Skip to content

[Issue] Bulk ACL management for AsynchronousOperations Admin UI #29757

New issue
New issue
Open
#30806
Open
[Issue] Bulk ACL management for AsynchronousOperations Admin UI#29757
#30806
Assignees
engcom-Charlie
Labels
Area: Admin UIComponent: AsynchronousOperationsComponent: BulkIssue: ConfirmedGate 3 Passed. Manual verification of the issue completed. Issue is confirmedIssue: Format is not validGate 1 Failed. Automatic verification of issue format is failedPriority: P2A defect with this priority could have functionality issues which are not to expectations.Progress: PR in progressReported on 2.4.0Indicates original Magento version for the Issue report.Reported on 2.4.xIndicates original Magento version for the Issue report.Reproduced on 2.4.xThe issue has been reproduced on latest 2.4-develop branchSeverity: S2Major restrictions or short-term circumventions are required until a fix is available.
@m2-assistant

Description

@m2-assistant
m2-assistant
opened on Aug 26, 2020

This issue is automatically created based on existing pull request: #27580: Bulk ACL management for AsynchronousOperations Admin UI

Description (*)

After Migrating of Asynchronous Operations from Magento Commerce to Magento Open Source, looks like part of functionality was extended.

In details:
In magento_bulk table was added user_type, which defines type of the user who created Bulk Operation.

Possible types are:

  • Admin
  • Integration
  • Guest
  • Customer

In current implementation all Admin UI components have no idea about user type:

https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/AsynchronousOperations/view/adminhtml/ui_component/bulk_listing.xml - in default Grid there are NO DataSource is defined, so Admin see the whole operations, but at the same time, he cannot see Details of those operations:

https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/AsynchronousOperations/Controller/Adminhtml/Bulk/Details.php#L52

But at you can see from implementation,
https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/AsynchronousOperations/Model/AccessValidator.php#L58

that permissions are checked based on UserID and fully ignoring UserType. Which means, that Admin has access to All transactions or all user types with the same ID.

Fixed Issues (if relevant)

Current implementation will add:

  • New ACL roles for give possibilities for Admin define permissions for Admin/Integration user to have access only to specific user types operations.
  • With restricted user role, Admin will be able to see only operations that are assigned to him, View detailes or Restart them
  • Also Admin notifications will be restricted only to allowed.

Questions or comments

Auto tests still in process, but main implementation can be already reviewed.

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • All automated tests passed successfully (all builds are green)

Metadata

Metadata

Assignees

Labels

Area: Admin UIComponent: AsynchronousOperationsComponent: BulkIssue: ConfirmedGate 3 Passed. Manual verification of the issue completed. Issue is confirmedIssue: Format is not validGate 1 Failed. Automatic verification of issue format is failedPriority: P2A defect with this priority could have functionality issues which are not to expectations.Progress: PR in progressReported on 2.4.0Indicates original Magento version for the Issue report.Reported on 2.4.xIndicates original Magento version for the Issue report.Reproduced on 2.4.xThe issue has been reproduced on latest 2.4-develop branchSeverity: S2Major restrictions or short-term circumventions are required until a fix is available.

Type

No type

Projects

High Priority Backlog

Status

Pull Request In Progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions