ACP2E-1013: Product is not getting added to wishlist when customer login

Author: bubasuma

app/code/Magento/Wishlist/Controller/Index/Plugin.php

@@ -6,41 +6,48 @@
 namespace Magento\Wishlist\Controller\Index;
 
 use Magento\Customer\Model\Session as CustomerSession;
+use Magento\Framework\App\Action\HttpPostActionInterface;
+use Magento\Framework\App\ActionInterface;
 use Magento\Framework\Data\Form\FormKey;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Exception\NotFoundException;
 use Magento\Framework\App\Config\ScopeConfigInterface;
 use Magento\Framework\App\RequestInterface;
 use Magento\Framework\App\Response\RedirectInterface;
+use Magento\Framework\Message\ManagerInterface;
 use Magento\Store\Model\ScopeInterface;
+use Magento\Wishlist\Model\AuthenticationStateInterface;
 use Magento\Wishlist\Model\DataSerializer;
 
 /**
  * Wishlist plugin before dispatch
+ *
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class Plugin
 {
     /**
-     * @var \Magento\Customer\Model\Session
+     * @var CustomerSession
      */
     protected $customerSession;
 
     /**
-     * @var \Magento\Wishlist\Model\AuthenticationStateInterface
+     * @var AuthenticationStateInterface
      */
     protected $authenticationState;
 
     /**
-     * @var \Magento\Framework\App\Config\ScopeConfigInterface
+     * @var ScopeConfigInterface
      */
     protected $config;
 
     /**
-     * @var \Magento\Framework\App\Response\RedirectInterface
+     * @var RedirectInterface
      */
     protected $redirector;
 
     /**
-     * @var \Magento\Framework\Message\ManagerInterface
+     * @var ManagerInterface
      */
     private $messageManager;
 
@@ -54,23 +61,30 @@ class Plugin
      */
     private $formKey;
 
+    /**
+     * @var Validator
+     */
+    private $formKeyValidator;
+
     /**
      * @param CustomerSession $customerSession
-     * @param \Magento\Wishlist\Model\AuthenticationStateInterface $authenticationState
+     * @param AuthenticationStateInterface $authenticationState
      * @param ScopeConfigInterface $config
      * @param RedirectInterface $redirector
-     * @param \Magento\Framework\Message\ManagerInterface $messageManager
+     * @param ManagerInterface $messageManager
      * @param DataSerializer $dataSerializer
      * @param FormKey $formKey
+     * @param Validator $formKeyValidator
      */
     public function __construct(
         CustomerSession $customerSession,
-        \Magento\Wishlist\Model\AuthenticationStateInterface $authenticationState,
+        AuthenticationStateInterface $authenticationState,
         ScopeConfigInterface $config,
         RedirectInterface $redirector,
-        \Magento\Framework\Message\ManagerInterface $messageManager,
+        ManagerInterface $messageManager,
         DataSerializer $dataSerializer,
-        FormKey $formKey
+        FormKey $formKey,
+        Validator $formKeyValidator
     ) {
         $this->customerSession = $customerSession;
         $this->authenticationState = $authenticationState;
@@ -79,18 +93,19 @@ public function __construct(
         $this->messageManager = $messageManager;
         $this->dataSerializer = $dataSerializer;
         $this->formKey = $formKey;
+        $this->formKeyValidator = $formKeyValidator;
     }
 
     /**
      * Perform customer authentication and wishlist feature state checks
      *
-     * @param \Magento\Framework\App\ActionInterface $subject
+     * @param ActionInterface $subject
      * @param RequestInterface $request
      * @return void
-     * @throws \Magento\Framework\Exception\NotFoundException
+     * @throws NotFoundException
      * @SuppressWarnings(PHPMD.CyclomaticComplexity)
      */
-    public function beforeDispatch(\Magento\Framework\App\ActionInterface $subject, RequestInterface $request)
+    public function beforeDispatch(ActionInterface $subject, RequestInterface $request)
     {
         if ($this->authenticationState->isEnabled() && !$this->customerSession->authenticate()) {
             $subject->getActionFlag()->set('', 'no-dispatch', true);
@@ -99,25 +114,32 @@ public function beforeDispatch(\Magento\Framework\App\ActionInterface $subject,
             }
             $data = $request->getParams();
             unset($data['login']);
-            $this->customerSession->setBeforeWishlistRequest($data);
-            $this->customerSession->setBeforeRequestParams($this->customerSession->getBeforeWishlistRequest());
-            $this->customerSession->setBeforeModuleName('wishlist');
-            $this->customerSession->setBeforeControllerName('index');
-            $this->customerSession->setBeforeAction('add');
+            if (!($subject instanceof HttpPostActionInterface) || $this->formKeyValidator->validate($request)) {
+                $this->customerSession->setBeforeWishlistRequest($data);
+                $this->customerSession->setBeforeRequestParams($this->customerSession->getBeforeWishlistRequest());
+                $this->customerSession->setBeforeModuleName('wishlist');
+                $this->customerSession->setBeforeControllerName('index');
+                $this->customerSession->setBeforeAction($request->getActionName());
+            }
 
             if ($request->getActionName() === 'add') {
                 $this->messageManager->addErrorMessage(__('You must login or register to add items to your wishlist.'));
             }
         } elseif ($this->customerSession->authenticate()) {
             if ($this->customerSession->getBeforeWishlistRequest()) {
-                $request->setParams($this->customerSession->getBeforeWishlistRequest());
+                $data = $this->customerSession->getBeforeWishlistRequest();
+                // Bypass CSRF validation as the data comes from a request that was validated
+                $data['form_key'] = $this->formKey->getFormKey();
+                $request->clearParams();
+                $request->setParams($data);
                 $this->customerSession->unsBeforeWishlistRequest();
             } elseif ($request->getParam('token')) {
                 // check if the token is valid and retrieve the data
                 $data = $this->dataSerializer->unserialize($request->getParam('token'));
                 // Bypass CSRF validation if the token is valid
                 if ($data) {
                     $data['form_key'] = $this->formKey->getFormKey();
+                    $request->clearParams();
                     $request->setParams($data);
                 }
             }

app/code/Magento/Wishlist/Test/Unit/Controller/Index/PluginTest.php

@@ -15,6 +15,7 @@
 use Magento\Framework\App\Request\Http;
 use Magento\Framework\App\Response\RedirectInterface;
 use Magento\Framework\Data\Form\FormKey;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Message\ManagerInterface;
 use Magento\Store\App\Response\Redirect;
 use Magento\Store\Model\ScopeInterface;
@@ -73,6 +74,11 @@ class PluginTest extends TestCase
      */
     private $formKey;
 
+    /**
+     * @var Validator|MockObject
+     */
+    private $formKeyValidator;
+
     /**
      * @inheritdoc
      */
@@ -101,6 +107,7 @@ protected function setUp(): void
         $this->request = $this->createMock(Http::class);
         $this->dataSerializer = $this->createMock(DataSerializer::class);
         $this->formKey = $this->createMock(FormKey::class);
+        $this->formKeyValidator = $this->createMock(Validator::class);
     }
 
     /**
@@ -115,7 +122,8 @@ protected function getPlugin()
             $this->redirector,
             $this->messageManager,
             $this->dataSerializer,
-            $this->formKey
+            $this->formKey,
+            $this->formKeyValidator
         );
     }
 
@@ -157,6 +165,11 @@ public function testBeforeDispatch()
             ->method('getParams')
             ->willReturn($params);
 
+        $this->request
+            ->expects($this->exactly(2))
+            ->method('getActionName')
+            ->willReturn('add');
+
         $this->customerSession->expects($this->once())
             ->method('authenticate')
             ->willReturn(false);

dev/tests/integration/testsuite/Magento/Wishlist/Controller/Index/AddTest.php

@@ -10,8 +10,10 @@
 use Magento\Catalog\Api\ProductRepositoryInterface;
 use Magento\Customer\Model\Session;
 use Magento\Framework\App\Request\Http as HttpRequest;
+use Magento\Framework\App\ResponseInterface;
 use Magento\Framework\Escaper;
 use Magento\Framework\Message\MessageInterface;
+use Magento\TestFramework\Helper\Bootstrap;
 use Magento\TestFramework\TestCase\AbstractController;
 use Magento\TestFramework\Wishlist\Model\GetWishlistByCustomerId;
 use Laminas\Stdlib\Parameters;
@@ -27,6 +29,7 @@
  * @magentoDbIsolation disabled
  * @magentoAppArea frontend
  * @magentoDataFixture Magento/Customer/_files/customer.php
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class AddTest extends AbstractController
 {
@@ -247,6 +250,41 @@ public function testAddToWishlistOnCustomerConfirmation(): void
         $this->assertSuccess((int)$customer->getId(), 1, $product->getName());
     }
 
+    /**
+     * @magentoConfigFixture current_store customer/captcha/enable 0
+     * @magentoDataFixture Magento/Customer/_files/customer.php
+     * @magentoDataFixture Magento/Catalog/_files/product_simple.php
+     */
+    public function testAddToWishlistBeforeLogin(): void
+    {
+        $this->prepareReferer();
+        $product = $this->productRepository->get('simple');
+        $this->performAddToWishListRequest(['product' => $product->getId()]);
+        $this->assertSessionMessages(
+            $this->equalTo([(string)__('You must login or register to add items to your wishlist.')]),
+            MessageInterface::TYPE_ERROR
+        );
+
+        // re-initialize the application to make a second request
+        Bootstrap::getInstance()->getBootstrap()->getApplication()->reinitialize();
+        $this->_objectManager = Bootstrap::getObjectManager();
+        $this->customerSession = $this->_objectManager->get(Session::class);
+        $this->_request = null;
+        $this->_response = null;
+
+        // login
+        $this->getRequest()->setMethod(HttpRequest::METHOD_POST);
+        $this->getRequest()->setPostValue([
+            'login' => [
+                'username' => 'customer@example.com',
+                'password' => 'password',
+            ],
+        ]);
+        $this->dispatch('customer/account/loginPost');
+        $this->assertTrue($this->customerSession->isLoggedIn());
+        $this->assertSuccess(1, 1, $product->getName());
+    }
+
     /**
      * Perform request add item to wish list.
      *