MAGETWO-96010: [2.2] Restricted admin still able to send order comment email modifying POST request

SeruyV · SeruyV · commit 285c6f4644ed · 2019-01-16T11:25:10.000+02:00
- Controller fix

- Added Unit test
diff --git a/app/code/Magento/Sales/Controller/Adminhtml/Order/AddComment.php b/app/code/Magento/Sales/Controller/Adminhtml/Order/AddComment.php
@@ -9,17 +9,27 @@
 use Magento\Backend\App\Action;
 use Magento\Sales\Model\Order\Email\Sender\OrderCommentSender;
 
+/**
+ * Controller to execute Adding Comments.
+ */
 class AddComment extends \Magento\Sales\Controller\Adminhtml\Order
 {
     /**
-     * Authorization level of a basic admin session
+     * Authorization level of a basic admin session.
      *
      * @see _isAllowed()
      */
     const ADMIN_RESOURCE = 'Magento_Sales::comment';
 
     /**
-     * Add order comment action
+     * ACL resource needed to send comment email notification.
+     *
+     * @see _isAllowed()
+     */
+    const ADMIN_SALES_EMAIL_RESOURCE = 'Magento_Sales::emails';
+
+    /**
+     * Add order comment action.
      *
      * @return \Magento\Framework\Controller\ResultInterface
      */
@@ -33,8 +43,12 @@ public function execute()
                     throw new \Magento\Framework\Exception\LocalizedException(__('Please enter a comment.'));
                 }
 
-                $notify = isset($data['is_customer_notified']) ? $data['is_customer_notified'] : false;
-                $visible = isset($data['is_visible_on_front']) ? $data['is_visible_on_front'] : false;
+                $notify = $data['is_customer_notified'] ?? false;
+                $visible = $data['is_visible_on_front'] ?? false;
+
+                if ($notify && !$this->_authorization->isAllowed(self::ADMIN_SALES_EMAIL_RESOURCE)) {
+                    $notify = false;
+                }
 
                 $history = $order->addStatusHistoryComment($data['comment'], $data['status']);
                 $history->setIsVisibleOnFront($visible);
@@ -59,9 +73,11 @@ public function execute()
             if (is_array($response)) {
                 $resultJson = $this->resultJsonFactory->create();
                 $resultJson->setData($response);
+
                 return $resultJson;
             }
         }
+
         return $this->resultRedirectFactory->create()->setPath('sales/*/');
     }
 }
diff --git a/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/AddCommentTest.php b/app/code/Magento/Sales/Test/Unit/Controller/Adminhtml/Order/AddCommentTest.php
@@ -0,0 +1,185 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Sales\Test\Unit\Controller\Adminhtml\Order;
+
+/**
+ * Test for AddComment.
+ *
+ */
+class AddCommentTest extends \PHPUnit\Framework\TestCase
+{
+    /**
+     * @var \Magento\Sales\Controller\Adminhtml\Order\AddComment
+     */
+    private $addCommentController;
+
+    /**
+     * @var \Magento\Backend\App\Action\Context|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $contextMock;
+
+    /**
+     * @var \Magento\Sales\Model\Order|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $orderMock;
+
+    /**
+     * @var \Magento\Backend\Model\View\Result\RedirectFactory|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $resultRedirectFactoryMock;
+
+    /**
+     * @var \Magento\Backend\Model\View\Result\Redirect|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $resultRedirectMock;
+
+    /**
+     * @var \Magento\Framework\App\Request\Http|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $requestMock;
+
+    /**
+     * @var \Magento\Sales\Api\OrderRepositoryInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $orderRepositoryMock;
+
+    /**
+     * @var \Magento\Framework\AuthorizationInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $authorizationMock;
+
+    /**
+     * @var \Magento\Sales\Model\Order\Status\History|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $statusHistoryCommentMock;
+
+    /**
+     * @var \Magento\Framework\ObjectManagerInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $objectManagerMock;
+
+    /**
+     * @inheritdoc
+     */
+    protected function setUp()
+    {
+        $this->contextMock = $this->createMock(\Magento\Backend\App\Action\Context::class);
+        $this->requestMock = $this->createMock(\Magento\Framework\App\Request\Http::class);
+        $this->orderRepositoryMock = $this->createMock(\Magento\Sales\Api\OrderRepositoryInterface::class);
+        $this->orderMock = $this->createMock(\Magento\Sales\Model\Order::class);
+        $this->resultRedirectFactoryMock = $this->createMock(\Magento\Backend\Model\View\Result\RedirectFactory::class);
+        $this->resultRedirectMock = $this->createMock(\Magento\Backend\Model\View\Result\Redirect::class);
+        $this->authorizationMock = $this->createMock(\Magento\Framework\AuthorizationInterface::class);
+        $this->statusHistoryCommentMock = $this->createMock(\Magento\Sales\Model\Order\Status\History::class);
+        $this->objectManagerMock = $this->createMock(\Magento\Framework\ObjectManagerInterface::class);
+
+        $this->contextMock->expects($this->once())->method('getRequest')->willReturn($this->requestMock);
+
+        $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
+        $this->addCommentController = $objectManagerHelper->getObject(
+            \Magento\Sales\Controller\Adminhtml\Order\AddComment::class,
+            [
+                'context' => $this->contextMock,
+                'orderRepository' => $this->orderRepositoryMock,
+                '_authorization' => $this->authorizationMock,
+                '_objectManager' => $this->objectManagerMock,
+            ]
+        );
+    }
+
+    /**
+     * Test for execute method with different data.
+     *
+     * @param array $historyData
+     * @param bool $userHasResource
+     * @param bool $expectedNotify
+     *
+     * @return void
+     * @dataProvider executeWillNotifyCustomerDataProvider
+     */
+    public function testExecuteWillNotifyCustomer(array $historyData, bool $userHasResource, bool $expectedNotify)
+    {
+        $orderId = 30;
+        $this->requestMock->expects($this->once())->method('getParam')->with('order_id')->willReturn($orderId);
+        $this->orderRepositoryMock->expects($this->once())
+            ->method('get')
+            ->willReturn($this->orderMock);
+        $this->requestMock->expects($this->once())->method('getPost')->with('history')->willReturn($historyData);
+        $this->authorizationMock->expects($this->any())->method('isAllowed')->willReturn($userHasResource);
+        $this->orderMock->expects($this->once())
+            ->method('addStatusHistoryComment')
+            ->willReturn($this->statusHistoryCommentMock);
+        $this->statusHistoryCommentMock->expects($this->once())->method('setIsCustomerNotified')->with($expectedNotify);
+        $this->objectManagerMock->expects($this->once())->method('create')->willReturn(
+            $this->createMock(\Magento\Sales\Model\Order\Email\Sender\OrderCommentSender::class)
+        );
+
+        $this->addCommentController->execute();
+    }
+
+    /**
+     * Data provider for testExecuteWillNotifyCustomer method.
+     *
+     * @return array
+     */
+    public function executeWillNotifyCustomerDataProvider(): array
+    {
+        return [
+            'User Has Access - Notify True' => [
+                'postData' => [
+                    'comment' => 'Great Product!',
+                    'is_customer_notified' => true,
+                    'status' => 'Processing',
+                ],
+                'userHasResource' => true,
+                'expectedNotify' => true,
+            ],
+            'User Has Access - Notify False' => [
+                'postData' => [
+                    'comment' => 'Great Product!',
+                    'is_customer_notified' => false,
+                    'status' => 'Processing',
+                ],
+                'userHasResource' => true,
+                'expectedNotify' => false,
+            ],
+            'User Has Access - Notify Unset' => [
+                'postData' => [
+                    'comment' => 'Great Product!',
+                    'status' => 'Processing',
+                ],
+                'userHasResource' => true,
+                'expectedNotify' => false,
+            ],
+            'User No Access - Notify True' => [
+                'postData' => [
+                    'comment' => 'Great Product!',
+                    'is_customer_notified' => true,
+                    'status' => 'Processing',
+                ],
+                'userHasResource' => false,
+                'expectedNotify' => false,
+            ],
+            'User No Access - Notify False' => [
+                'postData' => [
+                    'comment' => 'Great Product!',
+                    'is_customer_notified' => false,
+                    'status' => 'Processing',
+                ],
+                'userHasResource' => false,
+                'expectedNotify' => false,
+            ],
+            'User No Access - Notify Unset' => [
+                'postData' => [
+                    'comment' => 'Great Product!',
+                    'status' => 'Processing',
+                ],
+                'userHasResource' => false,
+                'expectedNotify' => false,
+            ],
+        ];
+    }
+}
