionsPerResource[$resource]['allow'][] = $role;
-                } elseif ($rule['permission'] == 'deny') {
-                    $acl->deny($role, $resource, $privileges);
-                    $appliedRolePermissionsPerResource[$resource]['deny'][] = $role;
-                }
-            }
+            $appliedRolePermissionsPerResource =
+                $this->getAppliedRolePermissionsPerResource($rule, $acl, $appliedRolePermissionsPerResource);
         }
 
         return $appliedRolePermissionsPerResource;
@@ -202,4 +214,95 @@ private function getRulesArray()
 
         return $rulesArr;
     }
+
+    /**
+     * Get application ACL rules array for a specific role.
+     *
+     * @param int $roleId
+     * @return array
+     */
+    private function getRulesArrayForRole(int $roleId): array
+    {
+        $groupRoleId = $this->resolveGroupRoleId($roleId);
+        $cacheKey = hash('sha256', self::ACL_RULE_CACHE_KEY . '_' . $groupRoleId);
+        $rulesCachedData = $this->aclDataCache->load($cacheKey);
+        if ($rulesCachedData) {
+            return $this->serializer->unserialize($rulesCachedData);
+        }
+
+        $ruleTable = $this->_resource->getTableName('authorization_rule');
+        $connection = $this->_resource->getConnection();
+        $select = $connection->select()
+            ->from(['r' => $ruleTable])
+            ->where('role_id = ?', $groupRoleId)
+            ->order('rule_id ASC');
+
+        $rulesArr = $connection->fetchAll($select);
+
+        $this->aclDataCache->save($this->serializer->serialize($rulesArr), $cacheKey);
+
+        return $rulesArr;
+    }
+
+    /**
+     * Resolve the group role id for a given role id
+     *
+     * @param int $roleId
+     * @return int
+     */
+    private function resolveGroupRoleId(int $roleId): int
+    {
+        $roleTable = $this->_resource->getTableName('authorization_role');
+        $connection = $this->_resource->getConnection();
+        $select = $connection->select()
+            ->from($roleTable, ['role_type', 'parent_id'])
+            ->where('role_id = ?', $roleId)
+            ->limit(1);
+
+        $row = $connection->fetchRow($select);
+        if (is_array($row) && isset($row['role_type']) && $row['role_type'] === 'U'
+            && (int)($row['parent_id'] ?? 0) > 0
+        ) {
+            return (int)$row['parent_id'];
+        }
+        return $roleId;
+    }
+
+    /**
+     * Apply rule to ACL and return applied permissions per resource
+     *
+     * @param array $rule
+     * @param Acl $acl
+     * @param array $appliedRolePermissionsPerResource
+     * @return array
+     */
+    private function getAppliedRolePermissionsPerResource(
+        array $rule,
+        Acl $acl,
+        array $appliedRolePermissionsPerResource
+    ): array {
+        $role = $rule['role_id'];
+        $resource = $rule['resource_id'];
+        $privileges = !empty($rule['privileges']) ? explode(',', $rule['privileges']) : null;
+
+        if ($acl->hasResource($resource)) {
+
+            $appliedRolePermissionsPerResource[$resource]['allow'] =
+                $appliedRolePermissionsPerResource[$resource]['allow'] ?? [];
+            $appliedRolePermissionsPerResource[$resource]['deny'] =
+                $appliedRolePermissionsPerResource[$resource]['deny'] ?? [];
+
+            if ($rule['permission'] == 'allow') {
+                if ($resource === $this->_rootResource->getId()) {
+                    $acl->allow($role, null, $privileges);
+                }
+                $acl->allow($role, $resource, $privileges);
+                $appliedRolePermissionsPerResource[$resource]['allow'][] = $role;
+            } elseif ($rule['permission'] == 'deny') {
+                $acl->deny($role, $resource, $privileges);
+                $appliedRolePermissionsPerResource[$resource]['deny'][] = $role;
+            }
+        }
+        return $appliedRolePermissionsPerResource;
+    }
 }

app/code/Magento/Authorization/Test/Unit/Model/Acl/AclRetrieverTest.php

@@ -18,6 +18,7 @@
 use Magento\Authorization\Model\UserContextInterface;
 use Magento\Framework\Acl;
 use Magento\Framework\Acl\Builder;
+use Magento\Framework\Acl\Role\CurrentRoleContext;
 use Magento\Framework\Exception\AuthorizationException;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
@@ -172,14 +173,78 @@ protected function createAclRetriever()
         /**
          * @var Builder|MockObject $aclBuilderMock
          */
-        $aclBuilderMock = $this->createPartialMock(Builder::class, ['getAcl']);
+        $aclBuilderMock = $this->createPartialMock(Builder::class, ['getAcl', 'resetRuntimeAcl']);
         $aclBuilderMock->expects($this->any())->method('getAcl')->willReturn($aclMock);
 
         return new AclRetriever(
             $aclBuilderMock,
             $roleCollectionFactoryMock,
             $rulesCollectionFactoryMock,
-            $this->getMockForAbstractClass(LoggerInterface::class)
+            $this->getMockForAbstractClass(LoggerInterface::class),
+            new CurrentRoleContext()
         );
     }
+
+    public function testResetAclWhenRoleChanges(): void
+    {
+        // Set up rules collection
+        $rulesMock = $this->getMockBuilder(Rules::class)
+            ->addMethods(['getResourceId'])
+            ->onlyMethods(['__wakeup'])
+            ->disableOriginalConstructor()
+            ->getMock();
+        $rulesMock->method('getResourceId')->willReturn('Magento_Backend::dashboard');
+
+        $rulesCollectionMock = $this->createPartialMock(
+            RulesCollection::class,
+            ['getByRoles', 'load', 'getItems']
+        );
+        $rulesCollectionMock->method('getByRoles')->willReturnSelf();
+        $rulesCollectionMock->method('load')->willReturnSelf();
+        $rulesCollectionMock->method('getItems')->willReturn([$rulesMock]);
+
+        $rulesCollectionFactoryMock = $this->createPartialMock(
+            RulesCollectionFactory::class,
+            ['create']
+        );
+        $rulesCollectionFactoryMock->method('create')->willReturn($rulesCollectionMock);
+
+        // ACL and builder mocks
+        $aclMock = $this->createPartialMock(Acl::class, ['hasResource', 'isAllowed']);
+        $aclMock->method('hasResource')->willReturn(true);
+        $aclMock->method('isAllowed')->willReturn(true);
+
+        $aclBuilderMock = $this->createPartialMock(Builder::class, ['getAcl', 'resetRuntimeAcl']);
+        $aclBuilderMock->expects($this->any())->method('getAcl')->willReturn($aclMock);
+        $aclBuilderMock->expects($this->exactly(2))->method('resetRuntimeAcl');
+
+        $roleCollectionFactoryMock = $this->createPartialMock(
+            RoleCollectionFactory::class,
+            ['create']
+        );
+        $roleCollectionMock = $this->createPartialMock(
+            RoleCollection::class,
+            ['setUserFilter', 'getFirstItem']
+        );
+        $roleCollectionMock->method('setUserFilter')->willReturnSelf();
+        $roleMock = $this->createPartialMock(Role::class, ['getId', '__wakeup']);
+        $roleMock->method('getId')->willReturn(2);
+        $roleCollectionMock->method('getFirstItem')->willReturn($roleMock);
+        $roleCollectionFactoryMock->method('create')->willReturn($roleCollectionMock);
+
+        $currentRoleContext = new CurrentRoleContext();
+
+        $retriever = new AclRetriever(
+            $aclBuilderMock,
+            $roleCollectionFactoryMock,
+            $rulesCollectionFactoryMock,
+            $this->getMockForAbstractClass(LoggerInterface::class),
+            $currentRoleContext
+        );
+
+        // First call sets roleId to 2
+        $retriever->getAllowedResourcesByRole(2);
+        // Second call with different role should trigger resetRuntimeAcl()
+        $retriever->getAllowedResourcesByRole(3);
+    }
 }