BB-14072: Problems with permissions and roles (#17589)

- fixed Brand ACLs - fixed PriceAttributePriceList ACLs - fixed Tax ACLs - fixed InventoryLevel ACLs - fixed ContactReason ACLs - fixed display of empty menu items - fixed security configs on entities & controllers without ACLs - added behat test which checks that user without permissions see no nav menu items
oroinc · Apr 4, 2018 · 4cddfeb · 4cddfeb
1 parent 0f1c037
commit 4cddfeb
Show file tree

Hide file tree

Showing 10 changed files with 81 additions and 18 deletions.
diff --git a/src/Oro/Bundle/InventoryBundle/Controller/InventoryLevelController.php b/src/Oro/Bundle/InventoryBundle/Controller/InventoryLevelController.php
@@ -8,7 +8,6 @@
 use Oro\Bundle\InventoryBundle\Form\Type\InventoryLevelGridType;
 use Oro\Bundle\ProductBundle\Entity\Product;
 use Oro\Bundle\SecurityBundle\Annotation\Acl;
-use Oro\Bundle\SecurityBundle\Annotation\AclAncestor;
 use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
 use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
@@ -17,13 +16,20 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
+/**
+ * CRUD controller for InventoryLevel entity
+ */
 class InventoryLevelController extends Controller
 {
     /**
      * @Route("/", name="oro_inventory_level_index")
      * @Template
-     * @AclAncestor("oro_inventory_level_index")
-     *
+     * @Acl(
+     *      id="oro_inventory_level_view",
+     *      type="entity",
+     *      class="OroInventoryBundle:InventoryLevel",
+     *      permission="VIEW"
+     * )
      * @return array
      */
     public function indexAction()

diff --git a/src/Oro/Bundle/PricingBundle/Entity/PriceAttributePriceList.php b/src/Oro/Bundle/PricingBundle/Entity/PriceAttributePriceList.php
@@ -8,12 +8,20 @@
 use Oro\Bundle\EntityConfigBundle\Metadata\Annotation\ConfigField;
 
 /**
+ * This entity represents price list with price attributes
+ *
  * @ORM\Table(name="oro_price_attribute_pl")
  * @ORM\Entity(repositoryClass="Oro\Bundle\PricingBundle\Entity\Repository\PriceAttributePriceListRepository")
  * @Config(
  *      routeName="oro_pricing_price_attribute_price_list_index",
  *      routeView="oro_pricing_price_attribute_price_list_view",
- *      routeUpdate="oro_pricing_price_attribute_price_list_update"
+ *      routeUpdate="oro_pricing_price_attribute_price_list_update",
+ *      defaultValues={
+ *          "security"={
+ *              "type"="ACL",
+ *              "group_name"=""
+ *          },
+ *      }
  * )
  */
 class PriceAttributePriceList extends BasePriceList

diff --git a/src/Oro/Bundle/PricingBundle/Resources/views/PriceAttributePriceList/index.html.twig b/src/Oro/Bundle/PricingBundle/Resources/views/PriceAttributePriceList/index.html.twig
@@ -4,7 +4,7 @@
 {% set pageTitle = 'oro.pricing.priceattributepricelist.entity_plural_label'|trans %}
 
 {% block navButtons %}
-    {% if is_granted('oro_pricing_price_list_create') %}
+    {% if is_granted('oro_pricing_price_attribute_price_list_create') %}
         <div class="btn-group">
             {{ UI.addButton({
                 'path': path('oro_pricing_price_attribute_price_list_create'),

diff --git a/src/Oro/Bundle/ProductBundle/Controller/Api/Rest/BrandController.php b/src/Oro/Bundle/ProductBundle/Controller/Api/Rest/BrandController.php
@@ -9,11 +9,14 @@
 use FOS\RestBundle\Routing\ClassResourceInterface;
 use Nelmio\ApiDocBundle\Annotation\ApiDoc;
 use Oro\Bundle\SecurityBundle\Annotation\Acl;
+use Oro\Bundle\SecurityBundle\Annotation\AclAncestor;
 use Oro\Bundle\SoapBundle\Controller\Api\Rest\RestController;
 use Oro\Bundle\SoapBundle\Entity\Manager\ApiEntityManager;
 use Oro\Bundle\SoapBundle\Form\Handler\ApiFormHandler;
 
 /**
+ * API CRUD controller for Brand entity
+ *
  * @RouteResource("brand")
  * @NamePrefix("oro_api_")
  */
@@ -25,12 +28,7 @@ class BrandController extends RestController implements ClassResourceInterface
      *     description="Get sissue",
      *     resource=true
      * )
-     * @Acl(
-     *      id="oro_product_brand_view",
-     *      type="entity",
-     *      class="OroProductBundle:Brand",
-     *      permission="VIEW"
-     * )
+     * @AclAncestor("oro_product_brand_view")
      * @Get(requirements={"id"="\d+"})
      *
      * @return \Symfony\Component\HttpFoundation\Response

diff --git a/src/Oro/Bundle/ProductBundle/Controller/BrandController.php b/src/Oro/Bundle/ProductBundle/Controller/BrandController.php
@@ -4,6 +4,7 @@
 
 use Oro\Bundle\ProductBundle\Entity\Brand;
 use Oro\Bundle\ProductBundle\Form\Type\BrandType;
+use Oro\Bundle\SecurityBundle\Annotation\Acl;
 use Oro\Bundle\SecurityBundle\Annotation\AclAncestor;
 use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
 use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;
@@ -12,12 +13,20 @@
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 
+/**
+ * CRUD controller for Brand entity
+ */
 class BrandController extends Controller
 {
     /**
      * @Route("/", name="oro_product_brand_index")
      * @Template
-     *
+     * @Acl(
+     *      id="oro_product_brand_view",
+     *      type="entity",
+     *      class="OroProductBundle:Brand",
+     *      permission="VIEW"
+     * )
      * @return array
      */
     public function indexAction()
@@ -30,7 +39,12 @@ public function indexAction()
     /**
      * @Route("/create", name="oro_product_brand_create")
      * @Template("OroProductBundle:Brand:update.html.twig")
-     *
+     * @Acl(
+     *      id="oro_product_brand_create",
+     *      type="entity",
+     *      class="OroProductBundle:Brand",
+     *      permission="CREATE"
+     * )
      * @param Request $request
      * @return array|RedirectResponse
      */
@@ -42,7 +56,12 @@ public function createAction(Request $request)
     /**
      * @Route("/update/{id}", name="oro_product_brand_update", requirements={"id"="\d+"})
      * @Template
-     *
+     * @Acl(
+     *      id="oro_product_brand_update",
+     *      type="entity",
+     *      class="OroProductBundle:Brand",
+     *      permission="EDIT"
+     * )
      * @param Brand   $brand
      * @param Request $request
      * @return array|RedirectResponse

diff --git a/src/Oro/Bundle/ProductBundle/Resources/config/oro/datagrids.yml b/src/Oro/Bundle/ProductBundle/Resources/config/oro/datagrids.yml
@@ -796,6 +796,7 @@ datagrids:
                 rowAction:     true
 
     brand-grid:
+        acl_resource: oro_product_brand_view
         extended_entity_name: '%oro_product.entity.brand.class%'
         source:
             type: orm

diff --git a/src/Oro/Bundle/TaxBundle/Entity/ProductTaxCode.php b/src/Oro/Bundle/TaxBundle/Entity/ProductTaxCode.php
@@ -7,6 +7,8 @@
 use Oro\Bundle\TaxBundle\Model\TaxCodeInterface;
 
 /**
+ * Entity that represents tax code
+ *
  * @ORM\Entity(repositoryClass="Oro\Bundle\TaxBundle\Entity\Repository\ProductTaxCodeRepository")
  * @ORM\Table(name="oro_tax_product_tax_code")
  * @ORM\HasLifecycleCallbacks
@@ -20,7 +22,11 @@
  *          },
  *          "dataaudit"={
  *              "auditable"=true
- *          }
+ *          },
+ *          "security"={
+ *              "type"="ACL",
+ *              "group_name"=""
+ *          },
  *      }
  * )
  */

diff --git a/src/Oro/Bundle/TaxBundle/Entity/Tax.php b/src/Oro/Bundle/TaxBundle/Entity/Tax.php
@@ -9,13 +9,21 @@
 use Oro\Bundle\EntityConfigBundle\Metadata\Annotation\ConfigField;
 
 /**
+ * Entity that represents tax
+ *
  * @ORM\Entity
  * @ORM\Table(name="oro_tax")
  * @ORM\HasLifecycleCallbacks
  * @Config(
  *      routeName="oro_tax_index",
  *      routeView="oro_tax_view",
- *      routeUpdate="oro_tax_update"
+ *      routeUpdate="oro_tax_update",
+ *      defaultValues={
+ *          "security"={
+ *              "type"="ACL",
+ *              "group_name"=""
+ *          },
+ *      }
  * )
  */
 class Tax implements DatesAwareInterface

diff --git a/src/Oro/Bundle/TaxBundle/Entity/TaxJurisdiction.php b/src/Oro/Bundle/TaxBundle/Entity/TaxJurisdiction.php
@@ -13,13 +13,22 @@
 use Oro\Bundle\EntityConfigBundle\Metadata\Annotation\ConfigField;
 
 /**
+ * Entity that represents tax jusrisdiction
+ *
  * @ORM\Entity
  * @ORM\Table("oro_tax_jurisdiction")
  * @ORM\HasLifecycleCallbacks
  * @Config(
  *     mode="hidden",
  *     routeName="oro_tax_jurisdiction_index",
- *     routeUpdate="oro_tax_jurisdiction_update"
+ *     routeView="oro_tax_jurisdiction_view",
+ *     routeUpdate="oro_tax_jurisdiction_update",
+ *     defaultValues={
+ *         "security"={
+ *             "type"="ACL",
+ *             "group_name"=""
+ *         },
+ *     }
  * )
  */
 class TaxJurisdiction implements DatesAwareInterface

diff --git a/src/Oro/Bundle/TaxBundle/Entity/TaxRule.php b/src/Oro/Bundle/TaxBundle/Entity/TaxRule.php
@@ -9,13 +9,21 @@
 use Oro\Bundle\EntityConfigBundle\Metadata\Annotation\ConfigField;
 
 /**
+ * Entity that represents tax rule
+ *
  * @ORM\Entity(repositoryClass="Oro\Bundle\TaxBundle\Entity\Repository\TaxRuleRepository")
  * @ORM\Table(name="oro_tax_rule")
  * @ORM\HasLifecycleCallbacks
  * @Config(
  *      routeName="oro_tax_rule_index",
  *      routeView="oro_tax_rule_view",
- *      routeUpdate="oro_tax_rule_update"
+ *      routeUpdate="oro_tax_rule_update",
+ *      defaultValues={
+ *          "security"={
+ *              "type"="ACL",
+ *              "group_name"=""
+ *          },
+ *      }
  * )
  */
 class TaxRule implements DatesAwareInterface