Table of Contents for
Magento 2 Development Quick Start Guide

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Magento 2 Development Quick Start Guide by Branko Ajzele Published by Packt Publishing, 2018
  1. Magento 2 Development Quick Start Guide
  2. Title Page
  3. Copyright and Credits
  4. Magento 2 Development Quick Start Guide
  5. Packt Upsell
  6. Why subscribe?
  7. Packt.com
  8. Contributors
  9. About the author
  10. About the reviewer
  11. Packt is searching for authors like you
  12. Table of Contents
  13. Preface
  14. Who this book is for
  15. What this book covers
  16. To get the most out of this book
  17. Download the example code files
  18. Code in Action
  19. Conventions used
  20. Get in touch
  21. Reviews
  22. Understanding the Magento Architecture
  23. Technical requirements
  24. Installing Magento
  25. Modes
  26. Areas
  27. Request flow processing
  28. Modules
  29. Creating the minimal module
  30. Cache
  31. Dependency injection
  32. Argument injection
  33. Virtual types
  34. Proxies
  35. Factories
  36. Plugins
  37. The before plugin
  38. The around plugin
  39. The after plugin
  40. Events and observers
  41. Console commands
  42. Cron jobs
  43. Summary
  44. Working with Entities
  45. Technical requirements
  46. Understanding types of models
  47. Creating a simple model
  48. Methods worth memorizing
  49. Working with setup scripts
  50. The InstallSchema script
  51. The UpgradeSchema script
  52. The Recurring script
  53. The InstallData script
  54. The UpgradeData script
  55. The RecurringData script
  56. Extending entities
  57. Creating extension attributes
  58. Summary
  59. Understanding Web APIs
  60. Technical requirements
  61. Types of users
  62. Types of authentication
  63. Types of APIs
  64. Using existing web APIs
  65. Creating custom web APIs
  66. Understanding search criteria
  67. Summary
  68. Building and Distributing Extensions
  69. Technical requirements
  70. Building a shipping extension
  71. Distributing via GitHub
  72. Distributing via Packagist
  73. Summary
  74. Developing for Admin
  75. Technical requirements
  76. Using the listing component
  77. Using the form component
  78. Summary
  79. Developing for Storefront
  80. Technical requirements
  81. Setting up the playground
  82. Calling and initializing JS components
  83. Meet RequireJS
  84. Replacing jQuery widget components
  85. Extending jQuery widget components
  86. Creating jQuery widgets components
  87. Creating UI/KnockoutJS components
  88. Extending UI/KnockoutJS components
  89. Summary
  90. Customizing Catalog Behavior
  91. Technical requirements
  92. Creating the size guide
  93. Creating the same day delivery
  94. Flagging new products
  95. Summary
  96. Customizing Checkout Experiences
  97. Technical requirements
  98. Passing data to the checkout
  99. Adding order notes to the checkout
  100. Summary
  101. Customizing Customer Interactions
  102. Technical requirements
  103. Understanding the section mechanism
  104. Adding contact preferences to customer accounts
  105. Adding contact preferences to the checkout
  106. Summary
  107. Other Books You May Enjoy
  108. Leave a review - let other readers know what you think

Types of users

The Magento web API framework differentiates three fundamental types of users:

  • Guest: Authorized against an anonymous resource:
<resources>
  <resource ref="anonymous" />
</resources>
  • Customer: Authorized against a self resource:
<resources>
  <resource ref="self"/>
</resources>
  • Integrator: Authorized against a specific resource defined in acl.xml:
<resources>
  <resource ref="Magento_Cms::save"" />
</resources>

To further understand what this means, we need to understand the link between <VendorName>/<ModuleName>/acl.xml and <VendorName>/<ModuleName>/webapi.xml.

The acl.xml is where we define our access resources. Let's take a closer look at the partial extract of one such resource, defined in the <MAGENTO_DIR>/module-cms/etc/acl.xml file:

<config>
  <acl>
    <resources>
      <resource id="Magento_Backend::admin">
        <resource id="Magento_Backend::content">
          <resource id="Magento_Backend::content_elements">
            <resource id="Magento_Cms::page" title="Pages">
              <resource id="Magento_Cms::save" title="Save Page"/>
            </resource>
          </resource>
        </resource>
      </resource>
    </resources>
  </acl>
</config>

Our focus here is on the Magento_Cms::save resource. Magento merges all of these individual acl.xml files into one big ACL tree. We can see this tree in two places in the Magento admin area:

  • The Role Resource tab of the System | Permissions | User Roles | Edit | Add New Role screen
  • The API tab of the System | Extensions | Integrations | Edit | Add New Integration screen:

These are the two screens where we define access permissions for a standard admin user and a special web API integrator user. This is not to say that a standard admin user cannot execute web API calls. The difference will become more obvious when we get to the Types of authentication section.

To this point, these resources don't really do anything on their own. Simply defining them within acl.xml won't magically make a CMS page in this case access-protected, or anything like that. This is where controllers come into the mix, as one example of an access-controlling mechanism. A quick lookup against Magento_Cms::save string usage, reveals a Magento\Cms\Controller\Adminhtml\Page\Edit class using it as part of its const ADMIN_RESOURCE = 'Magento_Cms::save' definition.

The ADMIN_RESOURCE constant is defined further down the inheritance chain, on the \Magento\Backend\App\AbstractAction as const ADMIN_RESOURCE = 'Magento_Backend::admin'. This is further used by the _isAllowed method implementation as follows:

protected function _isAllowed()
{
  return $this->_authorization->isAllowed(static::ADMIN_RESOURCE);
}

The AbstractAction class here is the basis for pretty much any Magento admin controller. This means that the controller is the one that utilizes the resource defined in acl.xml, whereas definitions in acl.xml serve the purpose of building the ACL tree, which we can manage from the Magento admin interface. This means that anyone trying to access the cms/page/edit URL in admin must have a Magento_Cms::save resource permission to do so. Otherwise, the _isAllowed method, reading the ADMIN_RESOURCE value, will return false and forbid access to the page.

Web APIs, on the other hand, don't use controllers, so there is no access to the ADMIN_RESOURCE constant and the _isAllowed method. APIs use webapi.xml to define routes. Let's follow up with the CMS page save analogue, as per the <MAGENTO_DIR>/module-cms/etc/webapi.xml file:

<routes>
  <route url="/V1/cmsPage" method="POST">
    <service class="Magento\Cms\Api\PageRepositoryInterface" method="save"/>
    <resources>
      <resource ref="Magento_Cms::page"/>
    </resources>
  </route>
  <route url="/V1/cmsPage/:id" method="PUT">
    <service class="Magento\Cms\Api\PageRepositoryInterface" method="save"/>
    <resources>
      <resource ref="Magento_Cms::page"/>
    </resources>
  </route>
</routes>

The individual route definition binds together a few things. The url and method argument of a route element specify what URL will trigger this route. The class and method arguments of a service element specify which interface and method on that interface will execute once the route is triggered. Finally, the ref argument of a resource element specifies the security check to be executed. If a user executing a web API call is unauthenticated or authenticated with a role that does not have Magento_Cms::page, the request won't execute the service method specified.

The customer type of user is the most convenient for working with widgets. The Magento checkout is an excellent example of that. The whole checkout is a fully AJAX-enabled app on its own, separate from the usual Magento storefront, such as its CMS, category, and product pages.