cia-2.4.7-beta1-bugfixes-02162023

 Merge branch 'AC-7832' into cia-2.4.7-beta1-develop-bugfixes-02162023

Author: pawan-adobe-security

app/code/Magento/QuoteGraphQl/Model/Resolver/RemoveItemFromCart.php

@@ -86,6 +86,8 @@ public function resolve(Field $field, $context, ResolveInfo $info, array $value
         $itemId = $processedArgs['input']['cart_item_id'];
 
         $storeId = (int)$context->getExtensionAttributes()->getStore()->getId();
+        /** Check if the current user is allowed to perform actions with the cart */
+        $cart = $this->getCartForUser->execute($maskedCartId, $context->getUserId(), $storeId);
 
         try {
             $this->cartItemRepository->deleteById($cartId, $itemId);
@@ -95,7 +97,6 @@ public function resolve(Field $field, $context, ResolveInfo $info, array $value
             throw new GraphQlInputException(__($e->getMessage()), $e);
         }
 
-        $cart = $this->getCartForUser->execute($maskedCartId, $context->getUserId(), $storeId);
         return [
             'cart' => [
                 'model' => $cart,

dev/tests/api-functional/testsuite/Magento/GraphQl/Quote/Customer/RemoveItemFromCartTest.php

@@ -11,6 +11,7 @@
 use Magento\GraphQl\Quote\GetQuoteItemIdByReservedQuoteIdAndSku;
 use Magento\Integration\Api\CustomerTokenServiceInterface;
 use Magento\TestFramework\Helper\Bootstrap;
+use Magento\TestFramework\TestCase\GraphQl\ResponseContainsErrorsException;
 use Magento\TestFramework\TestCase\GraphQlAbstract;
 
 /**
@@ -147,13 +148,56 @@ public function testRemoveItemFromAnotherCustomerCart()
             'test_quote',
             'simple_product'
         );
+        $query = $this->getQuery($anotherCustomerQuoteMaskedId, $anotherCustomerQuoteItemId);
 
-        $this->expectExceptionMessage(
-            "The current user cannot perform operations on cart \"$anotherCustomerQuoteMaskedId\""
-        );
+        try {
+            $this->graphQlMutation(
+                $query,
+                [],
+                '',
+                $this->getHeaderMap('customer2@search.example.com')
+            );
+            $this->fail('ResponseContainsErrorsException was not thrown');
+        } catch (ResponseContainsErrorsException $e) {
+            $this->assertStringContainsString(
+                "The current user cannot perform operations on cart \"$anotherCustomerQuoteMaskedId\"",
+                $e->getMessage()
+            );
+            $cartQuery = $this->getCartQuery($anotherCustomerQuoteMaskedId);
+            $cart = $this->graphQlQuery(
+                $cartQuery,
+                [],
+                '',
+                $this->getHeaderMap('customer@search.example.com')
+            );
+            $this->assertTrue(count($cart['cart']['items']) > 0, 'The cart is empty');
+            $this->assertTrue(
+                $cart['cart']['items'][0]['product']['sku'] === 'simple_product',
+                'The cart doesn\'t contain product'
+            );
+        }
+    }
 
-        $query = $this->getQuery($anotherCustomerQuoteMaskedId, $anotherCustomerQuoteItemId);
-        $this->graphQlMutation($query, [], '', $this->getHeaderMap('customer2@search.example.com'));
+    /**
+     * @param string $maskedQuoteId
+     * @return string
+     */
+    private function getCartQuery(string $maskedQuoteId): string
+    {
+        return <<<QUERY
+{
+  cart(cart_id: "{$maskedQuoteId}") {
+    id
+    items {
+      id
+      quantity
+      product {
+        sku
+      }
+    }
+  }
+}
+QUERY;
     }
 
     /**