ACP2E-3503: Automatic enabling of new ACL permissions

thiaramus · thiaramus · commit ad71f7a6928a · 2024-12-13T09:56:00.000-06:00
diff --git a/app/code/Magento/Authorization/Model/Acl/Loader/Rule.php b/app/code/Magento/Authorization/Model/Acl/Loader/Rule.php
@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2012 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
@@ -87,7 +87,7 @@ public function __construct(
     public function populateAcl(Acl $acl)
     {
         $result = $this->applyPermissionsAccordingToRules($acl);
-        $this->applyDenyPermissionsForMissingRules($acl, ...$result);
+        $this->denyPermissionsForMissingRules($acl, $result);
     }
 
     /**
@@ -98,56 +98,84 @@ public function populateAcl(Acl $acl)
      */
     private function applyPermissionsAccordingToRules(Acl $acl): array
     {
-        $foundResources = $foundDeniedRoles = [];
+        $appliedRolePermissionsPerResource = [];
         foreach ($this->getRulesArray() as $rule) {
             $role = $rule['role_id'];
             $resource = $rule['resource_id'];
             $privileges = !empty($rule['privileges']) ? explode(',', $rule['privileges']) : null;
 
             if ($acl->hasResource($resource)) {
-                $foundResources[$resource] = $resource;
+
+                $appliedRolePermissionsPerResource[$resource]['allow'] =
+                    $appliedRolePermissionsPerResource[$resource]['allow'] ?? [];
+                $appliedRolePermissionsPerResource[$resource]['deny'] =
+                    $appliedRolePermissionsPerResource[$resource]['deny'] ?? [];
+
                 if ($rule['permission'] == 'allow') {
                     if ($resource === $this->_rootResource->getId()) {
                         $acl->allow($role, null, $privileges);
                     }
                     $acl->allow($role, $resource, $privileges);
+                    $appliedRolePermissionsPerResource[$resource]['allow'][] = $role;
                 } elseif ($rule['permission'] == 'deny') {
-                    $foundDeniedRoles[$role] = $role;
                     $acl->deny($role, $resource, $privileges);
+                    $appliedRolePermissionsPerResource[$resource]['deny'][] = $role;
                 }
             }
         }
-        return [$foundResources, $foundDeniedRoles];
+
+        return $appliedRolePermissionsPerResource;
     }
 
     /**
-     * Apply deny permissions for missing rules
+     * Deny permissions for missing rules
      *
      * For all rules that were not regenerated in authorization_rule table,
      * when adding a new module and without re-saving all roles,
      * consider not present rules with deny permissions
      *
      * @param Acl $acl
-     * @param array $resources
-     * @param array $deniedRoles
+     * @param array $appliedRolePermissionsPerResource
      * @return void
      */
-    private function applyDenyPermissionsForMissingRules(
-        Acl $acl,
-        array $resources,
-        array $deniedRoles
+    private function denyPermissionsForMissingRules(
+        Acl   $acl,
+        array $appliedRolePermissionsPerResource,
     ) {
-        if (count($resources) && count($deniedRoles)
-            //ignore denying missing permission if all are allowed
-            && !(count($resources) === 1 && isset($resources[static::ALLOW_EVERYTHING]))
-        ) {
-            foreach ($acl->getResources() as $resource) {
-                if (!isset($resources[$resource])) {
-                    foreach ($deniedRoles as $role) {
-                        $acl->deny($role, $resource, null);
-                    }
+        $consolidatedDeniedRoleIds = array_unique(
+            array_merge(
+                ...array_column($appliedRolePermissionsPerResource, 'deny')
+            )
+        );
+
+        $hasAppliedPermissions = count($appliedRolePermissionsPerResource) > 0;
+        $hasDeniedRoles = count($consolidatedDeniedRoleIds) > 0;
+        $allAllowed = count($appliedRolePermissionsPerResource) === 1
+            && isset($appliedRolePermissionsPerResource[static::ALLOW_EVERYTHING]);
+
+        if ($hasAppliedPermissions && $hasDeniedRoles && !$allAllowed) {
+            // Add the resources that are not present in the rules at all,
+            // assuming that they must be denied for all roles by default
+            $resourcesUndefinedInAuthorizationRules =
+                array_diff($acl->getResources(), array_keys($appliedRolePermissionsPerResource));
+            $assumeDeniedRoleListPerResource =
+                array_fill_keys($resourcesUndefinedInAuthorizationRules, $consolidatedDeniedRoleIds);
+
+            // Add the resources that are permitted for one role and not present in others at all,
+            // assuming that they must be denied for all other roles by default
+            foreach ($appliedRolePermissionsPerResource as $resource => $permissions) {
+                $allowedRoles = $permissions['allow'];
+                $deniedRoles = $permissions['deny'];
+                $assumedDeniedRoles = array_diff($consolidatedDeniedRoleIds, $allowedRoles, $deniedRoles);
+                if ($assumedDeniedRoles) {
+                    $assumeDeniedRoleListPerResource[$resource] = $assumedDeniedRoles;
                 }
             }
+
+            // Deny permissions for missing rules
+            foreach ($assumeDeniedRoleListPerResource as $resource => $denyRoles) {
+                $acl->deny($denyRoles, $resource, null);
+            }
         }
     }
 
