ACP2E-1339: Orders can be placed via Rest API as a guest user even when "Allow Guest Checkout" is turned off

Author: bubasuma

app/code/Magento/Checkout/Plugin/Api/VerifyIsGuestCheckoutEnabledBeforeAssignBillingAddress.php

@@ -0,0 +1,68 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Checkout\Plugin\Api;
+
+use Magento\Checkout\Helper\Data as CheckoutHelper;
+use Magento\Framework\Exception\CouldNotSaveException;
+use Magento\Quote\Api\CartRepositoryInterface;
+use Magento\Quote\Api\GuestBillingAddressManagementInterface;
+use Magento\Quote\Model\QuoteIdMask;
+use Magento\Quote\Model\QuoteIdMaskFactory;
+
+class VerifyIsGuestCheckoutEnabledBeforeAssignBillingAddress
+{
+    /**
+     * @var CheckoutHelper
+     */
+    private CheckoutHelper $checkoutHelper;
+
+    /**
+     * @var QuoteIdMaskFactory
+     */
+    private QuoteIdMaskFactory $quoteIdMaskFactory;
+
+    /**
+     * @var CartRepositoryInterface
+     */
+    private CartRepositoryInterface $cartRepository;
+
+    /**
+     * @param CheckoutHelper $checkoutHelper
+     * @param QuoteIdMaskFactory $quoteIdMaskFactory
+     * @param CartRepositoryInterface $cartRepository
+     */
+    public function __construct(
+        CheckoutHelper $checkoutHelper,
+        QuoteIdMaskFactory $quoteIdMaskFactory,
+        CartRepositoryInterface $cartRepository
+    ) {
+        $this->checkoutHelper = $checkoutHelper;
+        $this->quoteIdMaskFactory = $quoteIdMaskFactory;
+        $this->cartRepository = $cartRepository;
+    }
+
+    /**
+     * Checks whether guest checkout is enabled before assigning billing address
+     *
+     * @param GuestBillingAddressManagementInterface $subject
+     * @param string $cartId
+     * @return void
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function beforeAssign(
+        GuestBillingAddressManagementInterface $subject,
+        $cartId
+    ): void {
+        /** @var $quoteIdMask QuoteIdMask */
+        $quoteIdMask = $this->quoteIdMaskFactory->create()->load($cartId, 'masked_id');
+        $quote = $this->cartRepository->get($quoteIdMask->getQuoteId());
+        if (!$this->checkoutHelper->isAllowedGuestCheckout($quote)) {
+            throw new CouldNotSaveException(__('Sorry, guest checkout is not available.'));
+        }
+    }
+}

app/code/Magento/Checkout/Plugin/Api/VerifyIsGuestCheckoutEnabledBeforePlaceOrder.php

@@ -0,0 +1,68 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Checkout\Plugin\Api;
+
+use Magento\Checkout\Helper\Data as CheckoutHelper;
+use Magento\Framework\Exception\CouldNotSaveException;
+use Magento\Quote\Api\CartRepositoryInterface;
+use Magento\Quote\Api\GuestCartManagementInterface;
+use Magento\Quote\Model\QuoteIdMask;
+use Magento\Quote\Model\QuoteIdMaskFactory;
+
+class VerifyIsGuestCheckoutEnabledBeforePlaceOrder
+{
+    /**
+     * @var CheckoutHelper
+     */
+    private CheckoutHelper $checkoutHelper;
+
+    /**
+     * @var QuoteIdMaskFactory
+     */
+    private QuoteIdMaskFactory $quoteIdMaskFactory;
+
+    /**
+     * @var CartRepositoryInterface
+     */
+    private CartRepositoryInterface $cartRepository;
+
+    /**
+     * @param CheckoutHelper $checkoutHelper
+     * @param QuoteIdMaskFactory $quoteIdMaskFactory
+     * @param CartRepositoryInterface $cartRepository
+     */
+    public function __construct(
+        CheckoutHelper $checkoutHelper,
+        QuoteIdMaskFactory $quoteIdMaskFactory,
+        CartRepositoryInterface $cartRepository
+    ) {
+        $this->checkoutHelper = $checkoutHelper;
+        $this->quoteIdMaskFactory = $quoteIdMaskFactory;
+        $this->cartRepository = $cartRepository;
+    }
+
+    /**
+     * Checks whether guest checkout is enabled before placing order
+     *
+     * @param GuestCartManagementInterface $subject
+     * @param string $cartId
+     * @return void
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function beforePlaceOrder(
+        GuestCartManagementInterface $subject,
+        $cartId
+    ): void {
+        /** @var $quoteIdMask QuoteIdMask */
+        $quoteIdMask = $this->quoteIdMaskFactory->create()->load($cartId, 'masked_id');
+        $quote = $this->cartRepository->get($quoteIdMask->getQuoteId());
+        if (!$this->checkoutHelper->isAllowedGuestCheckout($quote)) {
+            throw new CouldNotSaveException(__('Sorry, guest checkout is not available.'));
+        }
+    }
+}

app/code/Magento/Checkout/Plugin/Api/VerifyIsGuestCheckoutEnabledBeforeSavePaymentInformation.php

@@ -0,0 +1,68 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Checkout\Plugin\Api;
+
+use Magento\Checkout\Api\GuestPaymentInformationManagementInterface;
+use Magento\Checkout\Helper\Data as CheckoutHelper;
+use Magento\Framework\Exception\CouldNotSaveException;
+use Magento\Quote\Api\CartRepositoryInterface;
+use Magento\Quote\Model\QuoteIdMask;
+use Magento\Quote\Model\QuoteIdMaskFactory;
+
+class VerifyIsGuestCheckoutEnabledBeforeSavePaymentInformation
+{
+    /**
+     * @var CheckoutHelper
+     */
+    private CheckoutHelper $checkoutHelper;
+
+    /**
+     * @var QuoteIdMaskFactory
+     */
+    private QuoteIdMaskFactory $quoteIdMaskFactory;
+
+    /**
+     * @var CartRepositoryInterface
+     */
+    private CartRepositoryInterface $cartRepository;
+
+    /**
+     * @param CheckoutHelper $checkoutHelper
+     * @param QuoteIdMaskFactory $quoteIdMaskFactory
+     * @param CartRepositoryInterface $cartRepository
+     */
+    public function __construct(
+        CheckoutHelper $checkoutHelper,
+        QuoteIdMaskFactory $quoteIdMaskFactory,
+        CartRepositoryInterface $cartRepository
+    ) {
+        $this->checkoutHelper = $checkoutHelper;
+        $this->quoteIdMaskFactory = $quoteIdMaskFactory;
+        $this->cartRepository = $cartRepository;
+    }
+
+    /**
+     * Checks whether guest checkout is enabled before saving payment information
+     *
+     * @param GuestPaymentInformationManagementInterface $subject
+     * @param string $cartId
+     * @return void
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function beforeSavePaymentInformation(
+        GuestPaymentInformationManagementInterface $subject,
+        $cartId
+    ): void {
+        /** @var $quoteIdMask QuoteIdMask */
+        $quoteIdMask = $this->quoteIdMaskFactory->create()->load($cartId, 'masked_id');
+        $quote = $this->cartRepository->get($quoteIdMask->getQuoteId());
+        if (!$this->checkoutHelper->isAllowedGuestCheckout($quote)) {
+            throw new CouldNotSaveException(__('Sorry, guest checkout is not available.'));
+        }
+    }
+}

app/code/Magento/Checkout/Plugin/Api/VerifyIsGuestCheckoutEnabledBeforeSaveShippingInformation.php

@@ -0,0 +1,68 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Checkout\Plugin\Api;
+
+use Magento\Checkout\Api\GuestShippingInformationManagementInterface;
+use Magento\Checkout\Helper\Data as CheckoutHelper;
+use Magento\Framework\Exception\CouldNotSaveException;
+use Magento\Quote\Api\CartRepositoryInterface;
+use Magento\Quote\Model\QuoteIdMask;
+use Magento\Quote\Model\QuoteIdMaskFactory;
+
+class VerifyIsGuestCheckoutEnabledBeforeSaveShippingInformation
+{
+    /**
+     * @var CheckoutHelper
+     */
+    private CheckoutHelper $checkoutHelper;
+
+    /**
+     * @var QuoteIdMaskFactory
+     */
+    private QuoteIdMaskFactory $quoteIdMaskFactory;
+
+    /**
+     * @var CartRepositoryInterface
+     */
+    private CartRepositoryInterface $cartRepository;
+
+    /**
+     * @param CheckoutHelper $checkoutHelper
+     * @param QuoteIdMaskFactory $quoteIdMaskFactory
+     * @param CartRepositoryInterface $cartRepository
+     */
+    public function __construct(
+        CheckoutHelper $checkoutHelper,
+        QuoteIdMaskFactory $quoteIdMaskFactory,
+        CartRepositoryInterface $cartRepository
+    ) {
+        $this->checkoutHelper = $checkoutHelper;
+        $this->quoteIdMaskFactory = $quoteIdMaskFactory;
+        $this->cartRepository = $cartRepository;
+    }
+
+    /**
+     * Checks whether guest checkout is enabled before saving shipping information
+     *
+     * @param GuestShippingInformationManagementInterface $subject
+     * @param string $cartId
+     * @return void
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function beforeSaveAddressInformation(
+        GuestShippingInformationManagementInterface $subject,
+        $cartId
+    ): void {
+        /** @var $quoteIdMask QuoteIdMask */
+        $quoteIdMask = $this->quoteIdMaskFactory->create()->load($cartId, 'masked_id');
+        $quote = $this->cartRepository->get($quoteIdMask->getQuoteId());
+        if (!$this->checkoutHelper->isAllowedGuestCheckout($quote)) {
+            throw new CouldNotSaveException(__('Sorry, guest checkout is not available.'));
+        }
+    }
+}

app/code/Magento/Checkout/Plugin/Api/VerifyIsGuestCheckoutEnabledBeforeSetPaymentMethod.php

@@ -0,0 +1,68 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Checkout\Plugin\Api;
+
+use Magento\Checkout\Helper\Data as CheckoutHelper;
+use Magento\Framework\Exception\CouldNotSaveException;
+use Magento\Quote\Api\CartRepositoryInterface;
+use Magento\Quote\Api\GuestPaymentMethodManagementInterface;
+use Magento\Quote\Model\QuoteIdMask;
+use Magento\Quote\Model\QuoteIdMaskFactory;
+
+class VerifyIsGuestCheckoutEnabledBeforeSetPaymentMethod
+{
+    /**
+     * @var CheckoutHelper
+     */
+    private CheckoutHelper $checkoutHelper;
+
+    /**
+     * @var QuoteIdMaskFactory
+     */
+    private QuoteIdMaskFactory $quoteIdMaskFactory;
+
+    /**
+     * @var CartRepositoryInterface
+     */
+    private CartRepositoryInterface $cartRepository;
+
+    /**
+     * @param CheckoutHelper $checkoutHelper
+     * @param QuoteIdMaskFactory $quoteIdMaskFactory
+     * @param CartRepositoryInterface $cartRepository
+     */
+    public function __construct(
+        CheckoutHelper $checkoutHelper,
+        QuoteIdMaskFactory $quoteIdMaskFactory,
+        CartRepositoryInterface $cartRepository
+    ) {
+        $this->checkoutHelper = $checkoutHelper;
+        $this->quoteIdMaskFactory = $quoteIdMaskFactory;
+        $this->cartRepository = $cartRepository;
+    }
+
+    /**
+     * Checks whether guest checkout is enabled before setting payment method
+     *
+     * @param GuestPaymentMethodManagementInterface $subject
+     * @param string $cartId
+     * @return void
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function beforeSet(
+        GuestPaymentMethodManagementInterface $subject,
+        $cartId
+    ): void {
+        /** @var $quoteIdMask QuoteIdMask */
+        $quoteIdMask = $this->quoteIdMaskFactory->create()->load($cartId, 'masked_id');
+        $quote = $this->cartRepository->get($quoteIdMask->getQuoteId());
+        if (!$this->checkoutHelper->isAllowedGuestCheckout($quote)) {
+            throw new CouldNotSaveException(__('Sorry, guest checkout is not available.'));
+        }
+    }
+}

app/code/Magento/Checkout/etc/webapi_rest/di.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
+    <type name="Magento\Checkout\Api\GuestPaymentInformationManagementInterface">
+        <plugin name="verify_is_guest_checkout_enabled" type="Magento\Checkout\Plugin\Api\VerifyIsGuestCheckoutEnabledBeforeSavePaymentInformation"/>
+    </type>
+    <type name="Magento\Checkout\Api\GuestShippingInformationManagementInterface">
+        <plugin name="verify_is_guest_checkout_enabled" type="Magento\Checkout\Plugin\Api\VerifyIsGuestCheckoutEnabledBeforeSaveShippingInformation"/>
+    </type>
+    <type name="Magento\Quote\Api\GuestCartManagementInterface">
+        <plugin name="verify_is_guest_checkout_enabled" type="Magento\Checkout\Plugin\Api\VerifyIsGuestCheckoutEnabledBeforePlaceOrder"/>
+    </type>
+    <type name="Magento\Quote\Api\GuestPaymentMethodManagementInterface">
+        <plugin name="verify_is_guest_checkout_enabled" type="Magento\Checkout\Plugin\Api\VerifyIsGuestCheckoutEnabledBeforeSetPaymentMethod"/>
+    </type>
+    <type name="Magento\Quote\Api\GuestBillingAddressManagementInterface">
+        <plugin name="verify_is_guest_checkout_enabled" type="Magento\Checkout\Plugin\Api\VerifyIsGuestCheckoutEnabledBeforeAssignBillingAddress"/>
+    </type>
+</config>

app/code/Magento/Checkout/etc/webapi_soap/di.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
+    <type name="Magento\Checkout\Api\GuestPaymentInformationManagementInterface">
+        <plugin name="verify_is_guest_checkout_enabled" type="Magento\Checkout\Plugin\Api\VerifyIsGuestCheckoutEnabledBeforeSavePaymentInformation"/>
+    </type>
+    <type name="Magento\Checkout\Api\GuestShippingInformationManagementInterface">
+        <plugin name="verify_is_guest_checkout_enabled" type="Magento\Checkout\Plugin\Api\VerifyIsGuestCheckoutEnabledBeforeSaveShippingInformation"/>
+    </type>
+    <type name="Magento\Quote\Api\GuestCartManagementInterface">
+        <plugin name="verify_is_guest_checkout_enabled" type="Magento\Checkout\Plugin\Api\VerifyIsGuestCheckoutEnabledBeforePlaceOrder"/>
+    </type>
+    <type name="Magento\Quote\Api\GuestPaymentMethodManagementInterface">
+        <plugin name="verify_is_guest_checkout_enabled" type="Magento\Checkout\Plugin\Api\VerifyIsGuestCheckoutEnabledBeforeSetPaymentMethod"/>
+    </type>
+    <type name="Magento\Quote\Api\GuestBillingAddressManagementInterface">
+        <plugin name="verify_is_guest_checkout_enabled" type="Magento\Checkout\Plugin\Api\VerifyIsGuestCheckoutEnabledBeforeAssignBillingAddress"/>
+    </type>
+</config>