Added user permission check

rogyar · rogyar · commit 0cf59de0e706 · 2018-11-02T11:33:02.000+02:00
diff --git a/app/code/Magento/QuoteGraphQl/Model/Resolver/CartAddress.php b/app/code/Magento/QuoteGraphQl/Model/Resolver/CartAddress.php
@@ -10,11 +10,13 @@
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\GraphQl\Config\Element\Field;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthorizationException;
 use Magento\Framework\GraphQl\Exception\GraphQlNoSuchEntityException;
 use Magento\Framework\GraphQl\Query\ResolverInterface;
 use Magento\Framework\GraphQl\Schema\Type\ResolveInfo;
 use Magento\Quote\Api\CartRepositoryInterface;
 use Magento\Quote\Model\MaskedQuoteIdToQuoteId;
+use Magento\QuoteGraphQl\Model\Authorization\IsCartMutationAllowedForCurrentUser;
 use Magento\QuoteGraphQl\Model\Resolver\Address\AddressDataProvider;
 
 /**
@@ -27,6 +29,11 @@ class CartAddress implements ResolverInterface
      */
     private $addressDataProvider;
 
+    /**
+     * @var IsCartMutationAllowedForCurrentUser
+     */
+    private $isCartMutationAllowedForCurrentUser;
+
     /**
      * @var CartRepositoryInterface
      */
@@ -43,36 +50,49 @@ class CartAddress implements ResolverInterface
      * @param MaskedQuoteIdToQuoteId $maskedQuoteIdToQuoteId
      * @param CartRepositoryInterface $cartRepository
      * @param AddressDataProvider $addressDataProvider
+     * @param IsCartMutationAllowedForCurrentUser $isCartMutationAllowedForCurrentUser
      */
     public function __construct(
         MaskedQuoteIdToQuoteId $maskedQuoteIdToQuoteId,
         CartRepositoryInterface $cartRepository,
-        AddressDataProvider $addressDataProvider
+        AddressDataProvider $addressDataProvider,
+        IsCartMutationAllowedForCurrentUser $isCartMutationAllowedForCurrentUser
     ) {
         $this->maskedQuoteIdToQuoteId = $maskedQuoteIdToQuoteId;
         $this->cartRepository = $cartRepository;
         $this->addressDataProvider = $addressDataProvider;
+        $this->isCartMutationAllowedForCurrentUser = $isCartMutationAllowedForCurrentUser;
     }
 
     /**
      * @inheritdoc
      */
     public function resolve(Field $field, $context, ResolveInfo $info, array $value = null, array $args = null)
     {
+        /* The cart_id is used instead of the model because some parent resolvers do not work
+           with cart model */
         if (!isset($value['cart_id'])) {
-            // TODO: consider the possibility to pass quote model instead od quote ID
             throw new LocalizedException(__('"cart_id" value should be specified'));
         }
 
+        $maskedCartId = $value['cart_id'];
+
         try {
-            $quoteId = $this->maskedQuoteIdToQuoteId->execute($value['cart_id']);
+            $quoteId = $this->maskedQuoteIdToQuoteId->execute($maskedCartId);
         } catch (NoSuchEntityException $exception) {
             throw new GraphQlNoSuchEntityException(
-                __('Could not find a cart with ID "%masked_cart_id"', ['masked_cart_id' => $value['cart_id']])
+                __('Could not find a cart with ID "%masked_cart_id"', ['masked_cart_id' => $maskedCartId])
             );
         }
 
-        // TODO: should we check customer permissions here as well?
+        if (false === $this->isCartMutationAllowedForCurrentUser->execute($quoteId)) {
+            throw new GraphQlAuthorizationException(
+                __(
+                    'The current user cannot perform operations on cart "%masked_cart_id"',
+                    ['masked_cart_id' => $maskedCartId]
+                )
+            );
+        }
 
         try {
             $quote = $this->cartRepository->get($quoteId);
diff --git a/app/code/Magento/QuoteGraphQl/Model/Resolver/ShippingMethod/SetShippingMethodsOnCart.php b/app/code/Magento/QuoteGraphQl/Model/Resolver/ShippingMethod/SetShippingMethodsOnCart.php
@@ -72,13 +72,17 @@ class SetShippingMethodsOnCart implements ResolverInterface
      * @param ArrayManager $arrayManager
      * @param MaskedQuoteIdToQuoteIdInterface $maskedQuoteIdToQuoteId
      * @param IsCartMutationAllowedForCurrentUser $isCartMutationAllowedForCurrentUser
+     * @param ShippingInformationManagementInterface $shippingInformationManagement
+     * @param QuoteAddressFactory $quoteAddressFactory
+     * @param QuoteAddressResource $quoteAddressResource
+     * @param ShippingInformationFactory $shippingInformationFactory
      */
     public function __construct(
         ArrayManager $arrayManager,
         MaskedQuoteIdToQuoteIdInterface $maskedQuoteIdToQuoteId,
         IsCartMutationAllowedForCurrentUser $isCartMutationAllowedForCurrentUser,
         ShippingInformationManagementInterface $shippingInformationManagement,
-        QuoteAddressFactory $quoteAddressFacrory,
+        QuoteAddressFactory $quoteAddressFactory,
         QuoteAddressResource $quoteAddressResource,
         ShippingInformationFactory $shippingInformationFactory
     ) {
@@ -88,7 +92,7 @@ public function __construct(
         $this->shippingInformationManagement = $shippingInformationManagement;
 
         $this->quoteAddressResource = $quoteAddressResource;
-        $this->quoteAddressFactory = $quoteAddressFacrory;
+        $this->quoteAddressFactory = $quoteAddressFactory;
         $this->shippingInformationFactory = $shippingInformationFactory;
     }
 
