Merge pull request #9225 from magento-cia/cia-2.4.8-beta1-develop-bugfix-09022024

Cia 2.4.8 beta1 develop bugfix 09022024

Author: pawan-adobe-security

app/code/Magento/AdvancedSearch/Controller/Adminhtml/Search/System/Config/TestConnection.php

@@ -4,22 +4,27 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\AdvancedSearch\Controller\Adminhtml\Search\System\Config;
 
 use Magento\Backend\App\Action;
 use Magento\Backend\App\Action\Context;
 use Magento\AdvancedSearch\Model\Client\ClientResolver;
+use Magento\Framework\App\Action\HttpPostActionInterface;
+use Magento\Framework\Controller\Result\Json;
 use Magento\Framework\Controller\Result\JsonFactory;
+use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Filter\StripTags;
 
-class TestConnection extends Action
+class TestConnection extends Action implements HttpPostActionInterface
 {
     /**
      * Authorization level of a basic admin session.
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_CatalogSearch::config_catalog_search';
+    public const ADMIN_RESOURCE = 'Magento_Catalog::config_catalog';
 
     /**
      * @var ClientResolver
@@ -57,7 +62,7 @@ public function __construct(
     /**
      * Check for connection to server
      *
-     * @return \Magento\Framework\Controller\Result\Json
+     * @return Json
      */
     public function execute()
     {
@@ -69,22 +74,22 @@ public function execute()
 
         try {
             if (empty($options['engine'])) {
-                throw new \Magento\Framework\Exception\LocalizedException(
+                throw new LocalizedException(
                     __('Missing search engine parameter.')
                 );
             }
             $response = $this->clientResolver->create($options['engine'], $options)->testConnection();
             if ($response) {
                 $result['success'] = true;
             }
-        } catch (\Magento\Framework\Exception\LocalizedException $e) {
+        } catch (LocalizedException $e) {
             $result['errorMessage'] = $e->getMessage();
         } catch (\Exception $e) {
             $message = __($e->getMessage());
             $result['errorMessage'] = $this->tagFilter->filter($message);
         }
 
-        /** @var \Magento\Framework\Controller\Result\Json $resultJson */
+        /** @var Json $resultJson */
         $resultJson = $this->resultJsonFactory->create();
         return $resultJson->setData($result);
     }

app/code/Magento/Backend/Controller/Adminhtml/System/Design.php

@@ -14,10 +14,10 @@ abstract class Design extends Action
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Backend::design';
+    public const ADMIN_RESOURCE = 'Magento_Backend::schedule';
 
     /**
-     * Core registry
+     * Core registry instance
      *
      * @var \Magento\Framework\Registry
      */

app/code/Magento/CatalogSearch/etc/acl.xml

@@ -13,12 +13,12 @@
                     <resource id="Magento_Backend::stores_settings">
                         <resource id="Magento_Config::config">
                             <resource id="Magento_Catalog::config_catalog" title="Catalog Section" translate="title">
-                                <resource id="Magento_CatalogSearch::config_catalog_search" title="Catalog Search" translate="title" sortOrder="10" />
+                                <resource id="Magento_CatalogSearch::config_catalog_search" title="Catalog Search" translate="title" sortOrder="10" disabled="true" />
                             </resource>
                         </resource>
                     </resource>
                 </resource>
             </resource>
         </resources>
     </acl>
-</config>
+</config>

app/code/Magento/Cms/Block/Adminhtml/Block/Widget/Chooser.php

@@ -96,7 +96,7 @@ public function prepareElementHtml(\Magento\Framework\Data\Form\Element\Abstract
      */
     public function getRowClickCallback()
     {
-        $chooserJsObject = $this->getId();
+        $chooserJsObject = $this->_escaper->escapeJs($this->getId());
         $js = '
             function (grid, event) {
                 var trElement = Event.findElement(event, "tr");

app/code/Magento/Cms/Block/Adminhtml/Page/Widget/Chooser.php

@@ -8,7 +8,6 @@
 /**
  * CMS page chooser for Wysiwyg CMS widget
  *
- * @author     Magento Core Team <[email protected]>
  */
 class Chooser extends \Magento\Backend\Block\Widget\Grid\Extended
 {
@@ -65,7 +64,6 @@ public function __construct(
     protected function _construct()
     {
         parent::_construct();
-        //$this->setDefaultSort('name');
         $this->setUseAjax(true);
         $this->setDefaultFilter(['chooser_is_active' => '1']);
     }
@@ -113,7 +111,7 @@ public function prepareElementHtml(\Magento\Framework\Data\Form\Element\Abstract
      */
     public function getRowClickCallback()
     {
-        $chooserJsObject = $this->getId();
+        $chooserJsObject = $this->_escaper->escapeJs($this->getId());
         $js = '
             function (grid, event) {
                 var trElement = Event.findElement(event, "tr");

app/code/Magento/Customer/Controller/Adminhtml/Cart/Product/Composite/Cart.php

@@ -12,6 +12,7 @@
 use Magento\Quote\Model\Quote\Item;
 use Magento\Quote\Model\QuoteFactory;
 use Magento\Quote\Model\ResourceModel\QuoteItemRetriever;
+use Magento\Framework\AuthorizationInterface;
 
 /**
  * Catalog composite product configuration controller
@@ -60,21 +61,30 @@ abstract class Cart extends \Magento\Backend\App\Action
      * @var QuoteItemRetriever
      */
     private $quoteItemRetriever;
+
+    /**
+     * @var AuthorizationInterface
+     */
+    protected $_authorization;
+
     /**
      * @param Action\Context $context
      * @param CartRepositoryInterface $quoteRepository
      * @param QuoteFactory $quoteFactory
      * @param QuoteItemRetriever $quoteItemRetriever
+     * @param AuthorizationInterface $authorization
      */
     public function __construct(
         Action\Context $context,
         CartRepositoryInterface $quoteRepository,
         QuoteFactory $quoteFactory,
-        QuoteItemRetriever $quoteItemRetriever
+        QuoteItemRetriever $quoteItemRetriever,
+        AuthorizationInterface $authorization
     ) {
         $this->quoteRepository = $quoteRepository;
         $this->quoteFactory = $quoteFactory;
         $this->quoteItemRetriever = $quoteItemRetriever;
+        $this->_authorization = $authorization;
         parent::__construct($context);
     }
 
@@ -112,4 +122,13 @@ protected function _initData()
 
         return $this;
     }
+
+    /**
+     * @inheritdoc
+     */
+    protected function _isAllowed()
+    {
+        return $this->_authorization->isAllowed(self::ADMIN_RESOURCE)
+            && $this->_authorization->isAllowed('Magento_Cart::cart');
+    }
 }

app/code/Magento/Customer/Controller/Adminhtml/Index/Cart.php

@@ -3,6 +3,8 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Customer\Controller\Adminhtml\Index;
 
 use Magento\Backend\App\Action\Context;
@@ -43,6 +45,7 @@
  *
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  * @deprecated 101.0.0
+ * @see no alternatives
  */
 class Cart extends BaseAction implements HttpGetActionInterface, HttpPostActionInterface
 {
@@ -55,6 +58,13 @@ class Cart extends BaseAction implements HttpGetActionInterface, HttpPostActionI
      */
     private $storeManager;
 
+    /**
+     * Authorization level of a basic admin cart
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Cart::cart';
+
     /**
      * Constructor
      *

app/code/Magento/Customer/Controller/Adminhtml/Index/Carts.php

@@ -3,10 +3,23 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Customer\Controller\Adminhtml\Index;
 
-class Carts extends \Magento\Customer\Controller\Adminhtml\Index
+use Magento\Customer\Controller\Adminhtml\Index as BaseAction;
+use Magento\Framework\App\Action\HttpGetActionInterface;
+use Magento\Framework\App\Action\HttpPostActionInterface as HttpPostActionInterface;
+
+class Carts extends BaseAction implements HttpGetActionInterface, HttpPostActionInterface
 {
+    /**
+     * Authorization level of a basic admin cart
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Cart::cart';
+
     /**
      * Get shopping carts from all websites for specified client
      *

app/code/Magento/Sales/Controller/Adminhtml/Order/Create.php

@@ -26,6 +26,10 @@ abstract class Create extends \Magento\Backend\App\Action
      * Indicates how to process post data
      */
     private const ACTION_SAVE = 'save';
+    /**
+     * Controller name for edit actions
+     */
+    private const CONTROLLER_NAME_ORDER_EDIT = 'order_edit';
     /**
      * @var \Magento\Framework\Escaper
      */
@@ -380,6 +384,9 @@ protected function _getAclResource()
         if (in_array($action, ['index', 'save', 'cancel']) && $this->_getSession()->getReordered()) {
             $action = 'reorder';
         }
+        if (strtolower($this->getRequest()->getControllerName() ?? '') === self::CONTROLLER_NAME_ORDER_EDIT) {
+            $action = 'actions_edit';
+        }
         switch ($action) {
             case 'index':
             case 'save':
@@ -391,6 +398,9 @@ protected function _getAclResource()
             case 'cancel':
                 $aclResource = 'Magento_Sales::cancel';
                 break;
+            case 'actions_edit':
+                $aclResource = 'Magento_Sales::actions_edit';
+                break;
             default:
                 $aclResource = 'Magento_Sales::actions';
                 break;

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/Cancel.php

@@ -6,8 +6,18 @@
  */
 namespace Magento\Sales\Controller\Adminhtml\Order\Invoice;
 
-class Cancel extends \Magento\Sales\Controller\Adminhtml\Invoice\AbstractInvoice\View
+use Magento\Framework\App\Action\HttpPostActionInterface;
+use Magento\Sales\Controller\Adminhtml\Invoice\AbstractInvoice\View;
+
+class Cancel extends View implements HttpPostActionInterface
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
+
     /**
      * Cancel invoice action
      *

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/Capture.php

@@ -6,8 +6,18 @@
  */
 namespace Magento\Sales\Controller\Adminhtml\Order\Invoice;
 
-class Capture extends \Magento\Sales\Controller\Adminhtml\Invoice\AbstractInvoice\View
+use Magento\Framework\App\Action\HttpPostActionInterface;
+use Magento\Sales\Controller\Adminhtml\Invoice\AbstractInvoice\View;
+
+class Capture extends View implements HttpPostActionInterface
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
+
     /**
      * Capture invoice action
      *

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/NewAction.php

@@ -23,7 +23,7 @@ class NewAction extends \Magento\Backend\App\Action implements HttpGetActionInte
      *
      * @see _isAllowed()
      */
-    const ADMIN_RESOURCE = 'Magento_Sales::sales_invoice';
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
 
     /**
      * @var Registry

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/Save.php

@@ -30,7 +30,7 @@ class Save extends \Magento\Backend\App\Action implements HttpPostActionInterfac
      *
      * @see _isAllowed()
      */
-    public const ADMIN_RESOURCE = 'Magento_Sales::sales_invoice';
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
 
     /**
      * @var InvoiceSender

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/Start.php

@@ -10,6 +10,13 @@
 
 class Start extends \Magento\Sales\Controller\Adminhtml\Invoice\AbstractInvoice\View implements HttpGetActionInterface
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
+
     /**
      * Start create invoice action
      *

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/UpdateQty.php

@@ -18,11 +18,19 @@
 use Magento\Sales\Controller\Adminhtml\Invoice\AbstractInvoice\View as AbstractView;
 
 /**
- * Class UpdateQty
+ * Class UpdateQty to update invoice items qty
+ *
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class UpdateQty extends AbstractView implements HttpPostActionInterface
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
+
     /**
      * @var JsonFactory
      */

app/code/Magento/Sales/Controller/Adminhtml/Order/Invoice/VoidAction.php

@@ -6,8 +6,18 @@
  */
 namespace Magento\Sales\Controller\Adminhtml\Order\Invoice;
 
-class VoidAction extends \Magento\Sales\Controller\Adminhtml\Invoice\AbstractInvoice\View
+use Magento\Framework\App\Action\HttpPostActionInterface;
+use Magento\Sales\Controller\Adminhtml\Invoice\AbstractInvoice\View;
+
+class VoidAction extends View implements HttpPostActionInterface
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Sales::invoice';
+
     /**
      * Void invoice action
      *