@sergiy-v sergiy-v commented May 9, 2018

Original PR: #14886.

Preconditions

Magento 2.2 has multiple admin user roles with access restrictions to some resources. A role has access to cart price rules, but it is restricted from catalog rules.

Problem

When an admin user with the role mentioned above, in an edit/new cart price rule, adds an “SKU” condition in the conditions settings and then selects products from the loaded product grid, all grid navigation, sorting and filtering operations lead to a “403” redirect.

Reason
When Magento loads the products grid for selecting product SKUs for cart price rules, it uses a controller action which is inherited from a similar one from the CatalogRule module. This controller renders its block Magento\CatalogRule\Block\Adminhtml\Promo\Widget\Chooser\Sku (which generates the product grid HTML and JavaScript). This block's method “getGridUrl” generates URLs with the route 'catalog_rule/*/chooser', so all requests for updating the products grid data lead to the CatalogRule module controller. But the current user has no access to CatalogRule routes, so they get a 403 response.



Solution

Modify the Magento\CatalogRule\Block\Adminhtml\Promo\Widget\Chooser\Sku::getGridUrl() method. Change the route parameter which it passes to the “getUrl” method from “catalog_rule/*/chooser” to “*/*/chooser”.

@sergiy-v sergiy-v requested a review from rogyar May 9, 2018 11:34
@magento-engcom-team magento-engcom-team added this to the May 2018 milestone May 9, 2018
@magento-engcom-team magento-engcom-team added Release Line: 2.1 Partner: Atwix Pull Request is created by partner Atwix partners-contribution Pull Request is created by Magento Partner labels May 9, 2018
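
A simplified model of the reasoning in the PR description above, added here as an example and not taken from the PR or from Magento's code: a URL template with a hardcoded route prefix resolves into a module guarded by a different ACL resource, while wildcard segments stay on the current request's route. The controller name `promo_widget`, the ACL resource names and the helper functions are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Simplified model (not Magento code) of wildcard route resolution and the
// per-route ACL check described in the PR. Route, controller and ACL
// resource names below are assumptions made for illustration.

// ACL resource guarding each admin route front name (assumed mapping).
const ROUTE_ACL = [
    'catalog_rule' => 'Magento_CatalogRule::promo_catalog',
    'sales_rule'   => 'Magento_SalesRule::quote',
];

/** Replace each '*' segment with the matching segment of the current request. */
function resolveRoute(string $routePath, array $current): string
{
    $parts = explode('/', $routePath);
    foreach ($parts as $i => $part) {
        if ($part === '*') {
            $parts[$i] = $current[$i] ?? $part;
        }
    }
    return implode('/', $parts);
}

/** Return the HTTP status this model assigns to a resolved route. */
function dispatch(string $resolved, array $grantedAcl): int
{
    $front = explode('/', $resolved)[0];
    if (!array_key_exists($front, ROUTE_ACL)) {
        return 404; // route front name not known to the model
    }
    return in_array(ROUTE_ACL[$front], $grantedAcl, true) ? 200 : 403;
}

// Constructed scenario: the role may manage cart price rules only.
$granted = ['Magento_SalesRule::quote'];
// The grid is rendered while handling a sales_rule request (assumed path).
$current = ['sales_rule', 'promo_widget', 'chooser'];

foreach (['catalog_rule/*/chooser', '*/*/chooser'] as $template) {
    $resolved = resolveRoute($template, $current);
    printf("%-24s -> %-34s HTTP %d\n", $template, $resolved, dispatch($resolved, $granted));
}
```

The model covers only the ACL reasoning in the description; the review comment on this page reports a different result when the change was tested.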
@VladimirZaets

Hi @sergiy-v.
The current PR doesn't fix the problem.

Steps to reproduce:
1. Go To Magento Admin
2. Create New User Role and grant to it permission for Shopping Cart rules, but NOT for Catalog Price Rules
3. Create New user and assign to created role
4. Login to Admin with new user
5. Go to Shopping Cart rules
6. Go to Conditions Section and create sub-selection of products with "SKU is:" and try to choose products

Expected result:
Product grid is shown

Actual result:
Redirecting to admin/sales_rule/ page with 404 Error

sidolov commented May 30, 2018

@sergiy-v, I am closing this PR now due to inactivity.
Please reopen and update if you wish to continue.
Thank you for the collaboration!

@sidolov sidolov closed this May 30, 2018
@sergiy-v sergiy-v deleted the feature/acl-shopping-rules-fix branch February 28, 2020 06:28

Labels

Partner: Atwix Pull Request is created by partner Atwix partners-contribution Pull Request is created by Magento Partner Progress: needs update Release Line: 2.1
