Update as of 8/15/2012

* Refactored ACL functionality:
  * Implementation is not bound to backend area anymore and moved to `Mage_Core` module
  * Covered backwards-incompatible changes with additional migration tool (`dev/tools/migration/Acl`)
* Implemented "move" layout directive and slightly modified behavior of "remove"
* A failure in DB cleanup by integration testing framework is articulated more clearly by throwing `Magento_Exception`
* Fixed security vulnerability of exploiting Magento "cookie restriction" feature
* Fixed caching mechanism of loading modules declaration to not cause additional performance overhead
* Adjusted include path in unit tests to use the original include path at the end, rather than at the beginning

CHANGELOG.markdown

@@ -1,3 +1,14 @@
+Update as of 8/15/2012
+======================
+* Refactored ACL functionality:
+  * Implementation is not bound to backend area anymore and moved to `Mage_Core` module
+  * Covered backwards-incompatible changes with additional migration tool (`dev/tools/migration/Acl`)
+* Implemented "move" layout directive and slightly modified behavior of "remove"
+* A failure in DB cleanup by integration testing framework is articulated more clearly by throwing `Magento_Exception`
+* Fixed security vulnerability of exploiting Magento "cookie restriction" feature
+* Fixed caching mechanism of loading modules declaration to not cause additional performance overhead
+* Adjusted include path in unit tests to use the original include path at the end, rather than at the beginning
+
 Update as of 8/9/2012
 =====================
 * Improvements:

app/code/core/Mage/Adminhtml/Block/Cache/Notifications.php

@@ -58,7 +58,7 @@ public function getManageUrl()
      */
     protected function _toHtml()
     {
-        if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Adminhtml::cache')) {
+        if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Adminhtml::cache')) {
             return parent::_toHtml();
         }
         return '';

app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Attributes.php

@@ -99,7 +99,7 @@ protected function _prepareForm()
 
             // Add new attribute button if it is not an image tab
             if (!$form->getElement('media_gallery')
-                && Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Catalog::attributes_attributes')
+                && Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Catalog::attributes_attributes')
             ) {
                 $headerBar = $this->getLayout()->createBlock('Mage_Adminhtml_Block_Catalog_Product_Edit_Tab_Attributes_Create');
 

app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tabs.php

@@ -146,7 +146,7 @@ protected function _prepareLayout()
 
             if( $this->getRequest()->getParam('id', false) ) {
                 if (Mage::helper('Mage_Catalog_Helper_Data')->isModuleEnabled('Mage_Review')) {
-                    if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Review::reviews_ratings')){
+                    if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Review::reviews_ratings')){
                         $this->addTab('reviews', array(
                             'label' => Mage::helper('Mage_Catalog_Helper_Data')->__('Product Reviews'),
                             'url'   => $this->getUrl('*/*/reviews', array('_current' => true)),
@@ -155,7 +155,7 @@ protected function _prepareLayout()
                     }
                 }
                 if (Mage::helper('Mage_Catalog_Helper_Data')->isModuleEnabled('Mage_Tag')) {
-                    if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Tag::tag')){
+                    if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Tag::tag')){
                         $this->addTab('tags', array(
                          'label'     => Mage::helper('Mage_Catalog_Helper_Data')->__('Product Tags'),
                          'url'   => $this->getUrl('*/*/tagGrid', array('_current' => true)),

app/code/core/Mage/Adminhtml/Block/Catalog/Product/Grid.php

@@ -301,7 +301,7 @@ protected function _prepareMassaction()
              )
         ));
 
-        if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Catalog::update_attributes')){
+        if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Catalog::update_attributes')){
             $this->getMassactionBlock()->addItem('attributes', array(
                 'label' => Mage::helper('Mage_Catalog_Helper_Data')->__('Update Attributes'),
                 'url'   => $this->getUrl('*/catalog_product_action_attribute/edit', array('_current'=>true))

app/code/core/Mage/Adminhtml/Block/Cms/Page.php

@@ -61,7 +61,7 @@ public function __construct()
      */
     protected function _isAllowedAction($resourceId)
     {
-        return Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed($resourceId);
+        return Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed($resourceId);
     }
 
 }

app/code/core/Mage/Adminhtml/Block/Cms/Page/Edit.php

@@ -86,7 +86,7 @@ public function getHeaderText()
      */
     protected function _isAllowedAction($resourceId)
     {
-        return Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed($resourceId);
+        return Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed($resourceId);
     }
 
     /**

app/code/core/Mage/Adminhtml/Block/Cms/Page/Edit/Tab/Content.php

@@ -148,6 +148,6 @@ public function isHidden()
      */
     protected function _isAllowedAction($resourceId)
     {
-        return Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed($resourceId);
+        return Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed($resourceId);
     }
 }

app/code/core/Mage/Adminhtml/Block/Cms/Page/Edit/Tab/Design.php

@@ -181,6 +181,6 @@ public function isHidden()
      */
     protected function _isAllowedAction($resourceId)
     {
-        return Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed($resourceId);
+        return Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed($resourceId);
     }
 }

app/code/core/Mage/Adminhtml/Block/Cms/Page/Edit/Tab/Main.php

@@ -172,6 +172,6 @@ public function isHidden()
      */
     protected function _isAllowedAction($resourceId)
     {
-        return Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed($resourceId);
+        return Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed($resourceId);
     }
 }

app/code/core/Mage/Adminhtml/Block/Cms/Page/Edit/Tab/Meta.php

@@ -130,6 +130,6 @@ public function isHidden()
      */
     protected function _isAllowedAction($resourceId)
     {
-        return Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed($resourceId);
+        return Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed($resourceId);
     }
 }

app/code/core/Mage/Adminhtml/Block/Customer/Edit.php

@@ -39,7 +39,7 @@ public function __construct()
         $this->_controller = 'customer';
 
         if ($this->getCustomerId() &&
-            Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::create')) {
+            Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::create')) {
             $this->_addButton('order', array(
                 'label' => Mage::helper('Mage_Customer_Helper_Data')->__('Create Order'),
                 'onclick' => 'setLocation(\'' . $this->getCreateOrderUrl() . '\')',

app/code/core/Mage/Adminhtml/Block/Customer/Edit/Tabs.php

@@ -44,15 +44,17 @@ public function __construct()
 
     protected function _beforeToHtml()
     {
-/*
-        if (Mage::registry('current_customer')->getId()) {
-            $this->addTab('view', array(
-                'label'     => Mage::helper('Mage_Customer_Helper_Data')->__('Customer View'),
-                'content'   => $this->getLayout()->createBlock('Mage_Adminhtml_Block_Customer_Edit_Tab_View')->toHtml(),
-                'active'    => true
-            ));
-        }
-*/
+        Magento_Profiler::start('customer/tabs');
+
+        /*
+                if (Mage::registry('current_customer')->getId()) {
+                    $this->addTab('view', array(
+                        'label'     => Mage::helper('Mage_Customer_Helper_Data')->__('Customer View'),
+                        'content'   => $this->getLayout()->createBlock('Mage_Adminhtml_Block_Customer_Edit_Tab_View')->toHtml(),
+                        'active'    => true
+                    ));
+                }
+        */
         $this->addTab('account', array(
             'label'     => Mage::helper('Mage_Customer_Helper_Data')->__('Account Information'),
             'content'   => $this->getLayout()
@@ -71,7 +73,7 @@ protected function _beforeToHtml()
 
         if (Mage::registry('current_customer')->getId()) {
 
-            if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::actions_view')) {
+            if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::actions_view')) {
                 $this->addTab('orders', array(
                     'label'     => Mage::helper('Mage_Customer_Helper_Data')->__('Orders'),
                     'class'     => 'ajax',
@@ -91,23 +93,23 @@ protected function _beforeToHtml()
                 'url'       => $this->getUrl('*/*/wishlist', array('_current' => true)),
             ));
 
-            if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Newsletter::subscriber')) {
+            if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Newsletter::subscriber')) {
                 $this->addTab('newsletter', array(
                     'label'     => Mage::helper('Mage_Customer_Helper_Data')->__('Newsletter'),
                     'content'   => $this->getLayout()
                         ->createBlock('Mage_Adminhtml_Block_Customer_Edit_Tab_Newsletter')->initForm()->toHtml()
                 ));
             }
 
-            if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Review::reviews_ratings')) {
+            if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Review::reviews_ratings')) {
                 $this->addTab('reviews', array(
                     'label'     => Mage::helper('Mage_Customer_Helper_Data')->__('Product Reviews'),
                     'class'     => 'ajax',
                     'url'       => $this->getUrl('*/*/productReviews', array('_current' => true)),
                 ));
             }
 
-            if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Tag::tag')) {
+            if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Tag::tag')) {
                 $this->addTab('tags', array(
                     'label'     => Mage::helper('Mage_Customer_Helper_Data')->__('Product Tags'),
                     'class'     => 'ajax',

app/code/core/Mage/Adminhtml/Block/Customer/Online/Grid.php

@@ -160,7 +160,7 @@ protected function _prepareColumns()
      */
     public function getRowUrl($row)
     {
-        return (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Customer::manage') && $row->getCustomerId())
+        return (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Customer::manage') && $row->getCustomerId())
             ? $this->getUrl('*/customer/edit', array('id' => $row->getCustomerId())) : '';
     }
 }

app/code/core/Mage/Adminhtml/Block/Notification/Survey.php

@@ -43,7 +43,8 @@ public function canShow()
         $adminSession = Mage::getSingleton('Mage_Backend_Model_Auth_Session');
         $seconds = intval(date('s', time()));
         if ($adminSession->getHideSurveyQuestion()
-            || !$adminSession->isAllowed(Mage_Backend_Model_Acl_Config::ACL_RESOURCE_ALL)
+            || !Mage::getSingleton('Mage_Core_Model_Authorization')
+                ->isAllowed(Mage_Backend_Model_Acl_Config::ACL_RESOURCE_ALL)
             || Mage_AdminNotification_Model_Survey::isSurveyViewed()
             || !Mage_AdminNotification_Model_Survey::isSurveyUrlValid())
         {

app/code/core/Mage/Adminhtml/Block/Notification/Window.php

@@ -105,11 +105,6 @@ public function canShow()
             return false;
         }
 
-        if (!$this->_isAllowed()) {
-            $this->_available = false;
-            return false;
-        }
-
         if (is_null($this->_available)) {
             $this->_available = $this->isShow();
         }
@@ -163,16 +158,4 @@ public function getSeverityText()
     {
         return strtolower(str_replace('SEVERITY_', '', $this->getNoticeSeverity()));
     }
-
-    /**
-     * Check if current block allowed in ACL
-     *
-     * @param string $resourcePath
-     * @return bool
-     */
-    protected function _isAllowed()
-    {
-        return Mage::getSingleton('Mage_Backend_Model_Auth_Session')
-            ->isAllowed('Mage_AdminNotification::show_toolbar');
-    }
 }

app/code/core/Mage/Adminhtml/Block/Sales/Creditmemo/Grid.php

@@ -144,7 +144,7 @@ protected function _prepareMassaction()
 
     public function getRowUrl($row)
     {
-        if (!Mage::getSingleton('Mage_Backend_Model_Auth_Session')
+        if (!Mage::getSingleton('Mage_Core_Model_Authorization')
             ->isAllowed(Mage_Backend_Model_Acl_Config::ACL_RESOURCE_ALL)
         ) {
             return false;

app/code/core/Mage/Adminhtml/Block/Sales/Invoice/Grid.php

@@ -145,7 +145,7 @@ protected function _prepareMassaction()
 
     public function getRowUrl($row)
     {
-        if (!Mage::getSingleton('Mage_Backend_Model_Auth_Session')
+        if (!Mage::getSingleton('Mage_Core_Model_Authorization')
             ->isAllowed(Mage_Backend_Model_Acl_Config::ACL_RESOURCE_ALL)
         ) {
             return false;

app/code/core/Mage/Adminhtml/Block/Sales/Items/Abstract.php

@@ -486,7 +486,7 @@ public function canEditQty()
 
     public function canCapture()
     {
-        if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::capture')) {
+        if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::capture')) {
             return $this->getInvoice()->canCapture();
         }
         return false;

app/code/core/Mage/Adminhtml/Block/Sales/Order.php

@@ -40,7 +40,7 @@ public function __construct()
         $this->_headerText = Mage::helper('Mage_Sales_Helper_Data')->__('Orders');
         $this->_addButtonLabel = Mage::helper('Mage_Sales_Helper_Data')->__('Create New Order');
         parent::__construct();
-        if (!Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::create')) {
+        if (!Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::create')) {
             $this->_removeButton('add');
         }
     }

app/code/core/Mage/Adminhtml/Block/Sales/Order/Creditmemo/View.php

@@ -229,6 +229,6 @@ public function updateBackButtonUrl($flag)
      */
     public function _isAllowedAction($resourceId)
     {
-        return Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed($resourceId);
+        return Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed($resourceId);
     }
 }

app/code/core/Mage/Adminhtml/Block/Sales/Order/Grid.php

@@ -120,7 +120,7 @@ protected function _prepareColumns()
             'options' => Mage::getSingleton('Mage_Sales_Model_Order_Config')->getStatuses(),
         ));
 
-        if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::actions_view')) {
+        if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::actions_view')) {
             $this->addColumn('action',
                 array(
                     'header'    => Mage::helper('Mage_Sales_Helper_Data')->__('Action'),
@@ -154,21 +154,21 @@ protected function _prepareMassaction()
         $this->getMassactionBlock()->setFormFieldName('order_ids');
         $this->getMassactionBlock()->setUseSelectAll(false);
 
-        if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::cancel')) {
+        if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::cancel')) {
             $this->getMassactionBlock()->addItem('cancel_order', array(
                  'label'=> Mage::helper('Mage_Sales_Helper_Data')->__('Cancel'),
                  'url'  => $this->getUrl('*/sales_order/massCancel'),
             ));
         }
 
-        if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::hold')) {
+        if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::hold')) {
             $this->getMassactionBlock()->addItem('hold_order', array(
                  'label'=> Mage::helper('Mage_Sales_Helper_Data')->__('Hold'),
                  'url'  => $this->getUrl('*/sales_order/massHold'),
             ));
         }
 
-        if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::unhold')) {
+        if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::unhold')) {
             $this->getMassactionBlock()->addItem('unhold_order', array(
                  'label'=> Mage::helper('Mage_Sales_Helper_Data')->__('Unhold'),
                  'url'  => $this->getUrl('*/sales_order/massUnhold'),
@@ -205,7 +205,7 @@ protected function _prepareMassaction()
 
     public function getRowUrl($row)
     {
-        if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::actions_view')) {
+        if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::actions_view')) {
             return $this->getUrl('*/sales_order/view', array('order_id' => $row->getId()));
         }
         return false;

app/code/core/Mage/Adminhtml/Block/Sales/Order/Invoice/Create/Items.php

@@ -194,7 +194,7 @@ public function canEditQty()
      */
     public function isCaptureAllowed()
     {
-        return Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::capture');
+        return Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::capture');
     }
 
     /**

app/code/core/Mage/Adminhtml/Block/Sales/Order/Invoice/View.php

@@ -207,6 +207,6 @@ public function updateBackButtonUrl($flag)
      */
     protected function _isAllowedAction($resourceId)
     {
-        return $this->_session->isAllowed($resourceId);
+        return Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed($resourceId);
     }
 }

app/code/core/Mage/Adminhtml/Block/Sales/Order/Shipment/View.php

@@ -48,7 +48,7 @@ public function __construct()
             return;
         }
 
-        if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::emails')) {
+        if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::emails')) {
             $this->_updateButton('save', 'label', Mage::helper('Mage_Sales_Helper_Data')->__('Send Tracking Information'));
             $this->_updateButton('save',
                 'onclick', "deleteConfirm('"

app/code/core/Mage/Adminhtml/Block/Sales/Order/View.php

@@ -278,7 +278,7 @@ public function getVoidPaymentUrl()
 
     protected function _isAllowedAction($resourceId)
     {
-        return Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed($resourceId);
+        return Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed($resourceId);
     }
 
     /**

app/code/core/Mage/Adminhtml/Block/Sales/Order/View/History.php

@@ -70,7 +70,7 @@ public function getOrder()
 
     public function canAddComment()
     {
-        return Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::comment') &&
+        return Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::comment') &&
                $this->getOrder()->canComment();
     }
 

app/code/core/Mage/Adminhtml/Block/Sales/Order/View/Tab/Transactions.php

@@ -93,6 +93,6 @@ public function canShowTab()
      */
     public function isHidden()
     {
-        return !Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::transactions_fetch');
+        return !Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::transactions_fetch');
     }
 }

app/code/core/Mage/Adminhtml/Block/Sales/Shipment/Grid.php

@@ -139,7 +139,7 @@ protected function _prepareColumns()
      */
     public function getRowUrl($row)
     {
-        if (!Mage::getSingleton('Mage_Backend_Model_Auth_Session')
+        if (!Mage::getSingleton('Mage_Core_Model_Authorization')
             ->isAllowed(Mage_Backend_Model_Acl_Config::ACL_RESOURCE_ALL)
         ) {
             return false;

app/code/core/Mage/Adminhtml/Block/Sales/Transactions/Detail.php

@@ -60,7 +60,7 @@ public function __construct()
             'class'   => 'back'
         ));
 
-        if (Mage::getSingleton('Mage_Backend_Model_Auth_Session')->isAllowed('Mage_Sales::transactions_fetch')
+        if (Mage::getSingleton('Mage_Core_Model_Authorization')->isAllowed('Mage_Sales::transactions_fetch')
             && $this->_txn->getOrderPaymentObject()->getMethodInstance()->canFetchTransactionInfo()) {
             $fetchUrl = $this->getUrl('*/*/fetch' , array('_current' => true));
             $this->_addButton('fetch', array(

app/code/core/Mage/Adminhtml/Block/System/Config/Tabs.php

@@ -327,7 +327,7 @@ public function checkSectionPermissions($aclResourceId=null)
         }
 
         if (!$permissions) {
-            $permissions = Mage::getSingleton('Mage_Backend_Model_Auth_Session');
+            $permissions = Mage::getSingleton('Mage_Core_Model_Authorization');
         }
 
         $showTab = false;