Security changes from upstream 2.4.7-p1

mage-os · Jun 26, 2024 · 200b4e6 · 200b4e6
1 parent db41a69
commit 200b4e6
Show file tree

Hide file tree

Showing 24 changed files with 253 additions and 528 deletions.
diff --git a/app/code/Magento/Customer/Model/Plugin/UpdateCustomer.php b/app/code/Magento/Customer/Model/Plugin/UpdateCustomer.php
@@ -52,14 +52,19 @@ public function beforeSave(
         CustomerInterface $customer,
         ?string $passwordHash = null
     ): array {
-        $customerSessionId = $this->userContext->getUserType() === $this->userContext::USER_TYPE_CUSTOMER ?
-                             (int)$this->userContext->getUserId() : 0;
+        $userType = $this->userContext->getUserType();
+        $customerSessionId = (int)$this->userContext->getUserId();
         $customerId = (int)$this->request->getParam('customerId');
         $bodyParams = $this->request->getBodyParams();
-        if (!isset($bodyParams['customer']['Id']) && $customerId) {
-            if ($customerId === $customerSessionId || $customerSessionId === 0) {
-                $customer = $this->getUpdatedCustomer($customerRepository->getById($customerId), $customer);
-            }
+
+        if ($userType === UserContextInterface::USER_TYPE_CUSTOMER &&
+            !isset($bodyParams['customer']['Id']) &&
+            $customerId &&
+            $customerId === $customerSessionId
+        ) {
+            $customer = $this->getUpdatedCustomer($customerRepository->getById($customerId), $customer);
+        } elseif ($userType === UserContextInterface::USER_TYPE_ADMIN && $customerId) {
+            $customer = $this->getUpdatedCustomer($customerRepository->getById($customerId), $customer);
         }
 
         return [$customer, $passwordHash];

diff --git a/app/code/Magento/Customer/Plugin/Webapi/Controller/Rest/ValidateCustomerData.php b/app/code/Magento/Customer/Plugin/Webapi/Controller/Rest/ValidateCustomerData.php
diff --git a/...ode/Magento/Customer/Test/Unit/Plugin/Webapi/Controller/Rest/ValidateCustomerDataTest.php b/...ode/Magento/Customer/Test/Unit/Plugin/Webapi/Controller/Rest/ValidateCustomerDataTest.php
diff --git a/app/code/Magento/Customer/etc/webapi_rest/di.xml b/app/code/Magento/Customer/etc/webapi_rest/di.xml
@@ -31,9 +31,6 @@
             </argument>
         </arguments>
     </type>
-    <type name="Magento\Webapi\Controller\Rest\ParamsOverrider">
-        <plugin name="validateCustomerData" type="Magento\Customer\Plugin\Webapi\Controller\Rest\ValidateCustomerData" sortOrder="1" disabled="false" />
-    </type>
     <preference for="Magento\Customer\Api\AccountManagementInterface"
                 type="Magento\Customer\Model\AccountManagementApi" />
 </config>
diff --git a/app/code/Magento/Quote/Model/BillingAddressManagement.php b/app/code/Magento/Quote/Model/BillingAddressManagement.php
@@ -77,10 +77,6 @@ public function assign($cartId, AddressInterface $address, $useForShipping = fal
     {
         /** @var \Magento\Quote\Model\Quote $quote */
         $quote = $this->quoteRepository->getActive($cartId);
-
-        // validate the address
-        $this->addressValidator->validateWithExistingAddress($quote, $address);
-
         $address->setCustomerId($quote->getCustomerId());
         $quote->removeAddress($quote->getBillingAddress()->getId());
         $quote->setBillingAddress($address);

diff --git a/app/code/Magento/Quote/Model/QuoteAddressValidator.php b/app/code/Magento/Quote/Model/QuoteAddressValidator.php
@@ -121,27 +121,6 @@ public function validate(AddressInterface $addressData): bool
         return true;
     }
 
-    /**
-     * Validate Quest Address for guest user
-     *
-     * @param AddressInterface $address
-     * @param CartInterface $cart
-     * @return void
-     * @throws NoSuchEntityException
-     */
-    private function doValidateForGuestQuoteAddress(AddressInterface $address, CartInterface $cart): void
-    {
-        //validate guest cart address
-        if ($address->getId() !== null) {
-            $old = $cart->getAddressById($address->getId());
-            if ($old === false) {
-                throw new NoSuchEntityException(
-                    __('Invalid quote address id %1', $address->getId())
-                );
-            }
-        }
-    }
-
     /**
      * Validate address to be used for cart.
      *
@@ -153,9 +132,6 @@ private function doValidateForGuestQuoteAddress(AddressInterface $address, CartI
      */
     public function validateForCart(CartInterface $cart, AddressInterface $address): void
     {
-        if ($cart->getCustomerIsGuest()) {
-            $this->doValidateForGuestQuoteAddress($address, $cart);
-        }
         $this->doValidate($address, !$cart->getCustomer()->getId() ? null : (int) $cart->getCustomer()->getId());
     }
 
@@ -171,8 +147,8 @@ public function validateWithExistingAddress(CartInterface $cart, AddressInterfac
     {
         // check if address belongs to quote.
         if ($address->getId() !== null) {
-            $old = $cart->getAddressesCollection()->getItemById($address->getId());
-            if ($old === null) {
+            $old = $cart->getAddressById($address->getId());
+            if (empty($old)) {
                 throw new NoSuchEntityException(
                     __('Invalid quote address id %1', $address->getId())
                 );

diff --git a/app/code/Magento/Quote/Plugin/QuoteAddress.php b/app/code/Magento/Quote/Plugin/QuoteAddress.php
@@ -0,0 +1,67 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Quote\Plugin;
+
+use Magento\Framework\Exception\NoSuchEntityException;
+use Magento\Quote\Model\Quote;
+use Magento\Quote\Api\Data\AddressInterface;
+use Magento\Quote\Model\QuoteAddressValidator;
+
+/**
+ * Quote address plugin
+ */
+class QuoteAddress
+{
+    /**
+     * @var QuoteAddressValidator
+     */
+    protected QuoteAddressValidator $addressValidator;
+
+    /**
+     * @param QuoteAddressValidator $addressValidator
+     */
+    public function __construct(
+        QuoteAddressValidator $addressValidator
+    ) {
+        $this->addressValidator = $addressValidator;
+    }
+
+    /**
+     * Validate address before setting billing address
+     *
+     * @param Quote $subject
+     * @param AddressInterface|null $address
+     * @return array
+     * @throws NoSuchEntityException
+     */
+    public function beforeSetBillingAddress(Quote $subject, AddressInterface $address = null): array
+    {
+        if ($address !== null) {
+            $this->addressValidator->validateWithExistingAddress($subject, $address);
+        }
+
+        return [$address];
+    }
+
+    /**
+     * Validate address before setting shipping address
+     *
+     * @param Quote $subject
+     * @param AddressInterface|null $address
+     * @return array
+     * @throws NoSuchEntityException
+     */
+    public function beforeSetShippingAddress(Quote $subject, AddressInterface $address = null): array
+    {
+        if ($address !== null) {
+            $this->addressValidator->validateWithExistingAddress($subject, $address);
+        }
+
+        return [$address];
+    }
+}