Magento Release 2.4.4-p11

app/code/Magento/AdminAnalytics/ViewModel/Metadata.php

@@ -9,7 +9,9 @@
 namespace Magento\AdminAnalytics\ViewModel;
 
 use Magento\Config\Model\Config\Backend\Admin\Custom;
+use Magento\Csp\Helper\CspNonceProvider;
 use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\App\ProductMetadataInterface;
 use Magento\Backend\Model\Auth\Session;
 use Magento\Framework\App\State;
@@ -21,6 +23,11 @@
  */
 class Metadata implements ArgumentInterface
 {
+    /**
+     * @var string
+     */
+    private $nonce;
+
     /**
      * @var State
      */
@@ -41,22 +48,33 @@ class Metadata implements ArgumentInterface
      */
     private $config;
 
+    /**
+     * @var CspNonceProvider
+     */
+    private $nonceProvider;
+
     /**
      * @param ProductMetadataInterface $productMetadata
      * @param Session $authSession
      * @param State $appState
      * @param ScopeConfigInterface $config
+     * @param CspNonceProvider|null $nonceProvider
      */
     public function __construct(
         ProductMetadataInterface $productMetadata,
         Session $authSession,
         State $appState,
-        ScopeConfigInterface $config
+        ScopeConfigInterface $config,
+        CspNonceProvider $nonceProvider = null
     ) {
         $this->productMetadata = $productMetadata;
         $this->authSession = $authSession;
         $this->appState = $appState;
         $this->config = $config;
+
+        $this->nonceProvider = $nonceProvider ?: ObjectManager::getInstance()->get(CspNonceProvider::class);
+
+        $this->nonce = $this->nonceProvider->generateNonce();
     }
 
     /**
@@ -156,4 +174,14 @@ public function getCurrentUserRoleName(): string
     {
         return $this->authSession->getUser()->getRole()->getRoleName();
     }
+
+    /**
+     * Get a random nonce for each request.
+     *
+     * @return string
+     */
+    public function getNonce(): string
+    {
+        return $this->nonce;
+    }
 }

app/code/Magento/AdminAnalytics/composer.json

@@ -1,23 +1,25 @@
 {
     "name": "magento/module-admin-analytics",
     "description": "N/A",
+    "type": "magento2-module",
+    "license": [
+        "OSL-3.0",
+        "AFL-3.0"
+    ],
     "config": {
         "sort-packages": true
     },
+    "version": "100.4.4-p9",
     "require": {
         "php": "~7.4.0||~8.1.0",
-        "magento/framework": "*",
-        "magento/module-backend": "*",
-        "magento/module-config": "*",
-        "magento/module-store": "*",
-        "magento/module-ui": "*",
-        "magento/module-release-notification": "*"
+        "magento/framework": "103.0.*",
+        "magento/module-backend": "102.0.*",
+        "magento/module-config": "101.2.*",
+        "magento/module-store": "101.1.*",
+        "magento/module-ui": "101.2.*",
+        "magento/module-release-notification": "100.4.*",
+        "magento/module-csp": "100.4.*"
     },
-    "type": "magento2-module",
-    "license": [
-        "OSL-3.0",
-        "AFL-3.0"
-    ],
     "autoload": {
         "files": [
             "registration.php"
@@ -27,3 +29,4 @@
         }
     }
 }
+

app/code/Magento/AdminAnalytics/view/adminhtml/templates/tracking.phtml

@@ -6,6 +6,7 @@
 
 /**
  * @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
+ * @var \Magento\Framework\Escaper $escaper
  */
 ?>
 
@@ -22,18 +23,25 @@
 <?php
 /** @var \Magento\AdminAnalytics\ViewModel\Metadata $metadata */
 $metadata = $block->getMetadata();
+$nonce = $escaper->escapeJs($metadata->getNonce());
 $scriptString = '
     var adminAnalyticsMetadata = {
-        "secure_base_url": "' . $block->escapeJs($metadata->getSecureBaseUrlForScope()) . '",
-        "version": "' . $block->escapeJs($metadata->getMagentoVersion()) . '",
-        "product_edition": "' . $block->escapeJs($metadata->getProductEdition()) . '",
-        "user": "' . $block->escapeJs($metadata->getCurrentUser()) . '",
-        "mode": "' . $block->escapeJs($metadata->getMode()) . '",
-        "store_name_default": "' . $block->escapeJs($metadata->getStoreNameForScope()) . '",
-        "admin_user_created": "' . $block->escapeJs($metadata->getCurrentUserCreatedDate()) . '",
-        "admin_user_logdate": "' . $block->escapeJs($metadata->getCurrentUserLogDate()) . '",
-        "admin_user_role_name": "' . $block->escapeJs($metadata->getCurrentUserRoleName()) . '"
+        "secure_base_url": "' . $escaper->escapeJs($metadata->getSecureBaseUrlForScope()) . '",
+        "version": "' . $escaper->escapeJs($metadata->getMagentoVersion()) . '",
+        "product_edition": "' . $escaper->escapeJs($metadata->getProductEdition()) . '",
+        "user": "' . $escaper->escapeJs($metadata->getCurrentUser()) . '",
+        "mode": "' . $escaper->escapeJs($metadata->getMode()) . '",
+        "store_name_default": "' . $escaper->escapeJs($metadata->getStoreNameForScope()) . '",
+        "admin_user_created": "' . $escaper->escapeJs($metadata->getCurrentUserCreatedDate()) . '",
+        "admin_user_logdate": "' . $escaper->escapeJs($metadata->getCurrentUserLogDate()) . '",
+        "admin_user_role_name": "' . $escaper->escapeJs($metadata->getCurrentUserRoleName()) . '"
     };
+
+    var digitalData = {
+        "nonce": "' . $nonce . '"
+    };
+
+    var cspNonce = "' . $nonce . '";
 ';
 ?>
 <?= /* @noEscape */ $secureRenderer->renderTag('script', [], $scriptString, false); ?>

app/code/Magento/AdminNotification/Block/Grid/MassAction/MarkAsReadVisibility.php

@@ -0,0 +1,39 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\AdminNotification\Block\Grid\MassAction;
+
+use Magento\AdminNotification\Controller\Adminhtml\Notification\MarkAsRead;
+use Magento\Backend\Block\Widget\Grid\Massaction\VisibilityCheckerInterface;
+use Magento\Framework\AuthorizationInterface;
+
+/**
+ * Class checks if mark as read action can be displayed on massaction list
+ */
+class MarkAsReadVisibility implements VisibilityCheckerInterface
+{
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     * @param AuthorizationInterface $authorizationInterface
+     */
+    public function __construct(AuthorizationInterface $authorizationInterface)
+    {
+        $this->authorization = $authorizationInterface;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function isVisible()
+    {
+        return $this->authorization->isAllowed(MarkAsRead::ADMIN_RESOURCE);
+    }
+}

app/code/Magento/AdminNotification/Block/Grid/MassAction/RemoveVisibility.php

@@ -0,0 +1,39 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\AdminNotification\Block\Grid\MassAction;
+
+use Magento\AdminNotification\Controller\Adminhtml\Notification\Remove;
+use Magento\Backend\Block\Widget\Grid\Massaction\VisibilityCheckerInterface;
+use Magento\Framework\AuthorizationInterface;
+
+/**
+ * Class checks if remove action can be displayed on massaction list
+ */
+class RemoveVisibility implements VisibilityCheckerInterface
+{
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     * @param AuthorizationInterface $authorizationInterface
+     */
+    public function __construct(AuthorizationInterface $authorizationInterface)
+    {
+        $this->authorization = $authorizationInterface;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function isVisible()
+    {
+        return $this->authorization->isAllowed(Remove::ADMIN_RESOURCE);
+    }
+}

app/code/Magento/AdminNotification/Block/Grid/Renderer/Actions.php

@@ -1,15 +1,14 @@
 <?php
-declare(strict_types=1);
-
 /**
- * Adminhtml AdminNotification Severity Renderer
- *
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
 
 namespace Magento\AdminNotification\Block\Grid\Renderer;
 
+use Magento\AdminNotification\Controller\Adminhtml\Notification\MarkAsRead;
+use Magento\AdminNotification\Controller\Adminhtml\Notification\Remove;
 use Magento\Backend\Block\Context;
 use Magento\Backend\Block\Widget\Grid\Column\Renderer\AbstractRenderer;
 use Magento\Framework\App\ActionInterface;
@@ -45,33 +44,41 @@ public function __construct(Context $context, Data $urlHelper, array $data = [])
      */
     public function render(DataObject $row)
     {
-        $readDetailsHtml = $row->getUrl() ? '<a class="action-details" target="_blank" href="' .
+        $readDetailsHtml = $row->getUrl() ?
+            '<a class="action-details" target="_blank" href="' .
             $this->escapeUrl($row->getUrl())
             . '">' .
             __('Read Details') . '</a>' : '';
 
-        $markAsReadHtml = !$row->getIsRead() ? '<a class="action-mark" href="' . $this->getUrl(
-            '*/*/markAsRead/',
-            ['_current' => true, 'id' => $row->getNotificationId()]
-        ) . '">' . __(
-            'Mark as Read'
-        ) . '</a>' : '';
+        $markAsReadHtml = !$row->getIsRead()
+            && $this->_authorization->isAllowed(MarkAsRead::ADMIN_RESOURCE) ?
+            '<a class="action-mark" href="' . $this->escapeUrl($this->getUrl(
+                '*/*/markAsRead/',
+                ['_current' => true, 'id' => $row->getNotificationId()]
+            )) . '">' . __(
+                'Mark as Read'
+            ) . '</a>' : '';
+
+        $removeUrl = $this->getUrl(
+            '*/*/remove/',
+            [
+                '_current' => true,
+                'id' => $row->getNotificationId(),
+                ActionInterface::PARAM_NAME_URL_ENCODED => $this->_urlHelper->getEncodedUrl()
+            ]
+        );
+
+        $removeHtml = $this->_authorization->isAllowed(Remove::ADMIN_RESOURCE) ?
+            '<a class="action-delete" href="'
+            . $this->escapeUrl($removeUrl)
+            .'" onClick="deleteConfirm('. __('\'Are you sure?\'') .', this.href); return false;">'
+            . __('Remove') .  '</a>' : '';
 
-        $encodedUrl = $this->_urlHelper->getEncodedUrl();
         return sprintf(
-            '%s%s<a class="action-delete" href="%s" onClick="deleteConfirm(\'%s\', this.href); return false;">%s</a>',
+            '%s%s%s',
             $readDetailsHtml,
             $markAsReadHtml,
-            $this->getUrl(
-                '*/*/remove/',
-                [
-                    '_current' => true,
-                    'id' => $row->getNotificationId(),
-                    ActionInterface::PARAM_NAME_URL_ENCODED => $encodedUrl
-                ]
-            ),
-            __('Are you sure?'),
-            __('Remove')
+            $removeHtml,
         );
     }
 }

app/code/Magento/AdminNotification/Controller/Adminhtml/Notification/AjaxMarkAsRead.php

@@ -3,6 +3,8 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\AdminNotification\Controller\Adminhtml\Notification;
 
 use Magento\AdminNotification\Controller\Adminhtml\Notification;
@@ -21,6 +23,13 @@ class AjaxMarkAsRead extends Notification implements HttpPostActionInterface
      */
     private $notificationService;
 
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_AdminNotification::mark_as_read';
+
     /**
      * @param Action\Context $context
      * @param NotificationService $notificationService

app/code/Magento/AdminNotification/Test/Unit/Block/Grid/Renderer/ActionsTest.php

@@ -14,6 +14,7 @@
 
 use Magento\AdminNotification\Block\Grid\Renderer\Actions;
 use Magento\Backend\Block\Context;
+use Magento\Framework\AuthorizationInterface;
 use Magento\Framework\DataObject;
 use Magento\Framework\Escaper;
 use Magento\Framework\Url\Helper\Data;
@@ -35,16 +36,23 @@ protected function setUp(): void
 
         /** @var Escaper|MockObject $escaperMock */
         $escaperMock = $this->createMock(Escaper::class);
-        $escaperMock->expects($this->once())->method('escapeUrl')->willReturn('https://magento.com');
+        $escaperMock->expects($this->atLeastOnce())->method('escapeUrl')->willReturn('https://magento.com');
+
+        /** @var AuthorizationInterface|MockObject $authorizationMock */
+        $authorizationMock = $this->getMockForAbstractClass(AuthorizationInterface::class);
+        $authorizationMock->expects($this->atLeastOnce())
+            ->method('isAllowed')
+            ->willReturn(true);
 
         /** @var UrlInterface|MockObject $urlBuilder */
         $urlBuilder = $this->getMockForAbstractClass(UrlInterface::class);
         $urlBuilder->expects($this->once())->method('getUrl')->willReturn('http://magento.com');
 
         /** @var Context|MockObject $contextMock */
         $contextMock = $this->createMock(Context::class);
-        $contextMock->expects($this->once())->method('getEscaper')->willReturn($escaperMock);
+        $contextMock->expects($this->atLeastOnce())->method('getEscaper')->willReturn($escaperMock);
         $contextMock->expects($this->once())->method('getUrlBuilder')->willReturn($urlBuilder);
+        $contextMock->expects($this->once())->method('getAuthorization')->willReturn($authorizationMock);
 
         /** @var Data|MockObject $urlHelperMock */
         $urlHelperMock = $this->createMock(Data::class);
@@ -65,7 +73,7 @@ public function testShouldRenderMessageWhenUrlIsGiven() : void
         // Ignoring Code Style at this point due to the long HEREDOC
         // phpcs:disable
         $expected = <<<HTML
-<a class="action-details" target="_blank" href="https://magento.com">Read Details</a><a class="action-delete" href="http://magento.com" onClick="deleteConfirm('Are you sure?', this.href); return false;">Remove</a>
+<a class="action-details" target="_blank" href="https://magento.com">Read Details</a><a class="action-delete" href="https://magento.com" onClick="deleteConfirm('Are you sure?', this.href); return false;">Remove</a>
 HTML;
         // phpcs:enable