ACP2E-4114: Production ACL Permission Check caused Performance Degradation – populateAcl Method is the bottleneck

abukatar · abukatar · commit 692c8699a0da · 2025-08-29T13:54:18.000-07:00
diff --git a/app/code/Magento/Authorization/Model/Acl/AclRetriever.php b/app/code/Magento/Authorization/Model/Acl/AclRetriever.php
@@ -10,6 +10,7 @@
 use Magento\Authorization\Model\ResourceModel\Rules\CollectionFactory as RulesCollectionFactory;
 use Magento\Authorization\Model\Role;
 use Magento\Authorization\Model\UserContextInterface;
+use Magento\Framework\Acl\Role\CurrentRoleContext;
 use Magento\Framework\Acl\Builder as AclBuilder;
 use Magento\Framework\Exception\AuthorizationException;
 use Magento\Framework\Exception\LocalizedException;
@@ -44,24 +45,33 @@ class AclRetriever
      */
     protected $roleCollectionFactory;
 
+    /**
+     * @var CurrentRoleContext
+     */
+    private $currentRoleContext;
+
     /**
      * Initialize dependencies.
      *
      * @param AclBuilder $aclBuilder
      * @param RoleCollectionFactory $roleCollectionFactory
      * @param RulesCollectionFactory $rulesCollectionFactory
      * @param Logger $logger
+     * @param ?CurrentRoleContext $currentRoleContext
      */
     public function __construct(
         AclBuilder $aclBuilder,
         RoleCollectionFactory $roleCollectionFactory,
         RulesCollectionFactory $rulesCollectionFactory,
-        Logger $logger
+        Logger $logger,
+        ?CurrentRoleContext $currentRoleContext = null
     ) {
         $this->logger = $logger;
         $this->rulesCollectionFactory = $rulesCollectionFactory;
         $this->aclBuilder = $aclBuilder;
         $this->roleCollectionFactory = $roleCollectionFactory;
+        $this->currentRoleContext = $currentRoleContext ?: \Magento\Framework\App\ObjectManager::getInstance()
+            ->get(CurrentRoleContext::class);
     }
 
     /**
@@ -110,17 +120,26 @@ public function getAllowedResourcesByUser($userType, $userId)
      */
     public function getAllowedResourcesByRole($roleId)
     {
-        $allowedResources = [];
-        $rulesCollection = $this->rulesCollectionFactory->create();
-        $rulesCollection->getByRoles($roleId)->load();
-        $acl = $this->aclBuilder->getAcl();
-        /** @var \Magento\Authorization\Model\Rules $ruleItem */
-        foreach ($rulesCollection->getItems() as $ruleItem) {
-            $resourceId = $ruleItem->getResourceId();
-            if ($acl->hasResource($resourceId) && $acl->isAllowed($roleId, $resourceId)) {
-                $allowedResources[] = $resourceId;
+        try {
+            $allowedResources = [];
+            $rulesCollection = $this->rulesCollectionFactory->create();
+            $rulesCollection->getByRoles($roleId)->load();
+            if ($roleId && (int) $roleId !== $this->currentRoleContext->getRoleId()) {
+                $this->aclBuilder->resetRuntimeAcl();
+            }
+            $this->currentRoleContext->setRoleId((int) $roleId);
+            $acl = $this->aclBuilder->getAcl();
+            /** @var \Magento\Authorization\Model\Rules $ruleItem */
+            foreach ($rulesCollection->getItems() as $ruleItem) {
+                $resourceId = $ruleItem->getResourceId();
+                if ($acl->hasResource($resourceId) && $acl->isAllowed($roleId, $resourceId)) {
+                    $allowedResources[] = $resourceId;
+                }
             }
+        } finally {
+            $this->currentRoleContext->_resetState();
         }
+
         return $allowedResources;
     }
 
diff --git a/app/code/Magento/Authorization/Model/Acl/Loader/Rule.php b/app/code/Magento/Authorization/Model/Acl/Loader/Rule.php
@@ -11,6 +11,7 @@
 use Magento\Framework\Acl\Data\CacheInterface;
 use Magento\Framework\Acl\LoaderInterface;
 use Magento\Framework\Acl\RootResource;
+use Magento\Framework\Acl\Role\CurrentRoleContext;
 use Magento\Framework\App\ResourceConnection;
 use Magento\Framework\Serialize\Serializer\Json;
 
@@ -54,28 +55,38 @@ class Rule implements LoaderInterface
      */
     private $cacheKey;
 
+    /**
+     * @var CurrentRoleContext
+     */
+    private $roleContext;
+
     /**
      * @param RootResource $rootResource
      * @param ResourceConnection $resource
      * @param CacheInterface $aclDataCache
      * @param Json $serializer
      * @param array $data
      * @param string $cacheKey
+     * @param CurrentRoleContext|null $roleContext
      * @SuppressWarnings(PHPMD.UnusedFormalParameter):
      */
     public function __construct(
-        RootResource $rootResource,
-        ResourceConnection $resource,
-        CacheInterface $aclDataCache,
-        Json $serializer,
-        array $data = [],
-        $cacheKey = self::ACL_RULE_CACHE_KEY
+        RootResource        $rootResource,
+        ResourceConnection  $resource,
+        CacheInterface      $aclDataCache,
+        Json                $serializer,
+        array               $data = [],
+        string              $cacheKey = self::ACL_RULE_CACHE_KEY,
+        ?CurrentRoleContext $roleContext = null
     ) {
         $this->_rootResource = $rootResource;
         $this->_resource = $resource;
         $this->aclDataCache = $aclDataCache;
         $this->serializer = $serializer;
         $this->cacheKey = $cacheKey;
+
+        $this->roleContext = $roleContext ?? \Magento\Framework\App\ObjectManager::getInstance()
+            ->get(CurrentRoleContext::class);
     }
 
     /**
@@ -86,10 +97,31 @@ public function __construct(
      */
     public function populateAcl(Acl $acl)
     {
-        $result = $this->applyPermissionsAccordingToRules($acl);
+        $roleId = $this->roleContext->getRoleId();
+        $result = ($roleId)
+            ? $this->applyPermissionsForRole($acl, (int)$roleId)
+            : $this->applyPermissionsAccordingToRules($acl);
         $this->denyPermissionsForMissingRules($acl, $result);
     }
 
+    /**
+     * Apply permissions for a specific role
+     *
+     * @param Acl $acl
+     * @param int $roleId
+     * @return array
+     */
+    private function applyPermissionsForRole(Acl $acl, int $roleId): array
+    {
+        $appliedRolePermissionsPerResource = [];
+        foreach ($this->getRulesArrayForRole($roleId) as $rule) {
+            $appliedRolePermissionsPerResource =
+                $this->getAppliedRolePermissionsPerResource($rule, $acl, $appliedRolePermissionsPerResource);
+        }
+
+        return $appliedRolePermissionsPerResource;
+    }
+
     /**
      * Apply ACL with rules
      *
@@ -100,28 +132,8 @@ private function applyPermissionsAccordingToRules(Acl $acl): array
     {
         $appliedRolePermissionsPerResource = [];
         foreach ($this->getRulesArray() as $rule) {
-            $role = $rule['role_id'];
-            $resource = $rule['resource_id'];
-            $privileges = !empty($rule['privileges']) ? explode(',', $rule['privileges']) : null;
-
-            if ($acl->hasResource($resource)) {
-
-                $appliedRolePermissionsPerResource[$resource]['allow'] =
-                    $appliedRolePermissionsPerResource[$resource]['allow'] ?? [];
-                $appliedRolePermissionsPerResource[$resource]['deny'] =
-                    $appliedRolePermissionsPerResource[$resource]['deny'] ?? [];
-
-                if ($rule['permission'] == 'allow') {
-                    if ($resource === $this->_rootResource->getId()) {
-                        $acl->allow($role, null, $privileges);
-                    }
-                    $acl->allow($role, $resource, $privileges);
-                    $appliedRolePermissionsPerResource[$resource]['allow'][] = $role;
-                } elseif ($rule['permission'] == 'deny') {
-                    $acl->deny($role, $resource, $privileges);
-                    $appliedRolePermissionsPerResource[$resource]['deny'][] = $role;
-                }
-            }
+            $appliedRolePermissionsPerResource =
+                $this->getAppliedRolePermissionsPerResource($rule, $acl, $appliedRolePermissionsPerResource);
         }
 
         return $appliedRolePermissionsPerResource;
@@ -202,4 +214,95 @@ private function getRulesArray()
 
         return $rulesArr;
     }
+
+    /**
+     * Get application ACL rules array for a specific role.
+     *
+     * @param int $roleId
+     * @return array
+     */
+    private function getRulesArrayForRole(int $roleId): array
+    {
+        $groupRoleId = $this->resolveGroupRoleId($roleId);
+        $cacheKey = self::ACL_RULE_CACHE_KEY . '_' . $groupRoleId;
+        $rulesCachedData = $this->aclDataCache->load($cacheKey);
+        if ($rulesCachedData) {
+            return $this->serializer->unserialize($rulesCachedData);
+        }
+
+        $ruleTable = $this->_resource->getTableName('authorization_rule');
+        $connection = $this->_resource->getConnection();
+        $select = $connection->select()
+            ->from(['r' => $ruleTable])
+            ->where('role_id = ?', $groupRoleId)
+            ->order('rule_id ASC');
+
+        $rulesArr = $connection->fetchAll($select);
+
+        $this->aclDataCache->save($this->serializer->serialize($rulesArr), $cacheKey);
+
+        return $rulesArr;
+    }
+
+    /**
+     * Resolve the group role id for a given role id
+     *
+     * @param int $roleId
+     * @return int
+     */
+    private function resolveGroupRoleId(int $roleId): int
+    {
+        $roleTable = $this->_resource->getTableName('authorization_role');
+        $connection = $this->_resource->getConnection();
+        $select = $connection->select()
+            ->from($roleTable, ['role_type', 'parent_id'])
+            ->where('role_id = ?', $roleId)
+            ->limit(1);
+
+        $row = $connection->fetchRow($select);
+        if (is_array($row) && isset($row['role_type']) && $row['role_type'] === 'U'
+            && (int)($row['parent_id'] ?? 0) > 0
+        ) {
+            return (int)$row['parent_id'];
+        }
+        return $roleId;
+    }
+
+    /**
+     * Apply rule to ACL and return applied permissions per resource
+     *
+     * @param array $rule
+     * @param Acl $acl
+     * @param array $appliedRolePermissionsPerResource
+     * @return array
+     */
+    private function getAppliedRolePermissionsPerResource(
+        array $rule,
+        Acl $acl,
+        array $appliedRolePermissionsPerResource
+    ): array {
+        $role = $rule['role_id'];
+        $resource = $rule['resource_id'];
+        $privileges = !empty($rule['privileges']) ? explode(',', $rule['privileges']) : null;
+
+        if ($acl->hasResource($resource)) {
+
+            $appliedRolePermissionsPerResource[$resource]['allow'] =
+                $appliedRolePermissionsPerResource[$resource]['allow'] ?? [];
+            $appliedRolePermissionsPerResource[$resource]['deny'] =
+                $appliedRolePermissionsPerResource[$resource]['deny'] ?? [];
+
+            if ($rule['permission'] == 'allow') {
+                if ($resource === $this->_rootResource->getId()) {
+                    $acl->allow($role, null, $privileges);
+                }
+                $acl->allow($role, $resource, $privileges);
+                $appliedRolePermissionsPerResource[$resource]['allow'][] = $role;
+            } elseif ($rule['permission'] == 'deny') {
+                $acl->deny($role, $resource, $privileges);
+                $appliedRolePermissionsPerResource[$resource]['deny'][] = $role;
+            }
+        }
+        return $appliedRolePermissionsPerResource;
+    }
 }
diff --git a/lib/internal/Magento/Framework/Acl/Role/CurrentRoleContext.php b/lib/internal/Magento/Framework/Acl/Role/CurrentRoleContext.php
@@ -0,0 +1,52 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\Acl\Role;
+
+use Magento\Framework\ObjectManager\ResetAfterRequestInterface;
+
+/**
+ * Holds the current role id during ACL building within a single request.
+ */
+class CurrentRoleContext implements ResetAfterRequestInterface
+{
+    /**
+     * @var int|null
+     */
+    private $roleId = null;
+
+    /**
+     * Set the current role ID.
+     *
+     * @param int|null $roleId
+     * @return void
+     */
+    public function setRoleId(int|null $roleId): void
+    {
+        $this->roleId = $roleId;
+    }
+
+    /**
+     * Get the current role ID.
+     *
+     * @return int|null
+     */
+    public function getRoleId(): int|null
+    {
+        return $this->roleId;
+    }
+
+    /**
+     * Reset the state after a request.
+     *
+     * @return void
+     */
+    public function _resetState(): void
+    {
+        $this->roleId = null;
+    }
+}
diff --git a/lib/internal/Magento/Framework/Authorization/Policy/Acl.php b/lib/internal/Magento/Framework/Authorization/Policy/Acl.php
