Comments (3)

m2-assistant commented on June 10, 2024

Hi @vandijkstef. Thank you for your report.
To speed up processing of this issue, make sure that the issue is reproducible on a vanilla Magento instance by following the Steps to reproduce. To deploy a vanilla Magento instance on our environment, add a comment to the issue:


Join Magento Community Engineering Slack and ask your questions in #github channel.
⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.
🕙 You can find the schedule on the Magento Community Calendar page.
📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

from magento2.

engcom-Dash commented on June 10, 2024

Hi @vandijkstef,
Thank you for reporting and for your collaboration.

We verified the issue on a 2.4-develop instance and it is not reproducible. Kindly refer to the screenshots below:

Screenshot 2023-06-23 at 8 36 29 PM Screenshot 2023-06-27 at 3 09 34 PM

We followed the steps you mentioned:

  • Created a new module
  • Assigned ACL rule to the module
  • Created API route to that module
  • Created 2 users, admin and admin2
  • Admin has access to everything.
  • Admin2 does not have access to the new module.
  • We called the API endpoints in Postman using an access token.
  • As we can see, admin can access the API.
  • Here admin2 cannot access the resource, as he does not have permission.

Hence we can see that ACL rules are working fine.

Let us know if we are missing anything!

Thanks

from magento2.

vandijkstef commented on June 10, 2024

The only thing that is different is that you created and configured users AFTER installing the module/new ACLs, so Magento was already aware of these permission rules and set them up correctly for these users.

I was referring to already EXISTING users with a limited permission set and specifically NOT saving the user after installing the new module, as the user save action is repairing/restoring the ACL permissions for that user.

Essentially, because there is no 'deny' entry in the database for that ACL/User combo, access is granted. So you could likely reproduce by removing that entry in the DB as well.

from magento2.
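
A simplified model of the behaviour described in the last comment, added here as an illustration and not taken from the thread or from Magento's code: the role names, resource ids and table layout are assumptions. It contrasts a lookup that refuses only on an explicit deny row with one that requires an explicit allow row, and lists the role/resource pairs that have no row at all.

```python
# Simplified permission table: (role, resource) -> "allow" | "deny".
# All names and rows are constructed for illustration (hypothetical layout).
RESOURCES = ["Sales::orders", "Catalog::products", "Example_Module::report"]
ROLES = ["full", "limited"]

# State after "Example_Module" is installed: the "limited" role was saved
# before the module existed, so it has no row for the new resource.
RULES = {
    ("full", "Sales::orders"): "allow",
    ("full", "Catalog::products"): "allow",
    ("full", "Example_Module::report"): "allow",
    ("limited", "Sales::orders"): "allow",
    ("limited", "Catalog::products"): "deny",
}


def allowed_fail_open(rules, role, resource):
    """Refuse only on an explicit deny row; a missing row grants access."""
    return rules.get((role, resource)) != "deny"


def allowed_fail_closed(rules, role, resource):
    """Grant only on an explicit allow row; a missing row refuses access."""
    return rules.get((role, resource)) == "allow"


def missing_rules(rules, roles, resources):
    """Audit: role/resource pairs with no explicit row (run after installs)."""
    return [(role, res) for role in roles for res in resources
            if (role, res) not in rules]


def backfill_denies(rules, roles, resources):
    """Model of the repair the comment attributes to re-saving: add deny rows."""
    fixed = dict(rules)
    for pair in missing_rules(rules, roles, resources):
        fixed[pair] = "deny"
    return fixed


if __name__ == "__main__":
    new = "Example_Module::report"
    print("fail-open  :", allowed_fail_open(RULES, "limited", new))
    print("fail-closed:", allowed_fail_closed(RULES, "limited", new))
    print("unruled    :", missing_rules(RULES, ROLES, RESOURCES))
    repaired = backfill_denies(RULES, ROLES, RESOURCES)
    print("after save :", allowed_fail_open(repaired, "limited", new))
```

Running the audit function after every module install surfaces the pairs that depend on the default, before any role has been re-saved.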
