An inconsistency in the config section ACL resource handling: a non-existent ACL resource is always allowed, but a config section without a resource is always forbidden

dmitrii_fediuk · October 4, 2015, 9:03pm

Magento 2 config sections are assigned to ACL resources. An example:

magento/magento2/blob/c3ae167b012bdeb6bbf2f697e8ef89831dd04555/app/code/Magento/Backend/etc/adminhtml/system.xml#L232


        <label>Static Files Settings</label>
        <field id="sign" translate="label" type="select" sortOrder="10" showInDefault="1" showInWebsite="0" showInStore="0">
            <label>Sign Static Files</label>
            <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
        </field>
    </group>
</section>
<section id="general" translate="label" type="text" sortOrder="10" showInDefault="1" showInWebsite="1" showInStore="1">
    <label>General</label>
    <tab>general</tab>
    <resource>Magento_Config::config_general</resource>
    <group id="country" translate="label" type="text" sortOrder="1" showInDefault="1" showInWebsite="1" showInStore="1">
        <label>Country Options</label>
        <field id="allow" translate="label" type="multiselect" sortOrder="2" showInDefault="1" showInWebsite="1" showInStore="1">
            <label>Allow Countries</label>
            <source_model>Magento\Directory\Model\Config\Source\Country</source_model>
            <can_be_empty>1</can_be_empty>
        </field>
        <field id="default" translate="label" type="select" sortOrder="1" showInDefault="1" showInWebsite="1" showInStore="1">
            <label>Default Country</label>
            <source_model>Magento\Directory\Model\Config\Source\Country</source_model>

The resource tag is not required by the XSD:

github.com

magento/magento2/blob/c3ae167b012bdeb6bbf2f697e8ef89831dd04555/app/code/Magento/Config/etc/system_file.xsd#L101-L109


<xs:choice minOccurs="0" maxOccurs="unbounded">
    <xs:element name="label" type="xs:string" />
    <xs:element name="class" type="xs:string" />
    <xs:element name="tab" type="typeTabId" />
    <xs:element name="header_css" type="xs:string" />
    <xs:element name="resource" type="typeAclResourceId" />
    <xs:element ref="group" />
    <xs:element name="include" type="includeType"/>
</xs:choice>

If the resource tag is absent then the config section is always forbidden:

github.com

magento/magento2/blob/c3ae167b012bdeb6bbf2f697e8ef89831dd04555/app/code/Magento/Config/Model/Config/Structure/Element/Section.php#L48


    return isset($this->_data['header_css']) ? $this->_data['header_css'] : '';
}
/**
 * Check whether section is allowed for current user
 *
 * @return bool
 */
public function isAllowed()
{
    return isset($this->_data['resource']) ? $this->_authorization->isAllowed($this->_data['resource']) : false;
}
/**
 * Check whether element should be displayed
 *
 * @return bool
 */
public function isVisible()
{
    if (!$this->isAllowed()) {

If the resource tag is specified but is not exists (for example: Absent_Absent::absent) then the config tab is always allowed.

This is inconsistency.
It would be more consistent to allow access to a config section in case the section has no resource tag:

return isset($this->_data['resource']) ? $this->_authorization->isAllowed($this->_data['resource']) : true;

GitHub issue: 2024