Magento 2: Admin user with restricted access can access everything via API?
I have created an admin user to manage my orders and granted the access for order view
action only. (as below)
But the user can generate token via API
and access all order
i.e view
, delete
, etc resources.
How to restrict the access to orders view
only?
magento2 php magento2.3
add a comment |
I have created an admin user to manage my orders and granted the access for order view
action only. (as below)
But the user can generate token via API
and access all order
i.e view
, delete
, etc resources.
How to restrict the access to orders view
only?
magento2 php magento2.3
add a comment |
I have created an admin user to manage my orders and granted the access for order view
action only. (as below)
But the user can generate token via API
and access all order
i.e view
, delete
, etc resources.
How to restrict the access to orders view
only?
magento2 php magento2.3
I have created an admin user to manage my orders and granted the access for order view
action only. (as below)
But the user can generate token via API
and access all order
i.e view
, delete
, etc resources.
How to restrict the access to orders view
only?
magento2 php magento2.3
magento2 php magento2.3
edited yesterday
Milind Singh
asked yesterday
Milind SinghMilind Singh
628115
628115
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
I resolved the issue, it was core Magento bug.
Admin user with restricted "order create" access can "view", "cancel", etc via API
To fix I need to update the webapi.xml
in Sales
module.
<?xml version="1.0"?>
<!--
/**
* Copyright © Magento, Inc. All rights reserved.
* See COPYING.txt for license details.
*/
-->
<routes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Webapi:etc/webapi.xsd">
<route url="/V1/orders/:id" method="GET">
<service class="MagentoSalesApiOrderRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders" method="GET">
<service class="MagentoSalesApiOrderRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders/:id/statuses" method="GET">
<service class="MagentoSalesApiOrderManagementInterface" method="getStatus"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders/:id/cancel" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="cancel"/>
<resources>
<resource ref="Magento_Sales::cancel" />
</resources>
</route>
<route url="/V1/orders/:id/emails" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="notify"/>
<resources>
<resource ref="Magento_Sales::emails" />
</resources>
</route>
<route url="/V1/orders/:id/hold" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="hold"/>
<resources>
<resource ref="Magento_Sales::hold" />
</resources>
</route>
<route url="/V1/orders/:id/unhold" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="unHold"/>
<resources>
<resource ref="Magento_Sales::unhold" />
</resources>
</route>
<route url="/V1/orders/:id/comments" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="addComment"/>
<resources>
<resource ref="Magento_Sales::comment" />
</resources>
</route>
<route url="/V1/orders/:id/comments" method="GET">
<service class="MagentoSalesApiOrderManagementInterface" method="getCommentsList"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders/create" method="PUT">
<service class="MagentoSalesApiOrderRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::create" />
</resources>
</route>
<route url="/V1/orders/:parent_id" method="PUT">
<service class="MagentoSalesApiOrderAddressRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::create" />
</resources>
</route>
<route url="/V1/orders/items/:id" method="GET">
<service class="MagentoSalesApiOrderItemRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders/items" method="GET">
<service class="MagentoSalesApiOrderItemRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/invoices/:id" method="GET">
<service class="MagentoSalesApiInvoiceRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices" method="GET">
<service class="MagentoSalesApiInvoiceRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/:id/comments" method="GET">
<service class="MagentoSalesApiInvoiceManagementInterface" method="getCommentsList"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/:id/emails" method="POST">
<service class="MagentoSalesApiInvoiceManagementInterface" method="notify"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/:id/void" method="POST">
<service class="MagentoSalesApiInvoiceManagementInterface" method="setVoid"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/:id/capture" method="POST">
<service class="MagentoSalesApiInvoiceManagementInterface" method="setCapture"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/comments" method="POST">
<service class="MagentoSalesApiInvoiceCommentRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/" method="POST">
<service class="MagentoSalesApiInvoiceRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoice/:invoiceId/refund" method="POST">
<service class="MagentoSalesApiRefundInvoiceInterface" method="execute"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/creditmemo/:id/comments" method="GET">
<service class="MagentoSalesApiCreditmemoManagementInterface" method="getCommentsList"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemos" method="GET">
<service class="MagentoSalesApiCreditmemoRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/:id" method="GET">
<service class="MagentoSalesApiCreditmemoRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/:id" method="PUT">
<service class="MagentoSalesApiCreditmemoManagementInterface" method="cancel"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/:id/emails" method="POST">
<service class="MagentoSalesApiCreditmemoManagementInterface" method="notify"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/refund" method="POST">
<service class="MagentoSalesApiCreditmemoManagementInterface" method="refund"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/:id/comments" method="POST">
<service class="MagentoSalesApiCreditmemoCommentRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo" method="POST">
<service class="MagentoSalesApiCreditmemoRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/order/:orderId/refund" method="POST">
<service class="MagentoSalesApiRefundOrderInterface" method="execute"/>
<resources>
<resource ref="Magento_Sales::creditmemo" />
</resources>
</route>
<route url="/V1/shipment/:id" method="GET">
<service class="MagentoSalesApiShipmentRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipments" method="GET">
<service class="MagentoSalesApiShipmentRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/:id/comments" method="GET">
<service class="MagentoSalesApiShipmentManagementInterface" method="getCommentsList"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/:id/comments" method="POST">
<service class="MagentoSalesApiShipmentCommentRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/:id/emails" method="POST">
<service class="MagentoSalesApiShipmentManagementInterface" method="notify"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/track" method="POST">
<service class="MagentoSalesApiShipmentTrackRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/track/:id" method="DELETE">
<service class="MagentoSalesApiShipmentTrackRepositoryInterface" method="deleteById"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/" method="POST">
<service class="MagentoSalesApiShipmentRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/:id/label" method="GET">
<service class="MagentoSalesApiShipmentManagementInterface" method="getLabel"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/order/:orderId/ship" method="POST">
<service class="MagentoSalesApiShipOrderInterface" method="execute"/>
<resources>
<resource ref="Magento_Sales::ship" />
</resources>
</route>
<route url="/V1/orders/" method="POST">
<service class="MagentoSalesApiOrderRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::create" />
</resources>
</route>
<route url="/V1/transactions/:id" method="GET">
<service class="MagentoSalesApiTransactionRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::transactions_fetch" />
</resources>
</route>
<route url="/V1/transactions" method="GET">
<service class="MagentoSalesApiTransactionRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::transactions_fetch" />
</resources>
</route>
<route url="/V1/order/:orderId/invoice" method="POST">
<service class="MagentoSalesApiInvoiceOrderInterface" method="execute"/>
<resources>
<resource ref="Magento_Sales::invoice" />
</resources>
</route>
</routes>
The PR is #20170 and will be merged in 2.3.1 release.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "479"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f257361%2fmagento-2-admin-user-with-restricted-access-can-access-everything-via-api%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
I resolved the issue, it was core Magento bug.
Admin user with restricted "order create" access can "view", "cancel", etc via API
To fix I need to update the webapi.xml
in Sales
module.
<?xml version="1.0"?>
<!--
/**
* Copyright © Magento, Inc. All rights reserved.
* See COPYING.txt for license details.
*/
-->
<routes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Webapi:etc/webapi.xsd">
<route url="/V1/orders/:id" method="GET">
<service class="MagentoSalesApiOrderRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders" method="GET">
<service class="MagentoSalesApiOrderRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders/:id/statuses" method="GET">
<service class="MagentoSalesApiOrderManagementInterface" method="getStatus"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders/:id/cancel" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="cancel"/>
<resources>
<resource ref="Magento_Sales::cancel" />
</resources>
</route>
<route url="/V1/orders/:id/emails" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="notify"/>
<resources>
<resource ref="Magento_Sales::emails" />
</resources>
</route>
<route url="/V1/orders/:id/hold" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="hold"/>
<resources>
<resource ref="Magento_Sales::hold" />
</resources>
</route>
<route url="/V1/orders/:id/unhold" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="unHold"/>
<resources>
<resource ref="Magento_Sales::unhold" />
</resources>
</route>
<route url="/V1/orders/:id/comments" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="addComment"/>
<resources>
<resource ref="Magento_Sales::comment" />
</resources>
</route>
<route url="/V1/orders/:id/comments" method="GET">
<service class="MagentoSalesApiOrderManagementInterface" method="getCommentsList"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders/create" method="PUT">
<service class="MagentoSalesApiOrderRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::create" />
</resources>
</route>
<route url="/V1/orders/:parent_id" method="PUT">
<service class="MagentoSalesApiOrderAddressRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::create" />
</resources>
</route>
<route url="/V1/orders/items/:id" method="GET">
<service class="MagentoSalesApiOrderItemRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders/items" method="GET">
<service class="MagentoSalesApiOrderItemRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/invoices/:id" method="GET">
<service class="MagentoSalesApiInvoiceRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices" method="GET">
<service class="MagentoSalesApiInvoiceRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/:id/comments" method="GET">
<service class="MagentoSalesApiInvoiceManagementInterface" method="getCommentsList"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/:id/emails" method="POST">
<service class="MagentoSalesApiInvoiceManagementInterface" method="notify"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/:id/void" method="POST">
<service class="MagentoSalesApiInvoiceManagementInterface" method="setVoid"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/:id/capture" method="POST">
<service class="MagentoSalesApiInvoiceManagementInterface" method="setCapture"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/comments" method="POST">
<service class="MagentoSalesApiInvoiceCommentRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/" method="POST">
<service class="MagentoSalesApiInvoiceRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoice/:invoiceId/refund" method="POST">
<service class="MagentoSalesApiRefundInvoiceInterface" method="execute"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/creditmemo/:id/comments" method="GET">
<service class="MagentoSalesApiCreditmemoManagementInterface" method="getCommentsList"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemos" method="GET">
<service class="MagentoSalesApiCreditmemoRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/:id" method="GET">
<service class="MagentoSalesApiCreditmemoRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/:id" method="PUT">
<service class="MagentoSalesApiCreditmemoManagementInterface" method="cancel"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/:id/emails" method="POST">
<service class="MagentoSalesApiCreditmemoManagementInterface" method="notify"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/refund" method="POST">
<service class="MagentoSalesApiCreditmemoManagementInterface" method="refund"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/:id/comments" method="POST">
<service class="MagentoSalesApiCreditmemoCommentRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo" method="POST">
<service class="MagentoSalesApiCreditmemoRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/order/:orderId/refund" method="POST">
<service class="MagentoSalesApiRefundOrderInterface" method="execute"/>
<resources>
<resource ref="Magento_Sales::creditmemo" />
</resources>
</route>
<route url="/V1/shipment/:id" method="GET">
<service class="MagentoSalesApiShipmentRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipments" method="GET">
<service class="MagentoSalesApiShipmentRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/:id/comments" method="GET">
<service class="MagentoSalesApiShipmentManagementInterface" method="getCommentsList"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/:id/comments" method="POST">
<service class="MagentoSalesApiShipmentCommentRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/:id/emails" method="POST">
<service class="MagentoSalesApiShipmentManagementInterface" method="notify"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/track" method="POST">
<service class="MagentoSalesApiShipmentTrackRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/track/:id" method="DELETE">
<service class="MagentoSalesApiShipmentTrackRepositoryInterface" method="deleteById"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/" method="POST">
<service class="MagentoSalesApiShipmentRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/shipment/:id/label" method="GET">
<service class="MagentoSalesApiShipmentManagementInterface" method="getLabel"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
<route url="/V1/order/:orderId/ship" method="POST">
<service class="MagentoSalesApiShipOrderInterface" method="execute"/>
<resources>
<resource ref="Magento_Sales::ship" />
</resources>
</route>
<route url="/V1/orders/" method="POST">
<service class="MagentoSalesApiOrderRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::create" />
</resources>
</route>
<route url="/V1/transactions/:id" method="GET">
<service class="MagentoSalesApiTransactionRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::transactions_fetch" />
</resources>
</route>
<route url="/V1/transactions" method="GET">
<service class="MagentoSalesApiTransactionRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::transactions_fetch" />
</resources>
</route>
<route url="/V1/order/:orderId/invoice" method="POST">
<service class="MagentoSalesApiInvoiceOrderInterface" method="execute"/>
<resources>
<resource ref="Magento_Sales::invoice" />
</resources>
</route>
</routes>
The PR is #20170 and will be merged in 2.3.1 release.
add a comment |
I resolved the issue, it was core Magento bug.
Admin user with restricted "order create" access can "view", "cancel", etc via API
To fix I need to update the webapi.xml
in Sales
module.
<?xml version="1.0"?>
<!--
/**
* Copyright © Magento, Inc. All rights reserved.
* See COPYING.txt for license details.
*/
-->
<routes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Webapi:etc/webapi.xsd">
<route url="/V1/orders/:id" method="GET">
<service class="MagentoSalesApiOrderRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders" method="GET">
<service class="MagentoSalesApiOrderRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders/:id/statuses" method="GET">
<service class="MagentoSalesApiOrderManagementInterface" method="getStatus"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders/:id/cancel" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="cancel"/>
<resources>
<resource ref="Magento_Sales::cancel" />
</resources>
</route>
<route url="/V1/orders/:id/emails" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="notify"/>
<resources>
<resource ref="Magento_Sales::emails" />
</resources>
</route>
<route url="/V1/orders/:id/hold" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="hold"/>
<resources>
<resource ref="Magento_Sales::hold" />
</resources>
</route>
<route url="/V1/orders/:id/unhold" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="unHold"/>
<resources>
<resource ref="Magento_Sales::unhold" />
</resources>
</route>
<route url="/V1/orders/:id/comments" method="POST">
<service class="MagentoSalesApiOrderManagementInterface" method="addComment"/>
<resources>
<resource ref="Magento_Sales::comment" />
</resources>
</route>
<route url="/V1/orders/:id/comments" method="GET">
<service class="MagentoSalesApiOrderManagementInterface" method="getCommentsList"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders/create" method="PUT">
<service class="MagentoSalesApiOrderRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::create" />
</resources>
</route>
<route url="/V1/orders/:parent_id" method="PUT">
<service class="MagentoSalesApiOrderAddressRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::create" />
</resources>
</route>
<route url="/V1/orders/items/:id" method="GET">
<service class="MagentoSalesApiOrderItemRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/orders/items" method="GET">
<service class="MagentoSalesApiOrderItemRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::actions_view" />
</resources>
</route>
<route url="/V1/invoices/:id" method="GET">
<service class="MagentoSalesApiInvoiceRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices" method="GET">
<service class="MagentoSalesApiInvoiceRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/:id/comments" method="GET">
<service class="MagentoSalesApiInvoiceManagementInterface" method="getCommentsList"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/:id/emails" method="POST">
<service class="MagentoSalesApiInvoiceManagementInterface" method="notify"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/:id/void" method="POST">
<service class="MagentoSalesApiInvoiceManagementInterface" method="setVoid"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/:id/capture" method="POST">
<service class="MagentoSalesApiInvoiceManagementInterface" method="setCapture"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/comments" method="POST">
<service class="MagentoSalesApiInvoiceCommentRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoices/" method="POST">
<service class="MagentoSalesApiInvoiceRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/invoice/:invoiceId/refund" method="POST">
<service class="MagentoSalesApiRefundInvoiceInterface" method="execute"/>
<resources>
<resource ref="Magento_Sales::sales_invoice" />
</resources>
</route>
<route url="/V1/creditmemo/:id/comments" method="GET">
<service class="MagentoSalesApiCreditmemoManagementInterface" method="getCommentsList"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemos" method="GET">
<service class="MagentoSalesApiCreditmemoRepositoryInterface" method="getList"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/:id" method="GET">
<service class="MagentoSalesApiCreditmemoRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/:id" method="PUT">
<service class="MagentoSalesApiCreditmemoManagementInterface" method="cancel"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/:id/emails" method="POST">
<service class="MagentoSalesApiCreditmemoManagementInterface" method="notify"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/refund" method="POST">
<service class="MagentoSalesApiCreditmemoManagementInterface" method="refund"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo/:id/comments" method="POST">
<service class="MagentoSalesApiCreditmemoCommentRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/creditmemo" method="POST">
<service class="MagentoSalesApiCreditmemoRepositoryInterface" method="save"/>
<resources>
<resource ref="Magento_Sales::sales_creditmemo" />
</resources>
</route>
<route url="/V1/order/:orderId/refund" method="POST">
<service class="MagentoSalesApiRefundOrderInterface" method="execute"/>
<resources>
<resource ref="Magento_Sales::creditmemo" />
</resources>
</route>
<route url="/V1/shipment/:id" method="GET">
<service class="MagentoSalesApiShipmentRepositoryInterface" method="get"/>
<resources>
<resource ref="Magento_Sales::shipment" />
</resources>
</route>
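<!--
    Tail of the Sales REST route table (the <routes> root opens above this
    excerpt). Each <route> binds a URL and HTTP method to one service-contract
    method; <resources> lists the ACL resource an admin token's role must hold
    before the call is dispatched. The check is done per route, so a route that
    names a broader resource than its action needs lets a restricted role reach
    that action through the API even when the admin UI hides it.

    NOTE(review): the page rendering dropped the backslashes from the PHP class
    names; they are restored here as fully qualified class names.
-->
<!-- Shipments: every shipment route, including creating shipments and deleting
     tracking numbers, is guarded by the single resource Magento_Sales::shipment,
     so a role granted it for viewing can also mutate shipments via the API. -->
<route url="/V1/shipments" method="GET">
    <service class="Magento\Sales\Api\ShipmentRepositoryInterface" method="getList"/>
    <resources>
        <resource ref="Magento_Sales::shipment"/>
    </resources>
</route>
<route url="/V1/shipment/:id/comments" method="GET">
    <service class="Magento\Sales\Api\ShipmentManagementInterface" method="getCommentsList"/>
    <resources>
        <resource ref="Magento_Sales::shipment"/>
    </resources>
</route>
<route url="/V1/shipment/:id/comments" method="POST">
    <service class="Magento\Sales\Api\ShipmentCommentRepositoryInterface" method="save"/>
    <resources>
        <resource ref="Magento_Sales::shipment"/>
    </resources>
</route>
<route url="/V1/shipment/:id/emails" method="POST">
    <service class="Magento\Sales\Api\ShipmentManagementInterface" method="notify"/>
    <resources>
        <resource ref="Magento_Sales::shipment"/>
    </resources>
</route>
<route url="/V1/shipment/track" method="POST">
    <service class="Magento\Sales\Api\ShipmentTrackRepositoryInterface" method="save"/>
    <resources>
        <resource ref="Magento_Sales::shipment"/>
    </resources>
</route>
<!-- DELETE shares the view resource; there is no separate "delete track" grant. -->
<route url="/V1/shipment/track/:id" method="DELETE">
    <service class="Magento\Sales\Api\ShipmentTrackRepositoryInterface" method="deleteById"/>
    <resources>
        <resource ref="Magento_Sales::shipment"/>
    </resources>
</route>
<route url="/V1/shipment/" method="POST">
    <service class="Magento\Sales\Api\ShipmentRepositoryInterface" method="save"/>
    <resources>
        <resource ref="Magento_Sales::shipment"/>
    </resources>
</route>
<route url="/V1/shipment/:id/label" method="GET">
    <service class="Magento\Sales\Api\ShipmentManagementInterface" method="getLabel"/>
    <resources>
        <resource ref="Magento_Sales::shipment"/>
    </resources>
</route>
<!-- Shipping an order has its own resource, distinct from shipment viewing. -->
<route url="/V1/order/:orderId/ship" method="POST">
    <service class="Magento\Sales\Api\ShipOrderInterface" method="execute"/>
    <resources>
        <resource ref="Magento_Sales::ship"/>
    </resources>
</route>
<!-- Order creation via the repository save() is guarded by Magento_Sales::create.
     NOTE(review): save() on a repository may also update an existing entity when
     the payload carries an id; confirm "create" is the intended grant for that. -->
<route url="/V1/orders/" method="POST">
    <service class="Magento\Sales\Api\OrderRepositoryInterface" method="save"/>
    <resources>
        <resource ref="Magento_Sales::create"/>
    </resources>
</route>
<!-- Transactions: read-only routes on a fetch-only resource. -->
<route url="/V1/transactions/:id" method="GET">
    <service class="Magento\Sales\Api\TransactionRepositoryInterface" method="get"/>
    <resources>
        <resource ref="Magento_Sales::transactions_fetch"/>
    </resources>
</route>
<route url="/V1/transactions" method="GET">
    <service class="Magento\Sales\Api\TransactionRepositoryInterface" method="getList"/>
    <resources>
        <resource ref="Magento_Sales::transactions_fetch"/>
    </resources>
</route>
<!-- Invoicing an order uses its own resource, separate from invoice viewing. -->
<route url="/V1/order/:orderId/invoice" method="POST">
    <service class="Magento\Sales\Api\InvoiceOrderInterface" method="execute"/>
    <resources>
        <resource ref="Magento_Sales::invoice"/>
    </resources>
</route>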
</routes>
The PR is #20170 and will be merged in the 2.3.1 release.
I resolved the issue; it was a core Magento bug.
An admin user with restricted "order create" access can still "view", "cancel", etc. via the API.
To fix it, I needed to update the webapi.xml in the Sales module.
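<?xml version="1.0"?>
<!--
/**
 * Copyright © Magento, Inc. All rights reserved.
 * See COPYING.txt for license details.
 */
-->
<routes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Webapi:etc/webapi.xsd">
    <!--
        REST route table for the Sales module. Each <route> binds a URL and HTTP
        method to one service-contract method; <resources> lists the ACL
        resource(s) an admin token's role must be granted before the call is
        dispatched. The check is done per route, not in the service class, so a
        route that names a broader resource than its action needs lets a
        restricted role perform that action through the API even when the admin
        UI hides it. Read-only routes should sit on view resources and each
        state-changing route should name its own resource.

        NOTE(review): the page rendering dropped the backslashes from the PHP
        class names; they are restored below as fully qualified class names.
    -->

    <!-- Orders: read-only routes share Magento_Sales::actions_view; every
         mutation (cancel, email, hold, unhold, comment, create) names its own
         resource, so a role with view only cannot change order state. -->
    <route url="/V1/orders/:id" method="GET">
        <service class="Magento\Sales\Api\OrderRepositoryInterface" method="get"/>
        <resources>
            <resource ref="Magento_Sales::actions_view"/>
        </resources>
    </route>
    <route url="/V1/orders" method="GET">
        <service class="Magento\Sales\Api\OrderRepositoryInterface" method="getList"/>
        <resources>
            <resource ref="Magento_Sales::actions_view"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/statuses" method="GET">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="getStatus"/>
        <resources>
            <resource ref="Magento_Sales::actions_view"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/cancel" method="POST">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="cancel"/>
        <resources>
            <resource ref="Magento_Sales::cancel"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/emails" method="POST">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="notify"/>
        <resources>
            <resource ref="Magento_Sales::emails"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/hold" method="POST">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="hold"/>
        <resources>
            <resource ref="Magento_Sales::hold"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/unhold" method="POST">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="unHold"/>
        <resources>
            <resource ref="Magento_Sales::unhold"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/comments" method="POST">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="addComment"/>
        <resources>
            <resource ref="Magento_Sales::comment"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/comments" method="GET">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="getCommentsList"/>
        <resources>
            <resource ref="Magento_Sales::actions_view"/>
        </resources>
    </route>
    <!-- Both order-creation routes call the same repository save(), guarded by
         Magento_Sales::create. NOTE(review): save() on a repository may also
         update an existing entity when the payload carries an id; confirm that
         "create" is the intended grant for updates as well. -->
    <route url="/V1/orders/create" method="PUT">
        <service class="Magento\Sales\Api\OrderRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::create"/>
        </resources>
    </route>
    <!-- Order address save is guarded by the order "create" resource. -->
    <route url="/V1/orders/:parent_id" method="PUT">
        <service class="Magento\Sales\Api\OrderAddressRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::create"/>
        </resources>
    </route>
    <route url="/V1/orders/items/:id" method="GET">
        <service class="Magento\Sales\Api\OrderItemRepositoryInterface" method="get"/>
        <resources>
            <resource ref="Magento_Sales::actions_view"/>
        </resources>
    </route>
    <route url="/V1/orders/items" method="GET">
        <service class="Magento\Sales\Api\OrderItemRepositoryInterface" method="getList"/>
        <resources>
            <resource ref="Magento_Sales::actions_view"/>
        </resources>
    </route>

    <!-- Invoices: every invoice route (view, comment, email, void, capture,
         create, refund) shares the single resource Magento_Sales::sales_invoice.
         NOTE(review): a role granted that resource for viewing can also void,
         capture and create invoices via the API; separating view from mutation
         would need distinct resources. -->
    <route url="/V1/invoices/:id" method="GET">
        <service class="Magento\Sales\Api\InvoiceRepositoryInterface" method="get"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices" method="GET">
        <service class="Magento\Sales\Api\InvoiceRepositoryInterface" method="getList"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices/:id/comments" method="GET">
        <service class="Magento\Sales\Api\InvoiceManagementInterface" method="getCommentsList"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices/:id/emails" method="POST">
        <service class="Magento\Sales\Api\InvoiceManagementInterface" method="notify"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices/:id/void" method="POST">
        <service class="Magento\Sales\Api\InvoiceManagementInterface" method="setVoid"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices/:id/capture" method="POST">
        <service class="Magento\Sales\Api\InvoiceManagementInterface" method="setCapture"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices/comments" method="POST">
        <service class="Magento\Sales\Api\InvoiceCommentRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices/" method="POST">
        <service class="Magento\Sales\Api\InvoiceRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <!-- NOTE(review): refunding by invoice is guarded by the invoice resource,
         while refunding by order (below) is guarded by Magento_Sales::creditmemo;
         confirm this asymmetry is intended. -->
    <route url="/V1/invoice/:invoiceId/refund" method="POST">
        <service class="Magento\Sales\Api\RefundInvoiceInterface" method="execute"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>

    <!-- Credit memos: all routes, read and write, share Magento_Sales::sales_creditmemo. -->
    <route url="/V1/creditmemo/:id/comments" method="GET">
        <service class="Magento\Sales\Api\CreditmemoManagementInterface" method="getCommentsList"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemos" method="GET">
        <service class="Magento\Sales\Api\CreditmemoRepositoryInterface" method="getList"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemo/:id" method="GET">
        <service class="Magento\Sales\Api\CreditmemoRepositoryInterface" method="get"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemo/:id" method="PUT">
        <service class="Magento\Sales\Api\CreditmemoManagementInterface" method="cancel"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemo/:id/emails" method="POST">
        <service class="Magento\Sales\Api\CreditmemoManagementInterface" method="notify"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemo/refund" method="POST">
        <service class="Magento\Sales\Api\CreditmemoManagementInterface" method="refund"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemo/:id/comments" method="POST">
        <service class="Magento\Sales\Api\CreditmemoCommentRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemo" method="POST">
        <service class="Magento\Sales\Api\CreditmemoRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/order/:orderId/refund" method="POST">
        <service class="Magento\Sales\Api\RefundOrderInterface" method="execute"/>
        <resources>
            <resource ref="Magento_Sales::creditmemo"/>
        </resources>
    </route>

    <!-- Shipments: every shipment route, including creating shipments and
         deleting tracking numbers, shares Magento_Sales::shipment. -->
    <route url="/V1/shipment/:id" method="GET">
        <service class="Magento\Sales\Api\ShipmentRepositoryInterface" method="get"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipments" method="GET">
        <service class="Magento\Sales\Api\ShipmentRepositoryInterface" method="getList"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipment/:id/comments" method="GET">
        <service class="Magento\Sales\Api\ShipmentManagementInterface" method="getCommentsList"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipment/:id/comments" method="POST">
        <service class="Magento\Sales\Api\ShipmentCommentRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipment/:id/emails" method="POST">
        <service class="Magento\Sales\Api\ShipmentManagementInterface" method="notify"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipment/track" method="POST">
        <service class="Magento\Sales\Api\ShipmentTrackRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <!-- DELETE shares the view resource; there is no separate "delete track" grant. -->
    <route url="/V1/shipment/track/:id" method="DELETE">
        <service class="Magento\Sales\Api\ShipmentTrackRepositoryInterface" method="deleteById"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipment/" method="POST">
        <service class="Magento\Sales\Api\ShipmentRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipment/:id/label" method="GET">
        <service class="Magento\Sales\Api\ShipmentManagementInterface" method="getLabel"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <!-- Shipping an order has its own resource, distinct from shipment viewing. -->
    <route url="/V1/order/:orderId/ship" method="POST">
        <service class="Magento\Sales\Api\ShipOrderInterface" method="execute"/>
        <resources>
            <resource ref="Magento_Sales::ship"/>
        </resources>
    </route>
    <!-- Second order-creation route; same save() and grant as /V1/orders/create above. -->
    <route url="/V1/orders/" method="POST">
        <service class="Magento\Sales\Api\OrderRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::create"/>
        </resources>
    </route>

    <!-- Transactions: read-only routes on a fetch-only resource. -->
    <route url="/V1/transactions/:id" method="GET">
        <service class="Magento\Sales\Api\TransactionRepositoryInterface" method="get"/>
        <resources>
            <resource ref="Magento_Sales::transactions_fetch"/>
        </resources>
    </route>
    <route url="/V1/transactions" method="GET">
        <service class="Magento\Sales\Api\TransactionRepositoryInterface" method="getList"/>
        <resources>
            <resource ref="Magento_Sales::transactions_fetch"/>
        </resources>
    </route>
    <!-- Invoicing an order uses its own resource, separate from invoice viewing. -->
    <route url="/V1/order/:orderId/invoice" method="POST">
        <service class="Magento\Sales\Api\InvoiceOrderInterface" method="execute"/>
        <resources>
            <resource ref="Magento_Sales::invoice"/>
        </resources>
    </route>
</routes>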
The PR is #20170 and will be merged in the 2.3.1 release.
I resolved the issue; it was a core Magento bug.
An admin user with restricted "order create" access can still "view", "cancel", etc. via the API.
To fix it, I needed to update the webapi.xml in the Sales module.
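<?xml version="1.0"?>
<!--
/**
 * Copyright © Magento, Inc. All rights reserved.
 * See COPYING.txt for license details.
 */
-->
<routes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Webapi:etc/webapi.xsd">
    <!--
        REST route table for the Sales module. Each <route> binds a URL and HTTP
        method to one service-contract method; <resources> lists the ACL
        resource(s) an admin token's role must be granted before the call is
        dispatched. The check is done per route, not in the service class, so a
        route that names a broader resource than its action needs lets a
        restricted role perform that action through the API even when the admin
        UI hides it. Read-only routes should sit on view resources and each
        state-changing route should name its own resource.

        NOTE(review): the page rendering dropped the backslashes from the PHP
        class names; they are restored below as fully qualified class names.
    -->

    <!-- Orders: read-only routes share Magento_Sales::actions_view; every
         mutation (cancel, email, hold, unhold, comment, create) names its own
         resource, so a role with view only cannot change order state. -->
    <route url="/V1/orders/:id" method="GET">
        <service class="Magento\Sales\Api\OrderRepositoryInterface" method="get"/>
        <resources>
            <resource ref="Magento_Sales::actions_view"/>
        </resources>
    </route>
    <route url="/V1/orders" method="GET">
        <service class="Magento\Sales\Api\OrderRepositoryInterface" method="getList"/>
        <resources>
            <resource ref="Magento_Sales::actions_view"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/statuses" method="GET">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="getStatus"/>
        <resources>
            <resource ref="Magento_Sales::actions_view"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/cancel" method="POST">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="cancel"/>
        <resources>
            <resource ref="Magento_Sales::cancel"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/emails" method="POST">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="notify"/>
        <resources>
            <resource ref="Magento_Sales::emails"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/hold" method="POST">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="hold"/>
        <resources>
            <resource ref="Magento_Sales::hold"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/unhold" method="POST">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="unHold"/>
        <resources>
            <resource ref="Magento_Sales::unhold"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/comments" method="POST">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="addComment"/>
        <resources>
            <resource ref="Magento_Sales::comment"/>
        </resources>
    </route>
    <route url="/V1/orders/:id/comments" method="GET">
        <service class="Magento\Sales\Api\OrderManagementInterface" method="getCommentsList"/>
        <resources>
            <resource ref="Magento_Sales::actions_view"/>
        </resources>
    </route>
    <!-- Both order-creation routes call the same repository save(), guarded by
         Magento_Sales::create. NOTE(review): save() on a repository may also
         update an existing entity when the payload carries an id; confirm that
         "create" is the intended grant for updates as well. -->
    <route url="/V1/orders/create" method="PUT">
        <service class="Magento\Sales\Api\OrderRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::create"/>
        </resources>
    </route>
    <!-- Order address save is guarded by the order "create" resource. -->
    <route url="/V1/orders/:parent_id" method="PUT">
        <service class="Magento\Sales\Api\OrderAddressRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::create"/>
        </resources>
    </route>
    <route url="/V1/orders/items/:id" method="GET">
        <service class="Magento\Sales\Api\OrderItemRepositoryInterface" method="get"/>
        <resources>
            <resource ref="Magento_Sales::actions_view"/>
        </resources>
    </route>
    <route url="/V1/orders/items" method="GET">
        <service class="Magento\Sales\Api\OrderItemRepositoryInterface" method="getList"/>
        <resources>
            <resource ref="Magento_Sales::actions_view"/>
        </resources>
    </route>

    <!-- Invoices: every invoice route (view, comment, email, void, capture,
         create, refund) shares the single resource Magento_Sales::sales_invoice.
         NOTE(review): a role granted that resource for viewing can also void,
         capture and create invoices via the API; separating view from mutation
         would need distinct resources. -->
    <route url="/V1/invoices/:id" method="GET">
        <service class="Magento\Sales\Api\InvoiceRepositoryInterface" method="get"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices" method="GET">
        <service class="Magento\Sales\Api\InvoiceRepositoryInterface" method="getList"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices/:id/comments" method="GET">
        <service class="Magento\Sales\Api\InvoiceManagementInterface" method="getCommentsList"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices/:id/emails" method="POST">
        <service class="Magento\Sales\Api\InvoiceManagementInterface" method="notify"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices/:id/void" method="POST">
        <service class="Magento\Sales\Api\InvoiceManagementInterface" method="setVoid"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices/:id/capture" method="POST">
        <service class="Magento\Sales\Api\InvoiceManagementInterface" method="setCapture"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices/comments" method="POST">
        <service class="Magento\Sales\Api\InvoiceCommentRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <route url="/V1/invoices/" method="POST">
        <service class="Magento\Sales\Api\InvoiceRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>
    <!-- NOTE(review): refunding by invoice is guarded by the invoice resource,
         while refunding by order (below) is guarded by Magento_Sales::creditmemo;
         confirm this asymmetry is intended. -->
    <route url="/V1/invoice/:invoiceId/refund" method="POST">
        <service class="Magento\Sales\Api\RefundInvoiceInterface" method="execute"/>
        <resources>
            <resource ref="Magento_Sales::sales_invoice"/>
        </resources>
    </route>

    <!-- Credit memos: all routes, read and write, share Magento_Sales::sales_creditmemo. -->
    <route url="/V1/creditmemo/:id/comments" method="GET">
        <service class="Magento\Sales\Api\CreditmemoManagementInterface" method="getCommentsList"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemos" method="GET">
        <service class="Magento\Sales\Api\CreditmemoRepositoryInterface" method="getList"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemo/:id" method="GET">
        <service class="Magento\Sales\Api\CreditmemoRepositoryInterface" method="get"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemo/:id" method="PUT">
        <service class="Magento\Sales\Api\CreditmemoManagementInterface" method="cancel"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemo/:id/emails" method="POST">
        <service class="Magento\Sales\Api\CreditmemoManagementInterface" method="notify"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemo/refund" method="POST">
        <service class="Magento\Sales\Api\CreditmemoManagementInterface" method="refund"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemo/:id/comments" method="POST">
        <service class="Magento\Sales\Api\CreditmemoCommentRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/creditmemo" method="POST">
        <service class="Magento\Sales\Api\CreditmemoRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::sales_creditmemo"/>
        </resources>
    </route>
    <route url="/V1/order/:orderId/refund" method="POST">
        <service class="Magento\Sales\Api\RefundOrderInterface" method="execute"/>
        <resources>
            <resource ref="Magento_Sales::creditmemo"/>
        </resources>
    </route>

    <!-- Shipments: every shipment route, including creating shipments and
         deleting tracking numbers, shares Magento_Sales::shipment. -->
    <route url="/V1/shipment/:id" method="GET">
        <service class="Magento\Sales\Api\ShipmentRepositoryInterface" method="get"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipments" method="GET">
        <service class="Magento\Sales\Api\ShipmentRepositoryInterface" method="getList"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipment/:id/comments" method="GET">
        <service class="Magento\Sales\Api\ShipmentManagementInterface" method="getCommentsList"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipment/:id/comments" method="POST">
        <service class="Magento\Sales\Api\ShipmentCommentRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipment/:id/emails" method="POST">
        <service class="Magento\Sales\Api\ShipmentManagementInterface" method="notify"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipment/track" method="POST">
        <service class="Magento\Sales\Api\ShipmentTrackRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <!-- DELETE shares the view resource; there is no separate "delete track" grant. -->
    <route url="/V1/shipment/track/:id" method="DELETE">
        <service class="Magento\Sales\Api\ShipmentTrackRepositoryInterface" method="deleteById"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipment/" method="POST">
        <service class="Magento\Sales\Api\ShipmentRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <route url="/V1/shipment/:id/label" method="GET">
        <service class="Magento\Sales\Api\ShipmentManagementInterface" method="getLabel"/>
        <resources>
            <resource ref="Magento_Sales::shipment"/>
        </resources>
    </route>
    <!-- Shipping an order has its own resource, distinct from shipment viewing. -->
    <route url="/V1/order/:orderId/ship" method="POST">
        <service class="Magento\Sales\Api\ShipOrderInterface" method="execute"/>
        <resources>
            <resource ref="Magento_Sales::ship"/>
        </resources>
    </route>
    <!-- Second order-creation route; same save() and grant as /V1/orders/create above. -->
    <route url="/V1/orders/" method="POST">
        <service class="Magento\Sales\Api\OrderRepositoryInterface" method="save"/>
        <resources>
            <resource ref="Magento_Sales::create"/>
        </resources>
    </route>

    <!-- Transactions: read-only routes on a fetch-only resource. -->
    <route url="/V1/transactions/:id" method="GET">
        <service class="Magento\Sales\Api\TransactionRepositoryInterface" method="get"/>
        <resources>
            <resource ref="Magento_Sales::transactions_fetch"/>
        </resources>
    </route>
    <route url="/V1/transactions" method="GET">
        <service class="Magento\Sales\Api\TransactionRepositoryInterface" method="getList"/>
        <resources>
            <resource ref="Magento_Sales::transactions_fetch"/>
        </resources>
    </route>
    <!-- Invoicing an order uses its own resource, separate from invoice viewing. -->
    <route url="/V1/order/:orderId/invoice" method="POST">
        <service class="Magento\Sales\Api\InvoiceOrderInterface" method="execute"/>
        <resources>
            <resource ref="Magento_Sales::invoice"/>
        </resources>
    </route>
</routes>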
The PR is #20170 and will be merged in the 2.3.1 release.
answered 5 hours ago
Milind SinghMilind Singh