Description
Summary
The UI shows the notification "You do not have permission to perform this action" while trying to select an Account on the Opportunity create page when Customer entity capabilities are disabled for the current user role (please look at the detailed STR). This is caused because SalesBundle\Controller\AutocompleteController is called but there are no appropriate permissions in this case.
This is in the log file:
security.DEBUG: Access denied, the user is neither anonymous, nor remember-me. {"exception":"[object] (Symfony\Component\Security\Core\Exception\AccessDeniedException(code: 403): Access denied to Oro\Bundle\SalesBundle\Controller\AutocompleteController::autocompleteCustomersAction. at /vendor/oro/platform/src/Oro/Bundle/SecurityBundle/EventListener/ControllerListener.php:66)"} []
request.WARNING: Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: "Access denied to Oro\Bundle\SalesBundle\Controller\AutocompleteController::autocompleteCustomersAction." at vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php line 137 {"exception":"[object] (Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException(code: 0): Access denied to Oro\Bundle\SalesBundle\Controller\AutocompleteController::autocompleteCustomersAction. at vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php:137, Symfony\Component\Security\Core\Exception\AccessDeniedException(code: 403): Access denied to Oro\Bundle\SalesBundle\Controller\AutocompleteController::autocompleteCustomersAction. at /vendor/oro/platform/src/Oro/Bundle/SecurityBundle/EventListener/ControllerListener.php:66)"} []
Steps to reproduce
- Disable all Customer capabilities for a certain role. Account capabilities remain enabled.
- Log in as a user with the same role
- Create an Account record if there is none
- Go to the Opportunity create page
- To select an Account, click on the "hamburger" button. A grid is shown in a popup with the appropriate records.
- Click on an Account record
Actual Result
The notification "You do not have permission to perform this action" is shown. The selected account does not appear in the form field. Interestingly, the Account will be assigned and saved if you click the Save button.
Expected Result
Selected account should be assigned to the field with no error notification.
Details about your environment
- OroCommerce 4.1.11
- PHP version: 7.4
- Database (MySQL, PostgreSQL) version: 8
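
An added example, not part of the original report or of Oro's code: a small log triage script that counts ACL denials per controller action from lines shaped like the two quoted above, so that mismatches between a role's capabilities and the controller actions a page calls show up as a ranked list. The sample lines are constructed (the report's lines shortened, plus a made-up `Acme` controller), and counting only `request.WARNING` lines assumes each denial is logged once per channel, as in the excerpt.

```python
import re
from collections import Counter

# "Access denied to <Controller>::<action>." as it appears in the log lines above.
DENIED = re.compile(r"Access denied to (?P<ctrl>[\w\\]+)::(?P<action>\w+)\.")
# Optional "[timestamp] " prefix, then "channel.LEVEL:".
HEAD = re.compile(r"^(?:\[[^\]]*\]\s*)?(?P<channel>\w+)\.(?P<level>[A-Z]+):")

ACTION = r"Oro\Bundle\SalesBundle\Controller\AutocompleteController::autocompleteCustomersAction"
ACME = r"Acme\Bundle\DemoBundle\Controller\DemoController::listAction"  # made up

def debug_line(action):
    # Constructed, shortened form of the report's security.DEBUG line.
    return ('security.DEBUG: Access denied, the user is neither anonymous, nor '
            'remember-me. {"exception":"[object] (...AccessDeniedException'
            '(code: 403): Access denied to %s. at ...)"} []' % action)

def warning_line(action):
    # Constructed, shortened form of the report's request.WARNING line.
    return ('request.WARNING: Uncaught PHP Exception ...AccessDeniedHttpException: '
            '"Access denied to %s." at ... line 137 {"exception":"..."} []' % action)

SAMPLE = [
    debug_line(ACTION), warning_line(ACTION),
    "request.INFO: Matched route \"demo\". [] []",       # unrelated line
    debug_line(ACME), warning_line(ACME),
    debug_line(ACTION), warning_line(ACTION),
]

def denied_actions(lines):
    """Count denied requests per controller action.

    The excerpt shows one denial in both a security.DEBUG and a request.WARNING
    line, and the phrase repeats inside a line, so only request.WARNING lines
    are counted, once each.
    """
    counts = Counter()
    for line in lines:
        head = HEAD.match(line)
        if not head or (head["channel"], head["level"]) != ("request", "WARNING"):
            continue
        hit = DENIED.search(line)
        if hit:
            counts["%s::%s" % (hit["ctrl"], hit["action"])] += 1
    return counts

if __name__ == "__main__":
    for action, n in denied_actions(SAMPLE).most_common():
        print(n, action)
```
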