#29715: Enforced ACL for context menu and view details

sivaschenko · sivaschenko · commit 68bc010fc93a · 2020-09-03T17:54:34.000+01:00
diff --git a/app/code/Magento/MediaGalleryUi/Block/Adminhtml/ImageDetails.php b/app/code/Magento/MediaGalleryUi/Block/Adminhtml/ImageDetails.php
@@ -0,0 +1,98 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\MediaGalleryUi\Block\Adminhtml;
+
+use Magento\Backend\Block\Template;
+use Magento\Directory\Helper\Data as DirectoryHelper;
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\Json\Helper\Data as JsonHelper;
+use Magento\Framework\Serialize\Serializer\Json;
+
+/**
+ * Image details block
+ *
+ * @api
+ */
+class ImageDetails extends Template
+{
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     * @var Json
+     */
+    private $json;
+
+    /**
+     * @param AuthorizationInterface $authorization
+     * @param Template\Context $context
+     * @param array $data
+     * @param JsonHelper|null $jsonHelper
+     * @param DirectoryHelper|null $directoryHelper
+     */
+    public function __construct(
+        AuthorizationInterface $authorization,
+        Json $json,
+        Template\Context $context,
+        array $data = [],
+        ?JsonHelper $jsonHelper = null,
+        ?DirectoryHelper $directoryHelper = null
+    ) {
+        $this->authorization = $authorization;
+        $this->json = $json;
+        parent::__construct($context, $data, $jsonHelper, $directoryHelper);
+    }
+
+    /**
+     * Retrieve actions json
+     *
+     * @return string
+     */
+    public function getActionsJson(): string
+    {
+        $actions = [
+            [
+                'title' => __('Cancel'),
+                'handler' => 'closeModal',
+                'name' => 'cancel',
+                'classes' => 'action-default scalable cancel action-quaternary'
+            ]
+        ];
+
+        if ($this->authorization->isAllowed('MediaGalleryUiApi::edit_assets')) {
+            $actions[] = [
+                'title' => __('Edit Details'),
+                'handler' => 'editImageAction',
+                'name' => 'edit',
+                'classes' => 'action-default scalable edit action-quaternary'
+            ];
+        }
+
+        if ($this->authorization->isAllowed('MediaGalleryUiApi::delete_assets')) {
+            $actions[] = [
+                'title' => __('Delete Image'),
+                'handler' => 'deleteImageAction',
+                'name' => 'delete',
+                'classes' => 'action-default scalable delete action-quaternary'
+            ];
+        }
+
+        if ($this->authorization->isAllowed('MediaGalleryUiApi::insert_assets')) {
+            $actions[] = [
+                'title' => __('Add Image'),
+                'handler' => 'addImage',
+                'name' => 'add-image',
+                'classes' => 'scalable action-primary add-image-action'
+            ];
+        }
+
+        return $this->json->serialize($actions);
+    }
+}
diff --git a/app/code/Magento/MediaGalleryUi/Ui/Component/Listing/Columns/Url.php b/app/code/Magento/MediaGalleryUi/Ui/Component/Listing/Columns/Url.php
@@ -23,8 +23,10 @@
 class Url extends Column
 {
     private const ACL_IMAGE_ACTIONS = [
-        'insert_assets' => 'Magento_MediaGalleryUiApi::insert_assets',
-        'delete_assets' => 'Magento_MediaGalleryUiApi::delete_assets'
+        'image-details' => 'Magento_Cms::media_gallery',
+        'insert' => 'Magento_MediaGalleryUiApi::insert_assets',
+        'delete' => 'Magento_MediaGalleryUiApi::delete_assets',
+        'edit' => 'Magento_MediaGalleryUiApi::edit_assets'
     ];
 
     /**
diff --git a/app/code/Magento/MediaGalleryUi/view/adminhtml/layout/media_gallery_index_index.xml b/app/code/Magento/MediaGalleryUi/view/adminhtml/layout/media_gallery_index_index.xml
@@ -16,7 +16,7 @@
                 <block name="page.actions.toolbar" template="Magento_Backend::pageactions.phtml"/>
             </container>
             <uiComponent name="media_gallery_listing"/>
-            <block name="image.details" class="Magento\Backend\Block\Template" template="Magento_MediaGalleryUi::image_details.phtml">
+            <block name="image.details" class="Magento\MediaGalleryUi\Block\Adminhtml\ImageDetails" template="Magento_MediaGalleryUi::image_details.phtml">
                 <arguments>
                     <argument name="imageDetailsUrl" xsi:type="url" path="media_gallery/image/details"/>
                 </arguments>
diff --git a/app/code/Magento/MediaGalleryUi/view/adminhtml/layout/media_gallery_media_index.xml b/app/code/Magento/MediaGalleryUi/view/adminhtml/layout/media_gallery_media_index.xml
@@ -10,7 +10,7 @@
     <body>
         <referenceContainer htmlTag="div" htmlClass="media-gallery-container" name="content">
             <uiComponent name="standalone_media_gallery_listing"/>
-	        <block name="image.details" class="Magento\Backend\Block\Template" template="Magento_MediaGalleryUi::image_details_standalone.phtml">
+	        <block name="image.details" class="Magento\MediaGalleryUi\Block\Adminhtml\ImageDetails" template="Magento_MediaGalleryUi::image_details_standalone.phtml">
                 <arguments>
                     <argument name="imageDetailsUrl" xsi:type="url" path="media_gallery/image/details"/>
                 </arguments>
diff --git a/app/code/Magento/MediaGalleryUi/view/adminhtml/templates/image_details.phtml b/app/code/Magento/MediaGalleryUi/view/adminhtml/templates/image_details.phtml
@@ -4,11 +4,11 @@
  * See COPYING.txt for license details.
  */
 
-use Magento\Backend\Block\Template;
+use Magento\MediaGalleryUi\Block\Adminhtml\ImageDetails;
 use Magento\Framework\Escaper;
 
 // phpcs:disable Magento2.Files.LineLength, Generic.Files.LineLength
-/** @var Template $block */
+/** @var ImageDetails $block */
 /** @var Escaper $escaper */
 
 ?>
@@ -73,32 +73,7 @@ use Magento\Framework\Escaper;
                         "modalWindowSelector": ".media-gallery-image-details",
                         "imageModelName" : "media_gallery_listing.media_gallery_listing.media_gallery_columns.thumbnail_url",
                         "mediaGalleryImageDetailsName": "mediaGalleryImageDetails",
-                        "actionsList": [
-                            {
-                                "title": "<?= $escaper->escapeJs(__('Edit Details')); ?>",
-                                "handler": "editImageAction",
-                                "name": "edit",
-                                "classes": "action-default scalable edit action-quaternary"
-                            },
-                            {
-                                "title": "<?= $escaper->escapeJs(__('Cancel')); ?>",
-                                "handler": "closeModal",
-                                "name": "cancel",
-                                "classes": "action-default scalable cancel action-quaternary"
-                            },
-                            {
-                                "title": "<?= $escaper->escapeJs(__('Delete Image')); ?>",
-                                "handler": "deleteImageAction",
-                                "name": "delete",
-                                "classes": "action-default scalable delete action-quaternary"
-                            },
-                            {
-                                "title": "<?= $escaper->escapeJs(__('Add Image')); ?>",
-                                "handler": "addImage",
-                                "name": "add-image",
-                                "classes": "scalable action-primary add-image-action"
-                            }
-                        ]
+                        "actionsList": <?= $block->getActionsJson() ?>
                     }
                 }
             }
diff --git a/app/code/Magento/MediaGalleryUi/view/adminhtml/templates/image_details_standalone.phtml b/app/code/Magento/MediaGalleryUi/view/adminhtml/templates/image_details_standalone.phtml
@@ -4,10 +4,8 @@
  * See COPYING.txt for license details.
  */
 
-use Magento\Backend\Block\Template;
-
 // phpcs:disable Magento2.Files.LineLength, Generic.Files.LineLength
-/** @var Template $block */
+/** @var \Magento\MediaGalleryUi\Block\Adminhtml\ImageDetails $block */
 /** @var \Magento\Framework\Escaper $escaper */
 ?>
 
@@ -71,26 +69,7 @@ use Magento\Backend\Block\Template;
                         "modalWindowSelector": ".media-gallery-image-details",
                         "mediaGalleryImageDetailsName": "mediaGalleryImageDetails",
                         "imageModelName" : "standalone_media_gallery_listing.standalone_media_gallery_listing.media_gallery_columns.thumbnail_url",
-                        "actionsList": [
-                            {
-                                "title": "<?= $escaper->escapeJs(__('Edit Details')); ?>",
-                                "handler": "editImageAction",
-                                "name": "edit",
-                                "classes": "action-default scalable edit action-quaternary"
-                            },
-                            {
-                                "title": "<?= $escaper->escapeJs(__('Cancel')); ?>",
-                                "handler": "closeModal",
-                                "name": "cancel",
-                                "classes": "action-default scalable cancel action-quaternary"
-                            },
-                            {
-                                "title": "<?= $escaper->escapeJs(__('Delete Image')); ?>",
-                                "handler": "deleteImageAction",
-                                "name": "delete",
-                                "classes": "action-default scalable delete action-quaternary"
-                            }
-                        ]
+                        "actionsList": <?= $block->getActionsJson() ?>
                     }
                 }
             }
diff --git a/app/code/Magento/MediaGalleryUi/view/adminhtml/web/js/grid/columns/image.js b/app/code/Magento/MediaGalleryUi/view/adminhtml/web/js/grid/columns/image.js
@@ -228,11 +228,11 @@ define([
                 return;
             }
 
-            if (this.allowedActions.includes('insert_assets')) {
+            if (this.allowedActions.includes('insert')) {
                 $(this.addSelectedBtnSelector).removeClass('no-display');
             }
 
-            if (this.allowedActions.includes('delete_assets')) {
+            if (this.allowedActions.includes('delete')) {
                 $(this.deleteSelectedBtnSelector).removeClass('no-display');
             }
         },
diff --git a/app/code/Magento/MediaGalleryUi/view/adminhtml/web/js/grid/columns/image/actions.js b/app/code/Magento/MediaGalleryUi/view/adminhtml/web/js/grid/columns/image/actions.js
@@ -55,7 +55,11 @@ define([
             this._super();
             this.initEvents();
 
-            if (!this.allowedActions.includes('delete_assets')) {
+            this.actionsList = this.actionsList.filter(function(item) {
+                return this.allowedActions.includes(item.name);
+            }.bind(this));
+
+            if (!this.allowedActions.includes('delete')) {
                 $.async('.media-gallery-delete-assets', function () {
                     $('.media-gallery-delete-assets').unbind('click').addClass('action-disabled');
                 });

Original file line number	Diff line number	Diff line change
`@@ -228,11 +228,11 @@ define([`
`228`	`228`	`return;`
`229`	`229`	`}`
`230`	`230`
`231`		`- if (this.allowedActions.includes('insert_assets')) {`
	`231`	`+ if (this.allowedActions.includes('insert')) {`
`232`	`232`	`$(this.addSelectedBtnSelector).removeClass('no-display');`
`233`	`233`	`}`
`234`	`234`
`235`		`- if (this.allowedActions.includes('delete_assets')) {`
	`235`	`+ if (this.allowedActions.includes('delete')) {`
`236`	`236`	`$(this.deleteSelectedBtnSelector).removeClass('no-display');`
`237`	`237`	`}`
`238`	`238`	`},`