Custom role backend user cannot place an admin order using Braintree payment

[goivvy]

Preconditions

1. Magento 2.2.2

Steps to reproduce

1. In backend create a custom role RoleX with limited access. Make sure you choose all Sales permissions.
2. Create a backend user UserX and assign it to RoleX.
3. Enable Braintree credit card payment.
4. Login to backend as UserX and try to place an admin order using Braintree payment.

Expected result

1. An admin order is created.

Actual result

1. You cannot add credit card details, it is inactive.
2. Request to admin/braintree/payment/getClientToken returns 403.

It happens because vendor/magento/module-braintree/Controller/Adminhtml/Payment/GetClientToken.php references ADMIN_RESOURCE = 'Magento_Braintree::get_client_token' but that resource is not defined in vendor/magento/module-braintree/etc/acl.xml.

Adding it to acl.xml:

and then setting it for RoleX solves the problem.

[magento-engcom-team]

@goivvy, thank you for your report.
We've acknowledged the issue and added to our backlog.

[matthewscalf]

Any update on this? Seems pretty urgent as you can't setup a customer service rep to create orders in the admin without it. Can't give customer service god mode. Makes no sense.

[jzahedieh]

Can also confirm this was included in 2.1.11

https://github.com/magento/magento2/blob/2.1.11/app/code/Magento/Braintree/Controller/Adminhtml/Payment/GetClientToken.php

[timbaker1991]

@jzahedieh Whislt this is fixed in 2.1.x the 2.2.x branch has this issue which, as @matthewscalf points out, is a fairly severe issue!

I have temporarily fixed this by adding

<resource id="Magento_Braintree::get_client_token" title="Get Client Token (HOT FIX)" sortOrder="80" />

to the acl.xml file in the Braintree module. This permission can then be given to other user roles.

For people like me who struggled to find this via Google, the error message thrown is

"A technical problem with the server created an error. try to continue what you were doing"

[shamoon]

@timbaker1991 Thank you so much for this fix, worked for me!

I can't believe this issue is just roaming around the wild unaddressed, seems like a major issue and still present in CE 2.2.6

[vetshopdeveloper]

@magento-engcom-team this has been confirmed since the 7th of Feb, please advise when a fix will be available