[Issue] Bulk ACL management for AsynchronousOperations Admin UI #29757
Labels
Area: Admin UI
Component: AsynchronousOperations
Component: Bulk
Issue: Confirmed
Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed
Issue: Format is not valid
Gate 1 Failed. Automatic verification of issue format is failed
Priority: P2
A defect with this priority could have functionality issues which are not to expectations.
Progress: PR in progress
Reported on 2.4.x
Indicates original Magento version for the Issue report.
Reported on 2.4.0
Indicates original Magento version for the Issue report.
Reproduced on 2.4.x
The issue has been reproduced on latest 2.4-develop branch
Severity: S2
Major restrictions or short-term circumventions are required until a fix is available.
This issue is automatically created based on existing pull request: #27580: Bulk ACL management for AsynchronousOperations Admin UI
Description (*)
After the migration of Asynchronous Operations from Magento Commerce to Magento Open Source, it looks like part of the functionality was extended.
In detail:
user_type was added to the magento_bulk table; it defines the type of the user who created the Bulk Operation.
Possible types are:
In the current implementation, all Admin UI components have no idea about the user type:
https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/AsynchronousOperations/view/adminhtml/ui_component/bulk_listing.xml - in the default Grid there is NO DataSource defined, so the Admin sees all operations, but at the same time cannot see the Details of those operations:
https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/AsynchronousOperations/Controller/Adminhtml/Bulk/Details.php#L52
But as you can see from the implementation,
https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/AsynchronousOperations/Model/AccessValidator.php#L58
permissions are checked based on UserID, fully ignoring UserType. This means that the Admin has access to all transactions of all user types with the same ID.
Fixed Issues (if relevant)
Current implementation will add:
Questions or comments
Auto tests are still in progress, but the main implementation can already be reviewed.
Contribution checklist (*)
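The ownership check described in this issue, as an added sketch that is not Magento's code or the pull request's: it compares an ID-only check with one that treats the owner as the (user_type, user_id) pair, and adds an audit helper that lists user IDs present under more than one type. All function names, the type values and the sample rows are constructed for illustration; the issue does not list the real type values.

```php
<?php
declare(strict_types=1);

// Constructed placeholder type values (assumption, not Magento's real ones).
const SAMPLE_TYPE_ADMIN = 'admin';
const SAMPLE_TYPE_OTHER = 'other';

// Constructed rows standing in for magento_bulk records.
$bulks = [
    'uuid-a' => ['user_id' => 1, 'user_type' => SAMPLE_TYPE_ADMIN],
    'uuid-b' => ['user_id' => 1, 'user_type' => SAMPLE_TYPE_OTHER], // same ID, other type
    'uuid-c' => ['user_id' => 2, 'user_type' => SAMPLE_TYPE_ADMIN],
];

/** ID-only comparison: the behaviour the issue describes. */
function isAllowedIdOnly(array $bulk, array $ctx): bool
{
    return $bulk['user_id'] === $ctx['user_id'];
}

/** Hardened comparison: the owner is the (user_type, user_id) pair. */
function isAllowedIdAndType(array $bulk, array $ctx): bool
{
    return $bulk['user_id'] === $ctx['user_id']
        && $bulk['user_type'] === $ctx['user_type'];
}

/** Apply one check to every row, as a grid data source would when listing. */
function visibleBulks(array $bulks, array $ctx, callable $check): array
{
    return array_keys(array_filter($bulks, fn(array $b): bool => $check($b, $ctx)));
}

/** Audit helper: user IDs that occur under more than one user type. */
function idsSharedAcrossTypes(array $bulks): array
{
    $typesById = [];
    foreach ($bulks as $bulk) {
        $typesById[$bulk['user_id']][$bulk['user_type']] = true;
    }
    return array_keys(array_filter($typesById, fn(array $t): bool => count($t) > 1));
}

$admin = ['user_id' => 1, 'user_type' => SAMPLE_TYPE_ADMIN];
print_r(visibleBulks($bulks, $admin, 'isAllowedIdOnly'));
print_r(visibleBulks($bulks, $admin, 'isAllowedIdAndType'));
print_r(idsSharedAcrossTypes($bulks));
```

Using the same predicate for the listing and for the details check keeps the grid from showing rows whose details the user cannot open.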