@@ -21,3 +21,247 @@ menu.xml - `urn:magento:module:Magento_Backend:/etc/menu.xsd` - flat structure
2121- just set one of top level parents, e.g. 'Magento_Backend::system'
2222
2323* How do menu items relate to ACL permissions?*
24+
25+ ## Describe how to check for permissions in the permissions management tree structures.
26+ * How would you add a new user with a given set of permissions?*
27+
28+ - System > Permissions > User Roles has all the differnet roles and associated permissions. Each role can be scoped to Website level and granular permissions based on resource options.
29+ - System > Permissions > All Users to view and create new users and associate to a role. There are two tabs 1 is user info the other is User Role where you define the Role for this user. You can only select 1 role per user.
30+
31+ * How can you do that programmatically?*
32+ - You can leverage \Magento\Authorization\Model\Acl\AclRetriever. That as a few methods that will help
33+
34+ ``` php
35+ /**
36+ * Get a list of available resources using user details
37+ *
38+ * @param string $userType
39+ * @param int $userId
40+ * @return string[]
41+ * @throws AuthorizationException
42+ * @throws LocalizedException
43+ */
44+ public function getAllowedResourcesByUser($userType, $userId)
45+ {
46+ if ($userType == UserContextInterface::USER_TYPE_GUEST) {
47+ return [self::PERMISSION_ANONYMOUS];
48+ } elseif ($userType == UserContextInterface::USER_TYPE_CUSTOMER) {
49+ return [self::PERMISSION_SELF];
50+ }
51+ try {
52+ $role = $this->_getUserRole($userType, $userId);
53+ if (!$role) {
54+ throw new AuthorizationException(
55+ __('We can\'t find the role for the user you wanted.')
56+ );
57+ }
58+ $allowedResources = $this->getAllowedResourcesByRole($role->getId());
59+ } catch (AuthorizationException $e) {
60+ throw $e;
61+ } catch (\Exception $e) {
62+ $this->logger->critical($e);
63+ throw new LocalizedException(
64+ __(
65+ 'Something went wrong while compiling a list of allowed resources. '
66+ . 'You can find out more in the exceptions log.'
67+ )
68+ );
69+ }
70+ return $allowedResources;
71+ }
72+
73+ /**
74+ * Get a list of available resource using user role id
75+ *
76+ * @param string $roleId
77+ * @return string[]
78+ */
79+ public function getAllowedResourcesByRole($roleId)
80+ {
81+ $allowedResources = [];
82+ $rulesCollection = $this->rulesCollectionFactory->create();
83+ $rulesCollection->getByRoles($roleId)->load();
84+ $acl = $this->aclBuilder->getAcl();
85+ /** @var \Magento\Authorization\Model\Rules $ruleItem */
86+ foreach ($rulesCollection->getItems() as $ruleItem) {
87+ $resourceId = $ruleItem->getResourceId();
88+ if ($acl->has($resourceId) && $acl->isAllowed($roleId, $resourceId)) {
89+ $allowedResources[] = $resourceId;
90+ }
91+ }
92+ return $allowedResources;
93+ }
94+ ```
95+
96+ However the actual code to set privilage permission may look like this in the core code
97+ vendor/magento/magento2-base/setup/src/Magento/Setup/Fixtures/AdminUsersFixture.php
98+
99+ In particular this section:
100+
101+ ``` php
102+ $adminUser = $this->userFactory->create();
103+ $adminUser->setRoleId($role->getId())
104+ ->setEmail('admin' . $i . '@example.com')
105+ ->setFirstName('Firstname')
106+ ->setLastName('Lastname')
107+ ->setUserName('admin' . $i)
108+ ->setPassword('123123q')
109+ ->setIsActive(1);
110+ $adminUser->save();
111+ ```
112+
113+ ``` php
114+ <?php
115+ /**
116+ * Copyright © Magento, Inc. All rights reserved.
117+ * See COPYING.txt for license details.
118+ */
119+
120+ namespace Magento\Setup\Fixtures;
121+
122+ use Magento\Authorization\Model\Acl\Role\Group;
123+ use Magento\Authorization\Model\RoleFactory;
124+ use Magento\Authorization\Model\RulesFactory;
125+ use Magento\Authorization\Model\UserContextInterface;
126+ use Magento\Framework\Acl\RootResource;
127+ use Magento\User\Model\ResourceModel\User\CollectionFactory as UserCollectionFactory;
128+ use Magento\User\Model\UserFactory;
129+
130+ /**
131+ * Generate admin users
132+ *
133+ * Support the following format:
134+ * <!-- Number of admin users -->
135+ * <admin _users >{int}</admin _users >
136+ */
137+ class AdminUsersFixture extends Fixture
138+ {
139+ /**
140+ * @var int
141+ */
142+ protected $priority = 5;
143+
144+ /**
145+ * @var UserFactory
146+ */
147+ private $userFactory;
148+
149+ /**
150+ * @var RoleFactory
151+ */
152+ private $roleFactory;
153+
154+ /**
155+ * @var UserCollectionFactory
156+ */
157+ private $userCollectionFactory;
158+
159+ /**
160+ * @var RulesFactory
161+ */
162+ private $rulesFactory;
163+
164+ /**
165+ * @var RootResource
166+ */
167+ private $rootResource;
168+
169+ /**
170+ * @param FixtureModel $fixtureModel
171+ * @param UserFactory $userFactory
172+ * @param UserCollectionFactory $userCollectionFactory
173+ * @param RoleFactory $roleFactory
174+ * @param RulesFactory $rulesFactory
175+ * @param RootResource $rootResource
176+ */
177+ public function __construct(
178+ FixtureModel $fixtureModel,
179+ UserFactory $userFactory,
180+ UserCollectionFactory $userCollectionFactory,
181+ RoleFactory $roleFactory,
182+ RulesFactory $rulesFactory,
183+ RootResource $rootResource
184+ ) {
185+ parent::__construct($fixtureModel);
186+ $this->userFactory = $userFactory;
187+ $this->roleFactory = $roleFactory;
188+ $this->userCollectionFactory = $userCollectionFactory;
189+ $this->rulesFactory = $rulesFactory;
190+ $this->rootResource = $rootResource;
191+ }
192+
193+ /**
194+ * {@inheritdoc}
195+ */
196+ public function execute()
197+ {
198+ $adminUsersNumber = $this->fixtureModel->getValue('admin_users', 0);
199+ $adminUsersStartIndex = $this->userCollectionFactory->create()->getSize();
200+
201+ if ($adminUsersStartIndex >= $adminUsersNumber) {
202+ return;
203+ }
204+
205+ $role = $this->createAdministratorRole();
206+
207+ for ($i = $adminUsersStartIndex; $i <= $adminUsersNumber; $i++) {
208+ $adminUser = $this->userFactory->create();
209+ $adminUser->setRoleId($role->getId())
210+ ->setEmail('admin' . $i . '@example.com')
211+ ->setFirstName('Firstname')
212+ ->setLastName('Lastname')
213+ ->setUserName('admin' . $i)
214+ ->setPassword('123123q')
215+ ->setIsActive(1);
216+ $adminUser->save();
217+ }
218+ }
219+
220+ /**
221+ * {@inheritdoc}
222+ */
223+ public function getActionTitle()
224+ {
225+ return 'Generating admin users';
226+ }
227+
228+ /**
229+ * {@inheritdoc}
230+ */
231+ public function introduceParamLabels()
232+ {
233+ return [
234+ 'admin_users' => 'Admin Users'
235+ ];
236+ }
237+
238+ /**
239+ * Create administrator role with all privileges.
240+ *
241+ * @return \Magento\Authorization\Model\Role
242+ */
243+ private function createAdministratorRole()
244+ {
245+ $role = $this->roleFactory->create();
246+ $role->setParentId(0)
247+ ->setTreeLevel(1)
248+ ->setSortOrder(1)
249+ ->setRoleType(Group::ROLE_TYPE)
250+ ->setUserId(0)
251+ ->setUserType(UserContextInterface::USER_TYPE_ADMIN)
252+ ->setRoleName('Example Administrator');
253+ $role->save();
254+
255+ /** @var \Magento\Authorization\Model\Rules $rule */
256+ $rule = $this->rulesFactory->create();
257+ $rule->setRoleId($role->getId())
258+ ->setResourceId($this->rootResource->getId())
259+ ->setPrivilegies(null)
260+ ->setPermission('allow');
261+ $rule->save();
262+
263+ return $role;
264+ }
265+ }
266+
267+ ```
0 commit comments