ENGCOM-6433: Resolve Admin panel is not accessible after limited permissions set to at least one admin account issue25881 #25909

Author: VladimirZaets

app/code/Magento/Backend/Controller/Adminhtml/Denied/Index.php

@@ -0,0 +1,27 @@
+<?php
+/**
+ *
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Backend\Controller\Adminhtml\Denied;
+
+use Magento\Backend\Controller\Adminhtml\Denied;
+use Magento\Framework\App\Action\HttpGetActionInterface as HttpGet;
+use Magento\Framework\App\Action\HttpPostActionInterface as HttpPost;
+
+/**
+ * Denied Action
+ */
+class Index extends Denied implements HttpGet, HttpPost
+{
+    /**
+     * Check if user has permissions to access this controller
+     *
+     * @return bool
+     */
+    protected function _isAllowed()
+    {
+        return true;
+    }
+}

app/code/Magento/Backend/Model/Url.php

@@ -349,7 +349,7 @@ public function findFirstAvailableMenu()
             if ($user) {
                 $user->setHasAvailableResources(false);
             }
-            $action = '*/*/denied';
+            $action = '*/denied';
         }
         return $action;
     }

app/code/Magento/Backend/Test/Mftf/Test/AdminLoginWithRestrictPermissionTest.xml

@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<tests xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/testSchema.xsd">
+    <test name="AdminLoginWithRestrictPermissionTest">
+        <annotations>
+            <features value="Backend"/>
+            <title value="Login with restrict role."/>
+            <stories value="Login on the Admin Login page" />
+            <testCaseId value="MC-29321" />
+            <severity value="MAJOR" />
+            <description value="Check login with restrict role."/>
+            <group value="login"/>
+        </annotations>
+
+        <before>
+            <actionGroup ref="LoginAsAdmin" stepKey="logIn"/>
+            <!--Create user role-->
+            <actionGroup ref="AdminFillUserRoleRequiredDataActionGroup" stepKey="fillUserRoleRequiredData">
+                <argument name="User" value="adminRole"/>
+                <argument name="restrictedRole" value="Media Gallery"/>
+            </actionGroup>
+            <actionGroup ref="AdminUserClickRoleResourceTabActionGroup" stepKey="switchToRoleResourceTab"/>
+            <actionGroup ref="AdminAddRestrictedRoleActionGroup" stepKey="addRestrictedRoleStores">
+                <argument name="User" value="adminRole"/>
+                <argument name="restrictedRole" value="Media Gallery"/>
+            </actionGroup>
+            <actionGroup ref="AdminUserSaveRoleActionGroup" stepKey="saveRole"/>
+            <!--Create user and assign role to it-->
+            <actionGroup ref="AdminCreateUserActionGroup" stepKey="createAdminUser">
+                <argument name="role" value="adminRole"/>
+                <argument name="User" value="admin2"/>
+            </actionGroup>
+        </before>
+        <after>
+            <actionGroup ref="logout" stepKey="logoutAsSaleRoleUser"/>
+            <actionGroup ref="LoginAsAdmin" stepKey="loginAsAdmin"/>
+            <!--Delete created data-->
+            <actionGroup ref="AdminUserOpenAdminRolesPageActionGroup" stepKey="navigateToUserRoleGrid"/>
+            <actionGroup ref="AdminDeleteRoleActionGroup" stepKey="deleteUserRole">
+                <argument name="role" value="adminRole"/>
+            </actionGroup>
+            <actionGroup ref="AdminOpenAdminUsersPageActionGroup" stepKey="goToAllUsersPage"/>
+            <actionGroup ref="AdminDeleteNewUserActionGroup" stepKey="deleteUser">
+                <argument name="userName" value="{{admin2.username}}"/>
+            </actionGroup>
+        </after>
+        <!--Log out of admin and login with newly created user-->
+        <actionGroup ref="logout" stepKey="logoutOfAdmin"/>
+        <actionGroup ref="LoginAsAdmin" stepKey="loginAsNewUser">
+            <argument name="adminUser" value="admin2"/>
+        </actionGroup>
+        <actionGroup ref="AssertUserRoleRestrictedAccessActionGroup" stepKey="assertRestrictPage"/>
+    </test>
+</tests>

app/code/Magento/Backend/Test/Unit/Model/UrlTest.php

@@ -190,7 +190,7 @@ public function testFindFirstAvailableMenuDenied()
 
         $this->_menuMock->expects($this->any())->method('getFirstAvailableChild')->will($this->returnValue(null));
 
-        $this->assertEquals('*/*/denied', $this->_model->findFirstAvailableMenu());
+        $this->assertEquals('*/denied', $this->_model->findFirstAvailableMenu());
     }
 
     public function testFindFirstAvailableMenu()

app/code/Magento/User/Test/Mftf/ActionGroup/AdminUserClickRoleResourceTabActionGroup.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AdminUserClickRoleResourceTabActionGroup">
+        <annotations>
+            <description>Switch to role resource tab.</description>
+        </annotations>
+        <click selector="{{AdminEditRoleInfoSection.roleResourcesTab}}" stepKey="clickRoleResourcesTab" />
+    </actionGroup>
+</actionGroups>

app/code/Magento/User/Test/Mftf/ActionGroup/AdminUserOpenAdminRolesPageActionGroup.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AdminUserOpenAdminRolesPageActionGroup">
+        <annotations>
+            <description>Navigate to User Role Grid</description>
+        </annotations>
+        <amOnPage url="{{AdminRolesPage.url}}" stepKey="navigateToUserRoleGrid" />
+        <waitForPageLoad stepKey="waitForRolesGridLoad" />
+    </actionGroup>
+</actionGroups>

app/code/Magento/User/Test/Mftf/ActionGroup/AdminUserSaveRoleActionGroup.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AdminUserSaveRoleActionGroup">
+        <annotations>
+            <description>Click to Save Role</description>
+        </annotations>
+        <click selector="{{AdminEditRoleInfoSection.saveButton}}" stepKey="clickSaveRoleButton" />
+        <see userInput="You saved the role." stepKey="seeUserRoleSavedMessage"/>
+    </actionGroup>
+</actionGroups>