magento
diff --git a/‎app/code/Magento/Customer/Model/Customer/Authorization.php
Lines changed: 82 additions & 0 deletions b/‎app/code/Magento/Customer/Model/Customer/Authorization.php
Lines changed: 82 additions & 0 deletions
diff --git a/‎app/code/Magento/Customer/Model/Customer/AuthorizationComposite.php
Lines changed: 50 additions & 0 deletions b/‎app/code/Magento/Customer/Model/Customer/AuthorizationComposite.php
Lines changed: 50 additions & 0 deletions
diff --git a/‎app/code/Magento/Customer/Model/Plugin/CustomerAuthorization.php
Lines changed: 19 additions & 57 deletions b/‎app/code/Magento/Customer/Model/Plugin/CustomerAuthorization.php
Lines changed: 19 additions & 57 deletions
diff --git a/‎app/code/Magento/Customer/etc/webapi_rest/di.xml
Lines changed: 9 additions & 0 deletions b/‎app/code/Magento/Customer/etc/webapi_rest/di.xml
Lines changed: 9 additions & 0 deletions
diff --git a/‎app/code/Magento/Customer/etc/webapi_soap/di.xml
Lines changed: 9 additions & 0 deletions b/‎app/code/Magento/Customer/etc/webapi_soap/di.xml
Lines changed: 9 additions & 0 deletions
diff --git a/‎app/code/Magento/Persistent/Model/Customer/Authorization.php
Lines changed: 58 additions & 0 deletions b/‎app/code/Magento/Persistent/Model/Customer/Authorization.php
Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,82 @@
+<?php
+/**
+ *
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Customer\Model\Customer;
+
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\Customer\Model\CustomerFactory;
+use Magento\Customer\Model\ResourceModel\Customer as CustomerResource;
+use Magento\Framework\AuthorizationInterface;
+use Magento\Integration\Api\AuthorizationServiceInterface as AuthorizationService;
+use Magento\Store\Model\StoreManagerInterface;
+
+/**
+ * Checks if customer is logged in and authorized in the current store
+ */
+class Authorization implements AuthorizationInterface
+{
+    /**
+     * @var UserContextInterface
+     */
+    private $userContext;
+
+    /**
+     * @var CustomerFactory
+     */
+    private $customerFactory;
+
+    /**
+     * @var CustomerResource
+     */
+    private $customerResource;
+
+    /**
+     * @var StoreManagerInterface
+     */
+    private $storeManager;
+
+    /**
+     * Authorization constructor.
+     *
+     * @param UserContextInterface $userContext
+     * @param CustomerFactory $customerFactory
+     * @param CustomerResource $customerResource
+     * @param StoreManagerInterface $storeManager
+     */
+    public function __construct(
+        UserContextInterface $userContext,
+        CustomerFactory $customerFactory,
+        CustomerResource $customerResource,
+        StoreManagerInterface $storeManager
+    ) {
+        $this->userContext = $userContext;
+        $this->customerFactory = $customerFactory;
+        $this->customerResource = $customerResource;
+        $this->storeManager = $storeManager;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function isAllowed($resource, $privilege = null)
+    {
+        if ($resource === AuthorizationService::PERMISSION_SELF
+            && $this->userContext->getUserId()
+            && $this->userContext->getUserType() === UserContextInterface::USER_TYPE_CUSTOMER
+        ) {
+            $customer = $this->customerFactory->create();
+            $this->customerResource->load($customer, $this->userContext->getUserId());
+            $currentStoreId = $this->storeManager->getStore()->getId();
+            $sharedStoreIds = $customer->getSharedStoreIds();
+
+            return in_array($currentStoreId, $sharedStoreIds);
+        }
+
+        return false;
+    }
+}
@@ -0,0 +1,50 @@
+<?php
+/**
+ *
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Customer\Model\Customer;
+
+use Magento\Framework\AuthorizationInterface;
+
+/**
+ * Class to invalidate user credentials
+ */
+class AuthorizationComposite implements AuthorizationInterface
+{
+    /**
+     * @var AuthorizationInterface[]
+     */
+    private $authorizationChecks;
+
+    /**
+     * AuthorizationComposite constructor.
+     *
+     * @param AuthorizationInterface[] $authorizationChecks
+     */
+    public function __construct(
+        array $authorizationChecks
+    ) {
+        $this->authorizationChecks = $authorizationChecks;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function isAllowed($resource, $privilege = null)
+    {
+        $result = false;
+
+        foreach ($this->authorizationChecks as $authorizationCheck) {
+            $result = $authorizationCheck->isAllowed($resource, $privilege);
+            if (!$result) {
+                break;
+            }
+        }
+
+        return $result;
+    }
+}
@@ -6,11 +6,9 @@
 
 namespace Magento\Customer\Model\Plugin;
 
-use Magento\Authorization\Model\UserContextInterface;
-use Magento\Customer\Model\CustomerFactory;
-use Magento\Customer\Model\ResourceModel\Customer as CustomerResource;
-use Magento\Integration\Api\AuthorizationServiceInterface as AuthorizationService;
-use Magento\Store\Model\StoreManagerInterface;
+use Closure;
+use Magento\Customer\Model\Customer\AuthorizationComposite;
+use Magento\Framework\Authorization;
 
 /**
  * Plugin around \Magento\Framework\Authorization::isAllowed
@@ -20,74 +18,38 @@
 class CustomerAuthorization
 {
     /**
-     * @var UserContextInterface
+     * @var AuthorizationComposite
      */
-    private $userContext;
-
-    /**
-     * @var CustomerFactory
-     */
-    private $customerFactory;
-
-    /**
-     * @var CustomerResource
-     */
-    private $customerResource;
-
-    /**
-     * @var StoreManagerInterface
-     */
-    private $storeManager;
+    private $authorizationComposite;
 
     /**
      * Inject dependencies.
-     *
-     * @param UserContextInterface $userContext
-     * @param CustomerFactory $customerFactory
-     * @param CustomerResource $customerResource
-     * @param StoreManagerInterface $storeManager
+     * @param AuthorizationComposite $composite
      */
     public function __construct(
-        UserContextInterface $userContext,
-        CustomerFactory $customerFactory,
-        CustomerResource $customerResource,
-        StoreManagerInterface $storeManager
+        AuthorizationComposite $composite
     ) {
-        $this->userContext = $userContext;
-        $this->customerFactory = $customerFactory;
-        $this->customerResource = $customerResource;
-        $this->storeManager = $storeManager;
+        $this->authorizationComposite = $composite;
     }
 
     /**
-     * Check if resource for which access is needed has self permissions defined in webapi config.
+     * Verify if to allow customer users to access resources with self permission
      *
-     * @param \Magento\Framework\Authorization $subject
-     * @param callable $proceed
-     * @param string $resource
-     * @param string $privilege
-     *
-     * @return bool true If resource permission is self, to allow
-     * customer access without further checks in parent method
      * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     * @param Authorization $subject
+     * @param Closure $proceed
+     * @param string $resource
+     * @param mixed $privilege
+     * @return bool
      */
     public function aroundIsAllowed(
-        \Magento\Framework\Authorization $subject,
-        \Closure $proceed,
-        $resource,
+        Authorization $subject,
+        Closure $proceed,
+        string $resource,
         $privilege = null
     ) {
-        if ($resource == AuthorizationService::PERMISSION_SELF
-            && $this->userContext->getUserId()
-            && $this->userContext->getUserType() === UserContextInterface::USER_TYPE_CUSTOMER
-        ) {
-            $customer = $this->customerFactory->create();
-            $this->customerResource->load($customer, $this->userContext->getUserId());
-            $currentStoreId = $this->storeManager->getStore()->getId();
-            $sharedStoreIds = $customer->getSharedStoreIds();
-            if (in_array($currentStoreId, $sharedStoreIds)) {
-                return true;
-            }
+        if ($this->authorizationComposite->isAllowed($resource, $privilege)) {
+            return true;
         }
 
         return $proceed($resource, $privilege);
 
@@ -22,4 +22,13 @@
     <type name="Magento\Customer\Api\CustomerRepositoryInterface">
         <plugin name="updateCustomerByIdFromRequest" type="Magento\Customer\Model\Plugin\UpdateCustomer" />
     </type>
+    <type name="Magento\Customer\Model\Customer\AuthorizationComposite">
+        <arguments>
+            <argument name="authorizationChecks" xsi:type="array">
+                <item name="rest_customer_authorization" xsi:type="object">
+                    Magento\Customer\Model\Customer\Authorization
+                </item>
+            </argument>
+        </arguments>
+    </type>
 </config>
@@ -9,4 +9,13 @@
      <type name="Magento\Framework\Authorization">
         <plugin name="customerAuthorization" type="Magento\Customer\Model\Plugin\CustomerAuthorization" />
     </type>
+    <type name="Magento\Customer\Model\Customer\AuthorizationComposite">
+        <arguments>
+            <argument name="authorizationChecks" xsi:type="array">
+                <item name="soap_customer_authorization" xsi:type="object">
+                    Magento\Customer\Model\Customer\Authorization
+                </item>
+            </argument>
+        </arguments>
+    </type>
 </config>
@@ -0,0 +1,58 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Persistent\Model\Customer;
+
+use Magento\Customer\Model\Session as CustomerSession;
+use Magento\Framework\AuthorizationInterface;
+use Magento\Persistent\Helper\Session as PersistentSession;
+
+/**
+ * Authorization logic for persistent customers
+ *
+ * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
+ */
+class Authorization implements AuthorizationInterface
+{
+    /**
+     * @var CustomerSession
+     */
+    private $customerSession;
+
+    /**
+     * @var PersistentSession
+     */
+    private $persistentSession;
+
+    /**
+     * @param CustomerSession $customerSession
+     * @param PersistentSession $persistentSession
+     */
+    public function __construct(
+        CustomerSession $customerSession,
+        PersistentSession $persistentSession
+    ) {
+        $this->customerSession = $customerSession;
+        $this->persistentSession = $persistentSession;
+    }
+
+    /**
+     * @inheritdoc
+     *
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function isAllowed(
+        $resource,
+        $privilege = null
+    ) {
+        if ($this->persistentSession->isPersistent() && !$this->customerSession->isLoggedIn()) {
+            return false;
+        }
+
+        return true;
+    }
+}