Merge pull request #10045 from magento-cia/cia-2.4.9-alpha3-develop-bugfix-08252025

Cia 2.4.9 alpha3 develop Bugfix Delivery

Author: mrprabhu92

app/code/Magento/LoginAsCustomer/Model/ResourceModel/DeleteAuthenticationDataForListOfUser.php

@@ -0,0 +1,47 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\LoginAsCustomer\Model\ResourceModel;
+
+use Magento\Framework\App\ResourceConnection;
+use Magento\LoginAsCustomerApi\Api\DeleteAuthenticationDataForListOfUserInterface;
+
+/**
+ * @inheritdoc
+ */
+class DeleteAuthenticationDataForListOfUser implements DeleteAuthenticationDataForListOfUserInterface
+{
+    /**
+     * @var ResourceConnection
+     */
+    private $resourceConnection;
+
+    /**
+     * @param ResourceConnection $resourceConnection
+     */
+    public function __construct(
+        ResourceConnection $resourceConnection
+    ) {
+        $this->resourceConnection = $resourceConnection;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function execute(array $userIds): void
+    {
+        $connection = $this->resourceConnection->getConnection();
+        $tableName = $this->resourceConnection->getTableName('login_as_customer');
+
+        $connection->delete(
+            $tableName,
+            [
+                'admin_id IN (?)' => $userIds
+            ]
+        );
+    }
+}

app/code/Magento/LoginAsCustomer/Model/Validator/UserRolePermission.php

@@ -0,0 +1,112 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+namespace Magento\LoginAsCustomer\Model\Validator;
+
+use Magento\Authorization\Model\Rules;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\User\Model\User as UserModel;
+use Magento\Authorization\Model\Acl\AclRetriever;
+use Magento\LoginAsCustomerApi\Api\ConfigInterface as LoginAsCustomerConfig;
+use Magento\Framework\Acl\RootResource;
+
+/**
+ * User role permission validator
+ */
+class UserRolePermission
+{
+    /**
+     * @var string
+     */
+    private const ACL_RESOURCE = 'Magento_LoginAsCustomer::login';
+
+    /**
+     * @param AclRetriever $aclRetriever
+     * @param LoginAsCustomerConfig $config
+     * @param RootResource $rootResource
+     */
+    public function __construct(
+        private readonly AclRetriever $aclRetriever,
+        private readonly LoginAsCustomerConfig $config,
+        private readonly RootResource $rootResource
+    ) {
+    }
+
+    /**
+     * Validate User role with specific resource
+     *
+     * @param Rules $rule
+     * @return array []
+     */
+    public function validateRoles(Rules $rule): array
+    {
+        $resources = $rule->getResources();
+        $resources = is_array($resources) ? $resources : [];
+
+        if (!in_array(self::ACL_RESOURCE, $resources, true) &&
+            !in_array($this->rootResource->getId(), $resources, true)
+        ) {
+            $adminUsers = $rule->getRoleAssignedUsers();
+            $adminUsers = is_array($adminUsers) ? $adminUsers : [];
+            if (!empty($adminUsers)) {
+                return $adminUsers;
+            }
+        }
+
+        return [];
+    }
+
+    /**
+     * Validate User with specific permission
+     *
+     * @param UserModel $result
+     * @param int|null $oldRoleId
+     * @return bool
+     * @throws LocalizedException
+     */
+    public function validateUser(UserModel $result, ?int $oldRoleId): bool
+    {
+        $newRoleId = (int) $result->getRoleId();
+        return $oldRoleId !== $newRoleId
+            && $this->roleHasResource($newRoleId, self::ACL_RESOURCE);
+    }
+
+    /**
+     * Check if role has specific resource
+     *
+     * @param int $roleId
+     * @param string $resourceId
+     * @return bool
+     * @throws LocalizedException
+     */
+    private function roleHasResource(int $roleId, string $resourceId): bool
+    {
+        if (!$this->config->isEnabled()) {
+            return false;
+        }
+
+        $resources = $this->getRoleResources($roleId);
+        $resourceSet = array_flip($resources);
+
+        return !isset($resourceSet[$resourceId]) && !isset($resourceSet[$this->rootResource->getId()]);
+    }
+
+    /**
+     * Get allowed resources for a role
+     *
+     * @param int $roleId
+     * @return array
+     * @throws LocalizedException
+     */
+    private function getRoleResources(int $roleId): array
+    {
+        try {
+            return $this->aclRetriever->getAllowedResourcesByRole($roleId);
+        } catch (\Exception $e) {
+            throw new LocalizedException(__('An error occurred while saving this user.'));
+        }
+    }
+}

app/code/Magento/LoginAsCustomer/Plugin/Authorization/Model/ResourceModel/RulesPlugin.php

@@ -0,0 +1,70 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\LoginAsCustomer\Plugin\Authorization\Model\ResourceModel;
+
+use Exception;
+use Magento\Authorization\Model\Rules;
+use Magento\Authorization\Model\ResourceModel\Rules as Subject;
+use Magento\LoginAsCustomerApi\Api\DeleteAuthenticationDataForListOfUserInterface;
+use Magento\LoginAsCustomer\Model\Validator\UserRolePermission;
+use Psr\Log\LoggerInterface;
+
+/**
+ * Detect current users resources change
+ *
+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
+ */
+class RulesPlugin
+{
+    /**
+     * @param DeleteAuthenticationDataForListOfUserInterface $deleteAuthenticationDataForListOfUser
+     * @param UserRolePermission $validator
+     * @param LoggerInterface $logger
+     */
+    public function __construct(
+        private readonly DeleteAuthenticationDataForListOfUserInterface $deleteAuthenticationDataForListOfUser,
+        private readonly UserRolePermission $validator,
+        private readonly LoggerInterface $logger
+    ) {
+    }
+
+    /**
+     * Terminate 'Login as Customer' sessions when related permissions are revoked.
+     *
+     * @param Subject $subject
+     * @param void $result
+     * @param Rules $rule
+     * @return void
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function afterSaveRel(Subject $subject, $result, Rules $rule): void
+    {
+        try {
+            $usersToTerminate = array_merge(
+                $this->validator->validateRoles($rule),
+                $this->ensureArray($rule->getRoleUnassignedUsers())
+            );
+            if ($usersToTerminate) {
+                $this->deleteAuthenticationDataForListOfUser->execute(array_unique($usersToTerminate));
+            }
+        } catch (Exception $e) {
+            $this->logger->error($e->getMessage());
+        }
+    }
+
+    /**
+     * Ensure a value is an array
+     *
+     * @param mixed $value
+     * @return array
+     */
+    private function ensureArray($value): array
+    {
+        return is_array($value) ? $value : [];
+    }
+}

app/code/Magento/LoginAsCustomer/Plugin/User/Model/User.php

@@ -0,0 +1,86 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\LoginAsCustomer\Plugin\User\Model;
+
+use Exception;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\LoginAsCustomerApi\Api\DeleteAuthenticationDataForUserInterface;
+use Magento\User\Api\Data\UserInterface;
+use Magento\User\Model\User as UserModel;
+use Magento\LoginAsCustomer\Model\Validator\UserRolePermission;
+use Psr\Log\LoggerInterface;
+
+/**
+ * Check whether role has been updated of existing user
+ *
+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
+ */
+class User
+{
+    /**
+     * @var array
+     */
+    private array $originalRoleIds = [];
+
+    /**
+     * @param DeleteAuthenticationDataForUserInterface $deleteAuthenticationDataForUser
+     * @param UserRolePermission $validator
+     * @param LoggerInterface $logger
+     */
+    public function __construct(
+        private readonly DeleteAuthenticationDataForUserInterface $deleteAuthenticationDataForUser,
+        private readonly UserRolePermission $validator,
+        private readonly LoggerInterface $logger
+    ) {
+    }
+
+    /**
+     * Capture original role ID before save
+     *
+     * @param UserModel $subject
+     * @return void
+     * @throws LocalizedException
+     */
+    public function beforeSave(UserModel $subject)
+    {
+        if ($subject->getId()) {
+            // Get current role IDs before save
+            $currentRoles = $subject->getRoles();
+            $this->originalRoleIds[(int) $subject->getId()] = $currentRoles ? (int) $currentRoles[0] : null;
+        }
+    }
+
+    /**
+     * Terminate 'Login as Customer' sessions when related permissions are revoked.
+     *
+     * @param UserInterface $subject
+     * @param UserModel $result
+     * @return UserModel
+     * @throws LocalizedException
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function afterSave(
+        UserInterface $subject,
+        UserModel $result
+    ) {
+        try {
+            if (!$result->getSkipRoleResourceValidation()) {
+                $userId = (int) $result->getId();
+                $oldRoleId = $this->originalRoleIds[$userId] ?? null;
+
+                if ($this->validator->validateUser($result, $oldRoleId)) {
+                    $this->deleteAuthenticationDataForUser->execute($userId);
+                }
+            }
+        } catch (Exception $e) {
+            $this->logger->error($e->getMessage());
+        }
+
+        return $result;
+    }
+}