MAGETWO-51390: Private Data of Registered Customer May Be Retrieved with Quote Web API by Anonymous

Author: irenelagno

app/code/Magento/Quote/Model/QuoteManagement.php

@@ -21,6 +21,7 @@
 use Magento\Sales\Api\OrderManagementInterface as OrderManagement;
 use Magento\Store\Model\StoreManagerInterface;
 use Magento\Quote\Model\Quote\Address;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * Class QuoteManagement
@@ -130,6 +131,11 @@ class QuoteManagement implements \Magento\Quote\Api\CartManagementInterface
      */
     protected $quoteFactory;
 
+    /**
+     * @var QuoteIdMaskFactory
+     */
+    private $quoteIdMaskFactory;
+
     /**
      * @param EventManager $eventManager
      * @param QuoteValidator $quoteValidator
@@ -263,6 +269,8 @@ public function assignCustomer($cartId, $customerId, $storeId)
         $quote->setCustomer($customer);
         $quote->setCustomerIsGuest(0);
         $this->quoteRepository->save($quote);
+        $quoteFactory = $this->getQuoteIdMaskFactory();
+        $quoteFactory->create()->load($cartId, 'quote_id')->delete();
         return true;
 
     }
@@ -547,4 +555,15 @@ protected function _prepareCustomerQuote($quote)
             $shipping->setIsDefaultBilling(true);
         }
     }
+
+    /**
+     * @return QuoteIdMaskFactory
+     */
+    private function getQuoteIdMaskFactory()
+    {
+        if (!$this->quoteIdMaskFactory) {
+            $this->quoteIdMaskFactory = ObjectManager::getInstance()->get(QuoteIdMaskFactory::class);
+        }
+        return $this->quoteIdMaskFactory;
+    }
 }

dev/tests/api-functional/testsuite/Magento/Quote/Api/GuestCartManagementTest.php

@@ -70,9 +70,9 @@ public function testAssignCustomer()
         $quote = $this->objectManager->create('Magento\Quote\Model\Quote')->load('test01', 'reserved_order_id');
         $cartId = $quote->getId();
         /** @var \Magento\Quote\Model\QuoteIdMask $quoteIdMask */
-        $quoteIdMask = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()
-            ->create('Magento\Quote\Model\QuoteIdMaskFactory')
-            ->create();
+        $quoteIdMaskFactory = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()
+            ->create('Magento\Quote\Model\QuoteIdMaskFactory');
+        $quoteIdMask = $quoteIdMaskFactory->create();
         $quoteIdMask->load($cartId, 'quote_id');
         //Use masked cart Id
         $cartId = $quoteIdMask->getMaskedId();
@@ -110,6 +110,7 @@ public function testAssignCustomer()
         $this->assertEquals($customer->getId(), $quote->getCustomerId());
         $this->assertEquals($customer->getFirstname(), $quote->getCustomerFirstname());
         $this->assertEquals($customer->getLastname(), $quote->getCustomerLastname());
+        $this->assertNull($quoteIdMaskFactory->create()->load($cartId, 'masked_id')->getId());
     }
 
     /**