MAGETWO-85040: Magento 2.2.3 Publication

Author: omiroshnichenko

app/code/Magento/Backend/Block/Cache.php

@@ -22,24 +22,29 @@ protected function _construct()
         $this->_headerText = __('Cache Storage Management');
         parent::_construct();
         $this->buttonList->remove('add');
-        $this->buttonList->add(
-            'flush_magento',
-            [
-                'label' => __('Flush Magento Cache'),
-                'onclick' => 'setLocation(\'' . $this->getFlushSystemUrl() . '\')',
-                'class' => 'primary flush-cache-magento'
-            ]
-        );
 
-        $message = __('The cache storage may contain additional data. Are you sure that you want to flush it?');
-        $this->buttonList->add(
-            'flush_system',
-            [
-                'label' => __('Flush Cache Storage'),
-                'onclick' => 'confirmSetLocation(\'' . $message . '\', \'' . $this->getFlushStorageUrl() . '\')',
-                'class' => 'flush-cache-storage'
-            ]
-        );
+        if ($this->_authorization->isAllowed('Magento_Backend::flush_magento_cache')) {
+            $this->buttonList->add(
+                'flush_magento',
+                [
+                    'label' => __('Flush Magento Cache'),
+                    'onclick' => 'setLocation(\'' . $this->getFlushSystemUrl() . '\')',
+                    'class' => 'primary flush-cache-magento'
+                ]
+            );
+        }
+
+        if ($this->_authorization->isAllowed('Magento_Backend::flush_cache_storage')) {
+            $message = __('The cache storage may contain additional data. Are you sure that you want to flush it?');
+            $this->buttonList->add(
+                'flush_system',
+                [
+                    'label' => __('Flush Cache Storage'),
+                    'onclick' => 'confirmSetLocation(\'' . $message . '\', \'' . $this->getFlushStorageUrl() . '\')',
+                    'class' => 'flush-cache-storage'
+                ]
+            );
+        }
     }
 
     /**

app/code/Magento/Backend/Block/Cache/Permissions.php

@@ -0,0 +1,62 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Backend\Block\Cache;
+
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\View\Element\Block\ArgumentInterface;
+
+/**
+ * Class Permissions
+ */
+class Permissions implements ArgumentInterface
+{
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     * Permissions constructor.
+     *
+     * @param AuthorizationInterface $authorization
+     */
+    public function __construct(AuthorizationInterface $authorization)
+    {
+        $this->authorization = $authorization;
+    }
+
+    /**
+     * @return bool
+     */
+    public function hasAccessToFlushCatalogImages()
+    {
+        return $this->authorization->isAllowed('Magento_Backend::flush_catalog_images');
+    }
+    /**
+     * @return bool
+     */
+    public function hasAccessToFlushJsCss()
+    {
+        return $this->authorization->isAllowed('Magento_Backend::flush_js_css');
+    }
+    /**
+     * @return bool
+     */
+    public function hasAccessToFlushStaticFiles()
+    {
+        return $this->authorization->isAllowed('Magento_Backend::flush_static_files');
+    }
+    /**
+     * @return bool
+     */
+    public function hasAccessToAdditionalActions()
+    {
+        return ($this->hasAccessToFlushCatalogImages()
+                || $this->hasAccessToFlushJsCss()
+                || $this->hasAccessToFlushStaticFiles());
+    }
+}

app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/Date.php

@@ -127,7 +127,7 @@ public function getHtml()
 
     /**
      * @param string|null $index
-     * @return string
+     * @return array|string|int|float|null
      */
     public function getEscapedValue($index = null)
     {
@@ -138,6 +138,11 @@ public function getEscapedValue($index = null)
                 $this->_localeDate->getDateFormat(\IntlDateFormatter::SHORT)
             );
         }
+
+        if (is_string($value)) {
+            return $this->escapeHtml($value);
+        }
+
         return $value;
     }
 

app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/Datetime.php

@@ -140,8 +140,8 @@ public function getHtml()
     /**
      * Return escaped value for calendar
      *
-     * @param string $index
-     * @return string
+     * @param string|null $index
+     * @return array|string|int|float|null
      */
     public function getEscapedValue($index = null)
     {
@@ -150,6 +150,11 @@ public function getEscapedValue($index = null)
             if ($value instanceof \DateTimeInterface) {
                 return $this->_localeDate->formatDateTime($value);
             }
+
+            if (is_string($value)) {
+                return $this->escapeHtml($value);
+            }
+            
             return $value;
         }
 

app/code/Magento/Backend/Block/Widget/Grid/Massaction.php

@@ -3,8 +3,15 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+
 namespace Magento\Backend\Block\Widget\Grid;
 
+use Magento\Backend\Block\Template\Context;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\DataObject;
+use Magento\Framework\Json\EncoderInterface;
+
 /**
  * Grid widget massaction default block
  *
@@ -14,4 +21,72 @@
  */
 class Massaction extends \Magento\Backend\Block\Widget\Grid\Massaction\AbstractMassaction
 {
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     * Map bind item id to a particular acl type
+     * itemId => acl
+     *
+     * @var array
+     */
+    private $restrictions = [
+        'enable'  => 'Magento_Backend::toggling_cache_type',
+        'disable' => 'Magento_Backend::toggling_cache_type',
+        'refresh' => 'Magento_Backend::refresh_cache_type',
+    ];
+
+    /**
+     * Massaction constructor.
+     *
+     * @param Context $context
+     * @param EncoderInterface $jsonEncoder
+     * @param array $data
+     * @param AuthorizationInterface $authorization
+     */
+    public function __construct(
+        Context $context,
+        EncoderInterface $jsonEncoder,
+        array $data = [],
+        AuthorizationInterface $authorization = null
+    ) {
+        $this->authorization = $authorization ?: ObjectManager::getInstance()->get(AuthorizationInterface::class);
+
+        parent::__construct($context, $jsonEncoder, $data);
+    }
+
+    /**
+     * {@inheritdoc}
+     *
+     * @param string $itemId
+     * @param array|DataObject $item
+     *
+     * @return $this
+     */
+    public function addItem($itemId, $item)
+    {
+        if (!$this->isRestricted($itemId)) {
+            parent::addItem($itemId, $item);
+        }
+
+        return $this;
+    }
+
+    /**
+     * Check if access to action restricted
+     *
+     * @param string $itemId
+     *
+     * @return bool
+     */
+    private function isRestricted(string $itemId): bool
+    {
+        if (!key_exists($itemId, $this->restrictions)) {
+            return false;
+        }
+
+        return !$this->authorization->isAllowed($this->restrictions[$itemId]);
+    }
 }

app/code/Magento/Backend/Controller/Adminhtml/Cache/CleanImages.php

@@ -11,6 +11,13 @@
 
 class CleanImages extends \Magento\Backend\Controller\Adminhtml\Cache
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    const ADMIN_RESOURCE = 'Magento_Backend::flush_catalog_images';
+
     /**
      * Clean JS/css files cache
      *

app/code/Magento/Backend/Controller/Adminhtml/Cache/CleanMedia.php

@@ -11,6 +11,13 @@
 
 class CleanMedia extends \Magento\Backend\Controller\Adminhtml\Cache
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    const ADMIN_RESOURCE = 'Magento_Backend::flush_js_css';
+
     /**
      * Clean JS/css files cache
      *

app/code/Magento/Backend/Controller/Adminhtml/Cache/CleanStaticFiles.php

@@ -10,6 +10,13 @@
 
 class CleanStaticFiles extends \Magento\Backend\Controller\Adminhtml\Cache
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    const ADMIN_RESOURCE = 'Magento_Backend::flush_static_files';
+
     /**
      * Clean static files cache
      *

app/code/Magento/Backend/Controller/Adminhtml/Cache/FlushAll.php

@@ -8,6 +8,13 @@
 
 class FlushAll extends \Magento\Backend\Controller\Adminhtml\Cache
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    const ADMIN_RESOURCE = 'Magento_Backend::flush_cache_storage';
+
     /**
      * Flush cache storage
      *

app/code/Magento/Backend/Controller/Adminhtml/Cache/FlushSystem.php

@@ -8,6 +8,13 @@
 
 class FlushSystem extends \Magento\Backend\Controller\Adminhtml\Cache
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    const ADMIN_RESOURCE = 'Magento_Backend::flush_magento_cache';
+
     /**
      * Flush all magento cache
      *

app/code/Magento/Backend/Controller/Adminhtml/Cache/MassDisable.php

@@ -16,6 +16,13 @@
  */
 class MassDisable extends \Magento\Backend\Controller\Adminhtml\Cache
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    const ADMIN_RESOURCE = 'Magento_Backend::toggling_cache_type';
+
     /**
      * @var State
      */

app/code/Magento/Backend/Controller/Adminhtml/Cache/MassEnable.php

@@ -16,6 +16,13 @@
  */
 class MassEnable extends \Magento\Backend\Controller\Adminhtml\Cache
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    const ADMIN_RESOURCE = 'Magento_Backend::toggling_cache_type';
+
     /**
      * @var State
      */

app/code/Magento/Backend/Controller/Adminhtml/Cache/MassRefresh.php

@@ -11,6 +11,13 @@
 
 class MassRefresh extends \Magento\Backend\Controller\Adminhtml\Cache
 {
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    const ADMIN_RESOURCE = 'Magento_Backend::refresh_cache_type';
+
     /**
      * Mass action for cache refresh
      *