Security changes from upstream 2.4.7-p1 (#98)

* Security changes from upstream 2.4.7-p1

Author: rhoerr

.github/workflows/coding-standard-baseline.yml

@@ -1,8 +1,7 @@
 name: Coding Standard With Baseline
 on:
   pull_request:
-    branches:
-      - 2.4-develop
+    branches: ["**"]
 permissions:
   contents: read
 jobs:

.github/workflows/nx-integration-tests.yml

@@ -2,8 +2,7 @@ name: Integration Tests (Using Nx)
 run-name: ${{ github.actor }} is running Integration Tests
 on:
   pull_request:
-    branches:
-      - 2.4-develop
+    branches: ["**"]
 
 permissions:
   contents: write

.github/workflows/unit-tests.yml

@@ -2,8 +2,7 @@ name: Unit Tests
 run-name: ${{ github.actor }} is running Unit Tests
 on:
   pull_request:
-    branches:
-      - 2.4-develop
+    branches: ["**"]
 
 permissions:
   contents: write

app/code/Magento/Catalog/Test/Mftf/Test/AdminApplyTierPriceToProductTest/StoreFrontDeleteProductImagesAssignedDifferentRolesTest.xml

@@ -77,7 +77,7 @@
             <!-- Go to the product page on StoreFront and see the Base image -->
             <amOnPage url="{{StorefrontProductPage.url($simpleProductOne.custom_attributes[url_key]$)}}" stepKey="goToProductPage"/>
             <waitForPageLoad stepKey="waitForPageLoad"/>
-            <seeElement selector="{{StorefrontProductMediaSection.imageFile('/adobe-base')}}" stepKey="seeBaseImageOnProductPage"/>
+            <waitForElementVisible selector="{{StorefrontProductMediaSection.imageFile('/adobe-base')}}" stepKey="seeBaseImageOnProductPage"/>
             <!-- Go to the category page and see the Small image -->
             <amOnPage url="{{StorefrontCategoryPage.url($testCategory.custom_attributes[url_key]$)}}" stepKey="goToCategoryPage"/>
             <waitForPageLoad stepKey="waitForPageLoadingToFinish"/>

app/code/Magento/Customer/Model/Plugin/UpdateCustomer.php

@@ -52,14 +52,19 @@ public function beforeSave(
         CustomerInterface $customer,
         ?string $passwordHash = null
     ): array {
-        $customerSessionId = $this->userContext->getUserType() === $this->userContext::USER_TYPE_CUSTOMER ?
-                             (int)$this->userContext->getUserId() : 0;
+        $userType = $this->userContext->getUserType();
+        $customerSessionId = (int)$this->userContext->getUserId();
         $customerId = (int)$this->request->getParam('customerId');
         $bodyParams = $this->request->getBodyParams();
-        if (!isset($bodyParams['customer']['Id']) && $customerId) {
-            if ($customerId === $customerSessionId || $customerSessionId === 0) {
-                $customer = $this->getUpdatedCustomer($customerRepository->getById($customerId), $customer);
-            }
+
+        if ($userType === UserContextInterface::USER_TYPE_CUSTOMER &&
+            !isset($bodyParams['customer']['Id']) &&
+            $customerId &&
+            $customerId === $customerSessionId
+        ) {
+            $customer = $this->getUpdatedCustomer($customerRepository->getById($customerId), $customer);
+        } elseif ($userType === UserContextInterface::USER_TYPE_ADMIN && $customerId) {
+            $customer = $this->getUpdatedCustomer($customerRepository->getById($customerId), $customer);
         }
 
         return [$customer, $passwordHash];

app/code/Magento/Customer/Plugin/Webapi/Controller/Rest/ValidateCustomerData.php

@@ -31,9 +31,6 @@
             </argument>
         </arguments>
     </type>
-    <type name="Magento\Webapi\Controller\Rest\ParamsOverrider">
-        <plugin name="validateCustomerData" type="Magento\Customer\Plugin\Webapi\Controller\Rest\ValidateCustomerData" sortOrder="1" disabled="false" />
-    </type>
     <preference for="Magento\Customer\Api\AccountManagementInterface"
                 type="Magento\Customer\Model\AccountManagementApi" />
 </config>

app/code/Magento/Customer/Test/Unit/Plugin/Webapi/Controller/Rest/ValidateCustomerDataTest.php

@@ -77,10 +77,6 @@ public function assign($cartId, AddressInterface $address, $useForShipping = fal
     {
         /** @var \Magento\Quote\Model\Quote $quote */
         $quote = $this->quoteRepository->getActive($cartId);
-
-        // validate the address
-        $this->addressValidator->validateWithExistingAddress($quote, $address);
-
         $address->setCustomerId($quote->getCustomerId());
         $quote->removeAddress($quote->getBillingAddress()->getId());
         $quote->setBillingAddress($address);

app/code/Magento/Customer/etc/webapi_rest/di.xml

@@ -121,27 +121,6 @@ public function validate(AddressInterface $addressData): bool
         return true;
     }
 
-    /**
-     * Validate Quest Address for guest user
-     *
-     * @param AddressInterface $address
-     * @param CartInterface $cart
-     * @return void
-     * @throws NoSuchEntityException
-     */
-    private function doValidateForGuestQuoteAddress(AddressInterface $address, CartInterface $cart): void
-    {
-        //validate guest cart address
-        if ($address->getId() !== null) {
-            $old = $cart->getAddressById($address->getId());
-            if ($old === false) {
-                throw new NoSuchEntityException(
-                    __('Invalid quote address id %1', $address->getId())
-                );
-            }
-        }
-    }
-
     /**
      * Validate address to be used for cart.
      *
@@ -153,9 +132,6 @@ private function doValidateForGuestQuoteAddress(AddressInterface $address, CartI
      */
     public function validateForCart(CartInterface $cart, AddressInterface $address): void
     {
-        if ($cart->getCustomerIsGuest()) {
-            $this->doValidateForGuestQuoteAddress($address, $cart);
-        }
         $this->doValidate($address, $cart->getCustomerIsGuest() ? null : (int) $cart->getCustomer()->getId());
     }
 
@@ -171,8 +147,8 @@ public function validateWithExistingAddress(CartInterface $cart, AddressInterfac
     {
         // check if address belongs to quote.
         if ($address->getId() !== null) {
-            $old = $cart->getAddressesCollection()->getItemById($address->getId());
-            if ($old === null) {
+            $old = $cart->getAddressById($address->getId());
+            if (empty($old)) {
                 throw new NoSuchEntityException(
                     __('Invalid quote address id %1', $address->getId())
                 );