Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Admin user with restricted "order create" access can "view", "cancel", etc via API #20169

Closed
milindsingh opened this issue Jan 10, 2019 · 5 comments
Closed

Admin user with restricted "order create" access can "view", "cancel", etc via API #20169

milindsingh opened this issue Jan 10, 2019 · 5 comments
Assignees
@GovindaSharma
Labels
Component: Framework/Api USE ONLY for FRAMEWORK RELATED BUG! E.g If bug related to Catalog Service Contracts use just Catalog Fixed in 2.2.x The issue has been fixed in 2.2 release line Fixed in 2.3.x The issue has been fixed in 2.3 release line Issue: Clear Description Gate 2 Passed. Manual verification of the issue description passed Issue: Confirmed Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed Issue: Format is valid Gate 1 Passed. Automatic verification of issue format passed Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development Reproduced on 2.2.x The issue has been reproduced on latest 2.2 release Reproduced on 2.3.x The issue has been reproduced on latest 2.3 release

Comments

@milindsingh
Copy link
Member

milindsingh commented Jan 10, 2019
edited
Loading

Preconditions (*)

  1. Magento 2.3

Steps to reproduce (*)

  1. Create an Admin user with Order create access only. (as in image)
  2. Login to Admin panel and verify the access.
  3. Login to API via swagger and call the salesOrderRepositoryV1 and salesOrderManagementV1 API's.
    macklaber

Expected result (*)

  1. User can only create order neither view or cancel

Actual result (*)

  1. User have the complete order access

Additional Information

  • The same resource Magento_Sales::sales is assigned to all the actions.

    magento2/app/code/Magento/Sales/etc/webapi.xml

    Lines 8 to 280 in e62d140

    <routes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Webapi:etc/webapi.xsd">
    <route url="/V1/orders/:id" method="GET">
    <service class="Magento\Sales\Api\OrderRepositoryInterface" method="get"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/orders" method="GET">
    <service class="Magento\Sales\Api\OrderRepositoryInterface" method="getList"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/orders/:id/statuses" method="GET">
    <service class="Magento\Sales\Api\OrderManagementInterface" method="getStatus"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/orders/:id/cancel" method="POST">
    <service class="Magento\Sales\Api\OrderManagementInterface" method="cancel"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/orders/:id/emails" method="POST">
    <service class="Magento\Sales\Api\OrderManagementInterface" method="notify"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/orders/:id/hold" method="POST">
    <service class="Magento\Sales\Api\OrderManagementInterface" method="hold"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/orders/:id/unhold" method="POST">
    <service class="Magento\Sales\Api\OrderManagementInterface" method="unHold"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/orders/:id/comments" method="POST">
    <service class="Magento\Sales\Api\OrderManagementInterface" method="addComment"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/orders/:id/comments" method="GET">
    <service class="Magento\Sales\Api\OrderManagementInterface" method="getCommentsList"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/orders/create" method="PUT">
    <service class="Magento\Sales\Api\OrderRepositoryInterface" method="save"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/orders/:parent_id" method="PUT">
    <service class="Magento\Sales\Api\OrderAddressRepositoryInterface" method="save"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/orders/items/:id" method="GET">
    <service class="Magento\Sales\Api\OrderItemRepositoryInterface" method="get"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/orders/items" method="GET">
    <service class="Magento\Sales\Api\OrderItemRepositoryInterface" method="getList"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/invoices/:id" method="GET">
    <service class="Magento\Sales\Api\InvoiceRepositoryInterface" method="get"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/invoices" method="GET">
    <service class="Magento\Sales\Api\InvoiceRepositoryInterface" method="getList"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/invoices/:id/comments" method="GET">
    <service class="Magento\Sales\Api\InvoiceManagementInterface" method="getCommentsList"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/invoices/:id/emails" method="POST">
    <service class="Magento\Sales\Api\InvoiceManagementInterface" method="notify"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/invoices/:id/void" method="POST">
    <service class="Magento\Sales\Api\InvoiceManagementInterface" method="setVoid"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/invoices/:id/capture" method="POST">
    <service class="Magento\Sales\Api\InvoiceManagementInterface" method="setCapture"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/invoices/comments" method="POST">
    <service class="Magento\Sales\Api\InvoiceCommentRepositoryInterface" method="save"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/invoices/" method="POST">
    <service class="Magento\Sales\Api\InvoiceRepositoryInterface" method="save"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/invoice/:invoiceId/refund" method="POST">
    <service class="Magento\Sales\Api\RefundInvoiceInterface" method="execute"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/creditmemo/:id/comments" method="GET">
    <service class="Magento\Sales\Api\CreditmemoManagementInterface" method="getCommentsList"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/creditmemos" method="GET">
    <service class="Magento\Sales\Api\CreditmemoRepositoryInterface" method="getList"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/creditmemo/:id" method="GET">
    <service class="Magento\Sales\Api\CreditmemoRepositoryInterface" method="get"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/creditmemo/:id" method="PUT">
    <service class="Magento\Sales\Api\CreditmemoManagementInterface" method="cancel"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/creditmemo/:id/emails" method="POST">
    <service class="Magento\Sales\Api\CreditmemoManagementInterface" method="notify"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/creditmemo/refund" method="POST">
    <service class="Magento\Sales\Api\CreditmemoManagementInterface" method="refund"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/creditmemo/:id/comments" method="POST">
    <service class="Magento\Sales\Api\CreditmemoCommentRepositoryInterface" method="save"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/creditmemo" method="POST">
    <service class="Magento\Sales\Api\CreditmemoRepositoryInterface" method="save"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/order/:orderId/refund" method="POST">
    <service class="Magento\Sales\Api\RefundOrderInterface" method="execute"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/shipment/:id" method="GET">
    <service class="Magento\Sales\Api\ShipmentRepositoryInterface" method="get"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/shipments" method="GET">
    <service class="Magento\Sales\Api\ShipmentRepositoryInterface" method="getList"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/shipment/:id/comments" method="GET">
    <service class="Magento\Sales\Api\ShipmentManagementInterface" method="getCommentsList"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/shipment/:id/comments" method="POST">
    <service class="Magento\Sales\Api\ShipmentCommentRepositoryInterface" method="save"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/shipment/:id/emails" method="POST">
    <service class="Magento\Sales\Api\ShipmentManagementInterface" method="notify"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/shipment/track" method="POST">
    <service class="Magento\Sales\Api\ShipmentTrackRepositoryInterface" method="save"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/shipment/track/:id" method="DELETE">
    <service class="Magento\Sales\Api\ShipmentTrackRepositoryInterface" method="deleteById"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/shipment/" method="POST">
    <service class="Magento\Sales\Api\ShipmentRepositoryInterface" method="save"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/shipment/:id/label" method="GET">
    <service class="Magento\Sales\Api\ShipmentManagementInterface" method="getLabel"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/order/:orderId/ship" method="POST">
    <service class="Magento\Sales\Api\ShipOrderInterface" method="execute"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/orders/" method="POST">
    <service class="Magento\Sales\Api\OrderRepositoryInterface" method="save"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/transactions/:id" method="GET">
    <service class="Magento\Sales\Api\TransactionRepositoryInterface" method="get"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/transactions" method="GET">
    <service class="Magento\Sales\Api\TransactionRepositoryInterface" method="getList"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    <route url="/V1/order/:orderId/invoice" method="POST">
    <service class="Magento\Sales\Api\InvoiceOrderInterface" method="execute"/>
    <resources>
    <resource ref="Magento_Sales::sales" />
    </resources>
    </route>
    </routes>

  • While the different level of resources are available in the Sales module acl.xml.

    magento2/app/code/Magento/Sales/etc/acl.xml

    Lines 1 to 54 in d7ac52b

    <?xml version="1.0"?>
    <!--
    /**
    * Copyright © Magento, Inc. All rights reserved.
    * See COPYING.txt for license details.
    */
    -->
    <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
    <acl>
    <resources>
    <resource id="Magento_Backend::admin">
    <resource id="Magento_Sales::sales" title="Sales" translate="title" sortOrder="20">
    <resource id="Magento_Sales::sales_operation" title="Operations" translate="title" sortOrder="10">
    <resource id="Magento_Sales::sales_order" title="Orders" translate="title" sortOrder="10">
    <resource id="Magento_Sales::actions" title="Actions" translate="title" sortOrder="10">
    <resource id="Magento_Sales::create" title="Create" translate="title" sortOrder="10" />
    <resource id="Magento_Sales::actions_view" title="View" translate="title" sortOrder="20" />
    <resource id="Magento_Sales::email" title="Send Order Email" translate="title" sortOrder="30" />
    <resource id="Magento_Sales::reorder" title="Reorder" translate="title" sortOrder="40" />
    <resource id="Magento_Sales::actions_edit" title="Edit" translate="title" sortOrder="50" />
    <resource id="Magento_Sales::cancel" title="Cancel" translate="title" sortOrder="60" />
    <resource id="Magento_Sales::review_payment" title="Accept or Deny Payment" translate="title" sortOrder="70" />
    <resource id="Magento_Sales::capture" title="Capture" translate="title" sortOrder="80" />
    <resource id="Magento_Sales::invoice" title="Invoice" translate="title" sortOrder="90" />
    <resource id="Magento_Sales::creditmemo" title="Credit Memos" translate="title" sortOrder="100" />
    <resource id="Magento_Sales::hold" title="Hold" translate="title" sortOrder="110" />
    <resource id="Magento_Sales::unhold" title="Unhold" translate="title" sortOrder="120" />
    <resource id="Magento_Sales::ship" title="Ship" translate="title" sortOrder="130" />
    <resource id="Magento_Sales::comment" title="Comment" translate="title" sortOrder="140" />
    <resource id="Magento_Sales::emails" title="Send Sales Emails" translate="title" sortOrder="150" />
    </resource>
    </resource>
    <resource id="Magento_Sales::sales_invoice" title="Invoices" translate="title" sortOrder="20" />
    <resource id="Magento_Sales::shipment" title="Shipments" translate="title" sortOrder="30" />
    <resource id="Magento_Sales::sales_creditmemo" title="Credit Memos" translate="title" sortOrder="40" />
    <resource id="Magento_Sales::transactions" title="Transactions" translate="title" sortOrder="70">
    <resource id="Magento_Sales::transactions_fetch" title="Fetch" translate="title" sortOrder="10" />
    </resource>
    </resource>
    </resource>
    <resource id="Magento_Backend::stores">
    <resource id="Magento_Backend::stores_settings">
    <resource id="Magento_Sales::order_statuses" title="Order Status" translate="title" sortOrder="40" />
    <resource id="Magento_Config::config">
    <resource id="Magento_Sales::config_sales" title="Sales Section" translate="title" sortOrder="60" />
    <resource id="Magento_Sales::sales_email" title="Sales Emails Section" translate="title" sortOrder="65" />
    <resource id="Magento_Sales::sales_pdf" title="PDF Print-outs" sortOrder="66" />
    </resource>
    </resource>
    </resource>
    </resource>
    </resources>
    </acl>
    </config>

@magento-engcom-team
Copy link
Contributor

Hi @milindsingh. Thank you for your report.
To help us process this issue please make sure that you provided the following information:

  • Summary of the issue
  • Information on your environment
  • Steps to reproduce
  • Expected and actual results

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento-engcom-team give me $VERSION instance

where $VERSION is version tags (starting from 2.2.0+) or develop branches (for example: 2.3-develop).
For more details, please, review the Magento Contributor Assistant documentation.

@milindsingh do you confirm that you was able to reproduce the issue on vanilla Magento instance following steps to reproduce?

  • yes
  • no

@magento-engcom-team magento-engcom-team added the Issue: Format is valid Gate 1 Passed. Automatic verification of issue format passed label Jan 10, 2019
@milindsingh milindsingh mentioned this issue Jan 10, 2019
Merged
4 tasks
@GovindaSharma GovindaSharma self-assigned this Jan 10, 2019
@magento-engcom-team
Copy link
Contributor

magento-engcom-team commented Jan 10, 2019
edited by GovindaSharma
Loading

Hi @GovindaSharma. Thank you for working on this issue.
In order to make sure that issue has enough information and ready for development, please read and check the following instruction: 👇

  • 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

    DetailsIf the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

  • 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

  • 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

  • 4. Verify that the issue is reproducible on 2.3-develop branch

    Details- Add the comment @magento-engcom-team give me 2.3-develop instance to deploy test instance on Magento infrastructure.
    - If the issue is reproducible on 2.3-develop branch, please, add the label Reproduced on 2.3.x.
    - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

  • 5. Verify that the issue is reproducible on 2.2-develop branch.

    Details- Add the comment @magento-engcom-team give me 2.2-develop instance to deploy test instance on Magento infrastructure.
    - If the issue is reproducible on 2.2-develop branch, please add the label Reproduced on 2.2.x

  • 6. Add label Issue: Confirmed once verification is complete.

  • 7. Make sure that automatic system confirms that report has been added to the backlog.

@GovindaSharma GovindaSharma added Issue: Clear Description Gate 2 Passed. Manual verification of the issue description passed Component: Framework/Api USE ONLY for FRAMEWORK RELATED BUG! E.g If bug related to Catalog Service Contracts use just Catalog Reproduced on 2.3.x The issue has been reproduced on latest 2.3 release Issue: Confirmed Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed labels Jan 10, 2019
@magento-engcom-team
Copy link
Contributor

@GovindaSharma Thank you for verifying the issue. Based on the provided information internal tickets MAGETWO-97550 were created

@magento-engcom-team magento-engcom-team added the Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development label Jan 10, 2019
@milindsingh milindsingh added the Reproduced on 2.2.x The issue has been reproduced on latest 2.2 release label Jan 10, 2019
@magento-engcom-team
Copy link
Contributor

Hi @milindsingh. Thank you for your report.
The issue has been fixed in #20170 by @milindsingh in 2.3-develop branch
Related commit(s):

The fix will be available with the upcoming 2.3.1 release.

@magento-engcom-team magento-engcom-team added the Fixed in 2.3.x The issue has been fixed in 2.3 release line label Jan 23, 2019
magento-engcom-team added a commit that referenced this issue Jan 23, 2019
@magento-engcom-team
ENGCOM-3834: Order API resources updated. #20169 #20170
ab281a7 
 - Merge Pull Request #20170 from cedcommerce/magento2:2.3-develop-order-api-resource-update
 - Merged commits:
   1. 4b0eeb6
magento-engcom-team pushed a commit that referenced this issue Jan 23, 2019
@sidolov
ENGCOM-3834: Order API resources updated. #20169 #20170
5306a5b
@irajneeshgupta irajneeshgupta mentioned this issue Jan 23, 2019
Merged
4 tasks
@amol2jcommerce amol2jcommerce mentioned this issue Jan 23, 2019
Merged
4 tasks
amol2jcommerce pushed a commit to amol2jcommerce/magento2 that referenced this issue Jan 23, 2019
Merge pull request #3 from amol2jcommerce/2.2-develop-PR-port-20170
abb6933 
[Backport] Order API resources updated. magento#20169
@sidolov
Copy link
Contributor

sidolov commented Jan 31, 2019

Hi @milindsingh. Thank you for your report.
The issue has been fixed in #20542 by @irajneeshgupta in 2.2-develop branch
Related commit(s):

The fix will be available with the upcoming 2.2.8 release.

@sidolov sidolov added the Fixed in 2.2.x The issue has been fixed in 2.2 release line label Jan 31, 2019
magento-engcom-team added a commit that referenced this issue Jan 31, 2019
@magento-engcom-team
ENGCOM-3999: [Backport] Order API resources updated. #20169 #20542
974c89f 
 - Merge Pull Request #20542 from irajneeshgupta/magento2:2.2-develop-PR-port-20170
 - Merged commits:
   1. d47fe01
magento-engcom-team pushed a commit that referenced this issue Jan 31, 2019
@sidolov
ENGCOM-3999: [Backport] Order API resources updated. #20169 #20542
36f6a8f
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@GovindaSharma GovindaSharma

Labels
Component: Framework/Api USE ONLY for FRAMEWORK RELATED BUG! E.g If bug related to Catalog Service Contracts use just Catalog Fixed in 2.2.x The issue has been fixed in 2.2 release line Fixed in 2.3.x The issue has been fixed in 2.3 release line Issue: Clear Description Gate 2 Passed. Manual verification of the issue description passed Issue: Confirmed Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed Issue: Format is valid Gate 1 Passed. Automatic verification of issue format passed Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development Reproduced on 2.2.x The issue has been reproduced on latest 2.2 release Reproduced on 2.3.x The issue has been reproduced on latest 2.3 release
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sidolov @milindsingh @GovindaSharma @magento-engcom-team