MAGETWO-37037: Customers information leak via checkout

Ievgen Shakhsuvarov · Ievgen Shakhsuvarov · commit 01441daf6910 · 2015-05-19T16:08:53.000+03:00
diff --git a/app/code/Magento/Multishipping/Model/Checkout/Type/Multishipping.php b/app/code/Magento/Multishipping/Model/Checkout/Type/Multishipping.php
@@ -11,6 +11,7 @@
 use Magento\Customer\Api\AddressRepositoryInterface;
 use Magento\Framework\Pricing\PriceCurrencyInterface;
 use Magento\Sales\Model\Order\Email\Sender\OrderSender;
+use Magento\Framework\Exception\LocalizedException;
 
 /**
  * Multishipping checkout model
@@ -453,6 +454,7 @@ public function setShippingItemsInformation($info)
      *
      * @param int $quoteItemId
      * @param array $data array('qty'=>$qty, 'address'=>$customerAddressId)
+     * @throws \Magento\Framework\Exception\LocalizedException
      * @return \Magento\Multishipping\Model\Checkout\Type\Multishipping
      * @SuppressWarnings(PHPMD.CyclomaticComplexity)
      * @SuppressWarnings(PHPMD.NPathComplexity)
@@ -462,6 +464,11 @@ protected function _addShippingItem($quoteItemId, $data)
         $qty = isset($data['qty']) ? (int)$data['qty'] : 1;
         //$qty       = $qty > 0 ? $qty : 1;
         $addressId = isset($data['address']) ? $data['address'] : false;
+
+        if (!$this->isAddressIdApplicable($addressId)) {
+            throw new LocalizedException(__('Please check shipping address information.'));
+        }
+
         $quoteItem = $this->getQuote()->getItemById($quoteItemId);
 
         if ($addressId && $quoteItem) {
@@ -503,10 +510,14 @@ protected function _addShippingItem($quoteItemId, $data)
      * Reimport customer address info to quote shipping address
      *
      * @param int $addressId customer address id
+     * @throws \Magento\Framework\Exception\LocalizedException
      * @return \Magento\Multishipping\Model\Checkout\Type\Multishipping
      */
     public function updateQuoteCustomerShippingAddress($addressId)
     {
+        if (!$this->isAddressIdApplicable($addressId)) {
+            throw new LocalizedException(__('Please check shipping address information.'));
+        }
         try {
             $address = $this->addressRepository->getById($addressId);
         } catch (\Exception $e) {
@@ -530,10 +541,14 @@ public function updateQuoteCustomerShippingAddress($addressId)
      * Reimport customer billing address to quote
      *
      * @param int $addressId customer address id
+     * @throws \Magento\Framework\Exception\LocalizedException
      * @return \Magento\Multishipping\Model\Checkout\Type\Multishipping
      */
     public function setQuoteCustomerBillingAddress($addressId)
     {
+        if (!$this->isAddressIdApplicable($addressId)) {
+            throw new LocalizedException(__('Please check billing address information.'));
+        }
         try {
             $address = $this->addressRepository->getById($addressId);
         } catch (\Exception $e) {
@@ -931,4 +946,22 @@ public function getCustomer()
     {
         return $this->_customerSession->getCustomerDataObject();
     }
+
+    /**
+     * Check if specified address ID belongs to customer.
+     *
+     * @param $addressId
+     * @return bool
+     */
+    protected function isAddressIdApplicable($addressId)
+    {
+        $applicableAddressIds = array_map(function($address) {
+            /** @var \Magento\Customer\Api\Data\AddressInterface $address */
+            return $address->getId();
+        }, $this->getCustomer()->getAddresses());
+        if (in_array($addressId, $applicableAddressIds)) {
+            return true;
+        }
+        return false;
+    }
 }
diff --git a/app/code/Magento/Multishipping/Test/Unit/Model/Checkout/Type/MultishippingTest.php b/app/code/Magento/Multishipping/Test/Unit/Model/Checkout/Type/MultishippingTest.php
@@ -0,0 +1,261 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Multishipping\Test\Unit\Model\Checkout\Type;
+
+class MultishippingTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var \Magento\Multishipping\Model\Checkout\Type\Multishipping
+     */
+    protected $model;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $checkoutSessionMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $customerSessionMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $customerMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $quoteMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $helperMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $filterBuilderMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $addressRepositoryMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $searchCriteriaBuilderMock;
+
+    protected function setUp()
+    {
+        $this->checkoutSessionMock = $this->getMock('\Magento\Checkout\Model\Session', [], [], '', false);
+        $this->customerSessionMock = $this->getMock('\Magento\Customer\Model\Session', [], [], '', false);
+        $orderFactoryMock = $this->getMock('\Magento\Sales\Model\OrderFactory', [], [], '', false);
+        $eventManagerMock = $this->getMock('\Magento\Framework\Event\ManagerInterface', [], [], '', false);
+        $scopeConfigMock = $this->getMock('\Magento\Framework\App\Config\ScopeConfigInterface', [], [], '', false);
+        $sessionMock = $this->getMock('\Magento\Framework\Session\Generic', [], [], '', false);
+        $addressFactoryMock = $this->getMock('\Magento\Quote\Model\Quote\AddressFactory', [], [], '', false);
+        $toOrderMock = $this->getMock('\Magento\Quote\Model\Quote\Address\ToOrder', [], [], '', false);
+        $toOrderAddressMock = $this->getMock('\Magento\Quote\Model\Quote\Address\ToOrderAddress', [], [], '', false);
+        $toOrderPaymentMock = $this->getMock('\Magento\Quote\Model\Quote\Payment\ToOrderPayment', [], [], '', false);
+        $toOrderItemMock = $this->getMock('\Magento\Quote\Model\Quote\Item\ToOrderItem', [], [], '', false);
+        $storeManagerMock = $this->getMock('\Magento\Store\Model\StoreManagerInterface', [], [], '', false);
+        $paymentSpecMock = $this->getMock('\Magento\Payment\Model\Method\SpecificationInterface', [], [], '', false);
+        $this->helperMock = $this->getMock('\Magento\Multishipping\Helper\Data', [], [], '', false);
+        $orderSenderMock = $this->getMock('\Magento\Sales\Model\Order\Email\Sender\OrderSender', [], [], '', false);
+        $priceMock = $this->getMock('\Magento\Framework\Pricing\PriceCurrencyInterface', [], [], '', false);
+        $quoteRepositoryMock = $this->getMock('\Magento\Quote\Model\QuoteRepository', [], [], '', false);
+        $this->filterBuilderMock = $this->getMock('\Magento\Framework\Api\FilterBuilder', [], [], '', false);
+        $this->searchCriteriaBuilderMock = $this->getMock(
+            '\Magento\Framework\Api\SearchCriteriaBuilder',
+            [],
+            [],
+            '',
+            false
+        );
+        $this->addressRepositoryMock = $this->getMock(
+            '\Magento\Customer\Api\AddressRepositoryInterface',
+            [],
+            [],
+            '',
+            false
+        );
+
+        /**
+         * This is used to get past _init() which is called in construct.
+         */
+        $data['checkout_session'] = $this->checkoutSessionMock;
+        $this->quoteMock = $this->getMock('\Magento\Quote\Model\Quote', [], [], '', false);
+        $this->customerMock = $this->getMock('\Magento\Customer\Api\Data\CustomerInterface', [], [], '', false);
+        $this->customerMock->expects($this->atLeastOnce())->method('getId')->willReturn(null);
+        $this->checkoutSessionMock->expects($this->atLeastOnce())->method('getQuote')->willReturn($this->quoteMock);
+        $this->customerSessionMock->expects($this->atLeastOnce())->method('getCustomerDataObject')
+            ->willReturn($this->customerMock);
+
+        $this->model = new \Magento\Multishipping\Model\Checkout\Type\Multishipping(
+            $this->checkoutSessionMock,
+            $this->customerSessionMock,
+            $orderFactoryMock,
+            $this->addressRepositoryMock,
+            $eventManagerMock,
+            $scopeConfigMock,
+            $sessionMock,
+            $addressFactoryMock,
+            $toOrderMock,
+            $toOrderAddressMock,
+            $toOrderPaymentMock,
+            $toOrderItemMock,
+            $storeManagerMock,
+            $paymentSpecMock,
+            $this->helperMock,
+            $orderSenderMock,
+            $priceMock,
+            $quoteRepositoryMock,
+            $this->searchCriteriaBuilderMock,
+            $this->filterBuilderMock,
+            $data
+        );
+    }
+
+    public function testSetShippingItemsInformation()
+    {
+        $info = [
+            [
+                1 => [
+                    'qty' => 2,
+                    'address' => 42
+                ]
+            ]
+        ];
+        $customerAddressId = 42;
+
+        $customerAddressMock = $this->getMock('\Magento\Customer\Model\Data\Address', [], [], '', false);
+        $customerAddressMock->expects($this->atLeastOnce())->method('getId')->willReturn($customerAddressId);
+        $customerAddresses = [$customerAddressMock];
+
+        $this->quoteMock->expects($this->once())->method('getAllShippingAddresses')->willReturn([]);
+        $this->checkoutSessionMock->expects($this->any())->method('getQuote')->willReturn($this->quoteMock);
+
+        $this->helperMock->expects($this->once())->method('getMaximumQty')->willReturn(500);
+
+        $this->customerMock->expects($this->once())->method('getAddresses')->willReturn($customerAddresses);
+        $this->quoteMock->expects($this->once())->method('getItemById')->with(array_keys($info[0])[0])
+            ->willReturn(null);
+
+        $this->quoteMock->expects($this->atLeastOnce())->method('getAllItems')->willReturn([]);
+
+        $this->filterBuilderMock->expects($this->atLeastOnce())->method('setField')->willReturnSelf();
+        $this->filterBuilderMock->expects($this->atLeastOnce())->method('setValue')->willReturnSelf();
+        $this->filterBuilderMock->expects($this->atLeastOnce())->method('setConditionType')->willReturnSelf();
+        $this->filterBuilderMock->expects($this->atLeastOnce())->method('create')->willReturnSelf();
+
+        $searchCriteriaMock = $this->getMock('\Magento\Framework\Api\SearchCriteria', [], [], '', false);
+        $this->searchCriteriaBuilderMock->expects($this->atLeastOnce())->method('addFilter')->willReturnSelf();
+        $this->searchCriteriaBuilderMock->expects($this->atLeastOnce())->method('create')
+            ->willReturn($searchCriteriaMock);
+
+        $resultMock = $this->getMock('\Magento\Customer\Api\Data\AddressSearchResultsInterface', [], [], '', false);
+        $this->addressRepositoryMock->expects($this->atLeastOnce())->method('getList')->willReturn($resultMock);
+        $addressItemMock = $this->getMock('\Magento\Customer\Api\Data\AddressInterface', [], [], '', false);
+        $resultMock->expects($this->atLeastOnce())->method('getItems')->willReturn([$addressItemMock]);
+        $addressItemMock->expects($this->atLeastOnce())->method('getId')->willReturn(null);
+
+        $this->assertEquals($this->model, $this->model->setShippingItemsInformation($info));
+    }
+
+    /**
+     * @expectedException \Magento\Framework\Exception\LocalizedException
+     * @expectedExceptionMessage Please check shipping address information.
+     */
+    public function testSetShippingItemsInformationForAddressLeak()
+    {
+        $info = [
+            [
+                1 => [
+                    'qty' => 2,
+                    'address' => 43
+                ]
+            ]
+        ];
+        $customerAddressId = 42;
+
+        $customerAddressMock = $this->getMock('\Magento\Customer\Model\Data\Address', [], [], '', false);
+        $customerAddressMock->expects($this->atLeastOnce())->method('getId')->willReturn($customerAddressId);
+        $customerAddresses = [$customerAddressMock];
+
+        $this->quoteMock->expects($this->once())->method('getAllShippingAddresses')->willReturn([]);
+        $this->checkoutSessionMock->expects($this->any())->method('getQuote')->willReturn($this->quoteMock);
+        $this->helperMock->expects($this->once())->method('getMaximumQty')->willReturn(500);
+        $this->customerMock->expects($this->once())->method('getAddresses')->willReturn($customerAddresses);
+
+        $this->assertEquals($this->model, $this->model->setShippingItemsInformation($info));
+    }
+
+    public function testupdateQuoteCustomerShippingAddress()
+    {
+        $addressId = 42;
+        $customerAddressId = 42;
+
+        $customerAddressMock = $this->getMock('\Magento\Customer\Model\Data\Address', [], [], '', false);
+        $customerAddressMock->expects($this->atLeastOnce())->method('getId')->willReturn($customerAddressId);
+        $customerAddresses = [$customerAddressMock];
+        $this->customerMock->expects($this->once())->method('getAddresses')->willReturn($customerAddresses);
+
+        $this->addressRepositoryMock->expects($this->once())->method('getById')->willReturn(null);
+
+        $this->assertEquals($this->model, $this->model->updateQuoteCustomerShippingAddress($addressId));
+    }
+
+    /**
+     * @expectedException \Magento\Framework\Exception\LocalizedException
+     * @expectedExceptionMessage Please check shipping address information.
+     */
+    public function testupdateQuoteCustomerShippingAddressForAddressLeak()
+    {
+        $addressId = 43;
+        $customerAddressId = 42;
+
+        $customerAddressMock = $this->getMock('\Magento\Customer\Model\Data\Address', [], [], '', false);
+        $customerAddressMock->expects($this->atLeastOnce())->method('getId')->willReturn($customerAddressId);
+        $customerAddresses = [$customerAddressMock];
+        $this->customerMock->expects($this->once())->method('getAddresses')->willReturn($customerAddresses);
+
+        $this->assertEquals($this->model, $this->model->updateQuoteCustomerShippingAddress($addressId));
+    }
+
+    public function testSetQuoteCustomerBillingAddress()
+    {
+        $addressId = 42;
+        $customerAddressId = 42;
+
+        $customerAddressMock = $this->getMock('\Magento\Customer\Model\Data\Address', [], [], '', false);
+        $customerAddressMock->expects($this->atLeastOnce())->method('getId')->willReturn($customerAddressId);
+        $customerAddresses = [$customerAddressMock];
+        $this->customerMock->expects($this->once())->method('getAddresses')->willReturn($customerAddresses);
+
+        $this->assertEquals($this->model, $this->model->setQuoteCustomerBillingAddress($addressId));
+    }
+
+    /**
+     * @expectedException \Magento\Framework\Exception\LocalizedException
+     * @expectedExceptionMessage Please check billing address information.
+     */
+    public function testSetQuoteCustomerBillingAddressForAddressLeak()
+    {
+        $addressId = 43;
+        $customerAddressId = 42;
+
+        $customerAddressMock = $this->getMock('\Magento\Customer\Model\Data\Address', [], [], '', false);
+        $customerAddressMock->expects($this->atLeastOnce())->method('getId')->willReturn($customerAddressId);
+        $customerAddresses = [$customerAddressMock];
+        $this->customerMock->expects($this->once())->method('getAddresses')->willReturn($customerAddresses);
+
+        $this->assertEquals($this->model, $this->model->setQuoteCustomerBillingAddress($addressId));
+    }
+}
diff --git a/app/code/Magento/Multishipping/i18n/en_US.csv b/app/code/Magento/Multishipping/i18n/en_US.csv
@@ -44,6 +44,7 @@ Change,Change
 "Please check shipping addresses information.","Please check shipping addresses information."
 "Please specify shipping methods for all addresses.","Please specify shipping methods for all addresses."
 "Please check billing address information.","Please check billing address information."
+"Please check shipping address information.","Please check shipping address information."
 "Select Addresses","Select Addresses"
 "Order Success","Order Success"
 "Default Billing","Default Billing"
