magento
diff --git a/‎app/code/Magento/Customer/Controller/Account/EditPost.php
Lines changed: 36 additions & 26 deletions b/‎app/code/Magento/Customer/Controller/Account/EditPost.php
Lines changed: 36 additions & 26 deletions
diff --git a/‎app/code/Magento/Customer/Model/Metadata/Form/File.php
Lines changed: 18 additions & 8 deletions b/‎app/code/Magento/Customer/Model/Metadata/Form/File.php
Lines changed: 18 additions & 8 deletions
diff --git a/‎app/code/Magento/Customer/Test/Mftf/Test/StorefrontChangeCustomerEmailTest.xml
Lines changed: 61 additions & 0 deletions b/‎app/code/Magento/Customer/Test/Mftf/Test/StorefrontChangeCustomerEmailTest.xml
Lines changed: 61 additions & 0 deletions
@@ -8,6 +8,7 @@
 namespace Magento\Customer\Controller\Account;
 
 use Magento\Customer\Api\Data\CustomerInterface;
+use Magento\Customer\Api\SessionCleanerInterface;
 use Magento\Customer\Model\AddressRegistry;
 use Magento\Framework\App\Action\HttpPostActionInterface as HttpPostActionInterface;
 use Magento\Customer\Model\AuthenticationInterface;
@@ -27,13 +28,15 @@
 use Magento\Framework\Escaper;
 use Magento\Framework\Exception\InputException;
 use Magento\Framework\Exception\InvalidEmailOrPasswordException;
+use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Exception\State\UserLockedException;
 use Magento\Customer\Controller\AbstractAccount;
 use Magento\Framework\Phrase;
 
 /**
- * Class EditPost
+ * Customer edit page.
+ *
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class EditPost extends AbstractAccount implements CsrfAwareActionInterface, HttpPostActionInterface
@@ -69,7 +72,7 @@ class EditPost extends AbstractAccount implements CsrfAwareActionInterface, Http
     protected $session;
 
     /**
-     * @var \Magento\Customer\Model\EmailNotificationInterface
+     * @var EmailNotificationInterface
      */
     private $emailNotification;
 
@@ -93,6 +96,11 @@ class EditPost extends AbstractAccount implements CsrfAwareActionInterface, Http
      */
     private $addressRegistry;
 
+    /**
+     * @var SessionCleanerInterface|null
+     */
+    private $sessionCleaner;
+
     /**
      * @param Context $context
      * @param Session $customerSession
@@ -102,6 +110,7 @@ class EditPost extends AbstractAccount implements CsrfAwareActionInterface, Http
      * @param CustomerExtractor $customerExtractor
      * @param Escaper|null $escaper
      * @param AddressRegistry|null $addressRegistry
+     * @param SessionCleanerInterface|null $sessionCleaner
      */
     public function __construct(
         Context $context,
@@ -111,7 +120,8 @@ public function __construct(
         Validator $formKeyValidator,
         CustomerExtractor $customerExtractor,
         ?Escaper $escaper = null,
-        AddressRegistry $addressRegistry = null
+        AddressRegistry $addressRegistry = null,
+        ?SessionCleanerInterface $sessionCleaner = null
     ) {
         parent::__construct($context);
         $this->session = $customerSession;
@@ -121,6 +131,7 @@ public function __construct(
         $this->customerExtractor = $customerExtractor;
         $this->escaper = $escaper ?: ObjectManager::getInstance()->get(Escaper::class);
         $this->addressRegistry = $addressRegistry ?: ObjectManager::getInstance()->get(AddressRegistry::class);
+        $this->sessionCleaner = $sessionCleaner ?: ObjectManager::getInstance()->get(SessionCleanerInterface::class);
     }
 
     /**
@@ -132,9 +143,7 @@ private function getAuthentication()
     {
 
         if (!($this->authentication instanceof AuthenticationInterface)) {
-            return ObjectManager::getInstance()->get(
-                \Magento\Customer\Model\AuthenticationInterface::class
-            );
+            return ObjectManager::getInstance()->get(AuthenticationInterface::class);
         } else {
             return $this->authentication;
         }
@@ -149,9 +158,7 @@ private function getAuthentication()
     private function getEmailNotification()
     {
         if (!($this->emailNotification instanceof EmailNotificationInterface)) {
-            return ObjectManager::getInstance()->get(
-                EmailNotificationInterface::class
-            );
+            return ObjectManager::getInstance()->get(EmailNotificationInterface::class);
         } else {
             return $this->emailNotification;
         }
@@ -160,9 +167,8 @@ private function getEmailNotification()
     /**
      * @inheritDoc
      */
-    public function createCsrfValidationException(
-        RequestInterface $request
-    ): ?InvalidRequestException {
+    public function createCsrfValidationException(RequestInterface $request): ?InvalidRequestException
+    {
         /** @var Redirect $resultRedirect */
         $resultRedirect = $this->resultRedirectFactory->create();
         $resultRedirect->setPath('*/*/edit');
@@ -184,11 +190,11 @@ public function validateForCsrf(RequestInterface $request): ?bool
     /**
      * Change customer email or password action
      *
-     * @return \Magento\Framework\Controller\Result\Redirect
+     * @return Redirect
      */
     public function execute()
     {
-        /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
+        /** @var Redirect $resultRedirect */
         $resultRedirect = $this->resultRedirectFactory->create();
         $validFormKey = $this->formKeyValidator->validate($this->getRequest());
 
@@ -217,6 +223,7 @@ public function execute()
                 );
                 $this->dispatchSuccessEvent($customerCandidateDataObject);
                 $this->messageManager->addSuccessMessage(__('You saved the account information.'));
+
                 return $resultRedirect->setPath('customer/account');
             } catch (InvalidEmailOrPasswordException $e) {
                 $this->messageManager->addErrorMessage($this->escaper->escapeHtml($e->getMessage()));
@@ -228,13 +235,14 @@ public function execute()
                 $this->session->logout();
                 $this->session->start();
                 $this->messageManager->addErrorMessage($message);
+
                 return $resultRedirect->setPath('customer/account/login');
             } catch (InputException $e) {
                 $this->messageManager->addErrorMessage($this->escaper->escapeHtml($e->getMessage()));
                 foreach ($e->getErrors() as $error) {
                     $this->messageManager->addErrorMessage($this->escaper->escapeHtml($error->getMessage()));
                 }
-            } catch (\Magento\Framework\Exception\LocalizedException $e) {
+            } catch (LocalizedException $e) {
                 $this->messageManager->addErrorMessage($e->getMessage());
             } catch (\Exception $e) {
                 $this->messageManager->addException($e, __('We can\'t save the customer.'));
@@ -246,16 +254,17 @@ public function execute()
         /** @var Redirect $resultRedirect */
         $resultRedirect = $this->resultRedirectFactory->create();
         $resultRedirect->setPath('*/*/edit');
+
         return $resultRedirect;
     }
 
     /**
      * Account editing action completed successfully event
      *
-     * @param \Magento\Customer\Api\Data\CustomerInterface $customerCandidateDataObject
+     * @param CustomerInterface $customerCandidateDataObject
      * @return void
      */
-    private function dispatchSuccessEvent(\Magento\Customer\Api\Data\CustomerInterface $customerCandidateDataObject)
+    private function dispatchSuccessEvent(CustomerInterface $customerCandidateDataObject)
     {
         $this->_eventManager->dispatch(
             'customer_account_edited',
@@ -268,7 +277,7 @@ private function dispatchSuccessEvent(\Magento\Customer\Api\Data\CustomerInterfa
      *
      * @param int $customerId
      *
-     * @return \Magento\Customer\Api\Data\CustomerInterface
+     * @return CustomerInterface
      */
     private function getCustomerDataObject($customerId)
     {
@@ -278,13 +287,13 @@ private function getCustomerDataObject($customerId)
     /**
      * Create Data Transfer Object of customer candidate
      *
-     * @param \Magento\Framework\App\RequestInterface $inputData
-     * @param \Magento\Customer\Api\Data\CustomerInterface $currentCustomerData
-     * @return \Magento\Customer\Api\Data\CustomerInterface
+     * @param RequestInterface $inputData
+     * @param CustomerInterface $currentCustomerData
+     * @return CustomerInterface
      */
     private function populateNewCustomerDataObject(
-        \Magento\Framework\App\RequestInterface $inputData,
-        \Magento\Customer\Api\Data\CustomerInterface $currentCustomerData
+        RequestInterface $inputData,
+        CustomerInterface $currentCustomerData
     ) {
         $attributeValues = $this->getCustomerMapper()->toFlatArray($currentCustomerData);
         $customerDto = $this->customerExtractor->extract(
@@ -330,12 +339,12 @@ protected function changeCustomerPassword($email)
     /**
      * Process change email request
      *
-     * @param \Magento\Customer\Api\Data\CustomerInterface $currentCustomerDataObject
+     * @param CustomerInterface $currentCustomerDataObject
      * @return void
      * @throws InvalidEmailOrPasswordException
      * @throws UserLockedException
      */
-    private function processChangeEmailRequest(\Magento\Customer\Api\Data\CustomerInterface $currentCustomerDataObject)
+    private function processChangeEmailRequest(CustomerInterface $currentCustomerDataObject)
     {
         if ($this->getRequest()->getParam('change_email')) {
             // authenticate user for changing email
@@ -344,6 +353,7 @@ private function processChangeEmailRequest(\Magento\Customer\Api\Data\CustomerIn
                     $currentCustomerDataObject->getId(),
                     $this->getRequest()->getPost('current_password')
                 );
+                $this->sessionCleaner->clearFor($currentCustomerDataObject->getId());
             } catch (InvalidEmailOrPasswordException $e) {
                 throw new InvalidEmailOrPasswordException(
                     __("The password doesn't match this account. Verify the password and try again.")
@@ -362,7 +372,7 @@ private function processChangeEmailRequest(\Magento\Customer\Api\Data\CustomerIn
     private function getCustomerMapper()
     {
         if ($this->customerMapper === null) {
-            $this->customerMapper = ObjectManager::getInstance()->get(\Magento\Customer\Model\Customer\Mapper::class);
+            $this->customerMapper = ObjectManager::getInstance()->get(Mapper::class);
         }
         return $this->customerMapper;
     }
 
@@ -11,6 +11,7 @@
 use Magento\Framework\Api\Data\ImageContentInterface;
 use Magento\Framework\App\Filesystem\DirectoryList;
 use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\File\UploaderFactory;
 use Magento\Framework\Filesystem;
 
@@ -111,6 +112,7 @@ public function extractValue(\Magento\Framework\App\RequestInterface $request)
         $extend = $this->_getRequestValue($request);
 
         $attrCode = $this->getAttribute()->getAttributeCode();
+        // phpcs:ignore Magento2.Security.Superglobal
         if ($this->_requestScope || !isset($_FILES[$attrCode])) {
             $value = [];
             if (strpos($this->_requestScope, '/') !== false) {
@@ -120,9 +122,10 @@ public function extractValue(\Magento\Framework\App\RequestInterface $request)
                 $mainScope = $this->_requestScope;
                 $scopes = [];
             }
-
+            // phpcs:disable Magento2.Security.Superglobal
             if (!empty($_FILES[$mainScope])) {
                 foreach ($_FILES[$mainScope] as $fileKey => $scopeData) {
+                    // phpcs:enable Magento2.Security.Superglobal
                     foreach ($scopes as $scopeName) {
                         if (isset($scopeData[$scopeName])) {
                             $scopeData = $scopeData[$scopeName];
@@ -147,8 +150,10 @@ public function extractValue(\Magento\Framework\App\RequestInterface $request)
                 $value = [];
             }
         } else {
+            // phpcs:disable Magento2.Security.Superglobal
             if (isset($_FILES[$attrCode])) {
                 $value = $_FILES[$attrCode];
+                // phpcs:enable Magento2.Security.Superglobal
             } else {
                 $value = [];
             }
@@ -171,7 +176,7 @@ protected function _validateByRules($value)
     {
         $label = $value['name'];
         $rules = $this->getAttribute()->getValidationRules();
-        $extension = pathinfo($value['name'], PATHINFO_EXTENSION);
+        $extension = $this->fileProcessor->getStat($value['name'])['extension'];
         $fileExtensions = ArrayObjectSearch::getArrayElementByName(
             $rules,
             'file_extensions'
@@ -219,12 +224,13 @@ protected function _validateByRules($value)
      */
     protected function _isUploadedFile($filename)
     {
+        // phpcs:ignore Magento2.Functions.DiscouragedFunction
         if (is_uploaded_file($filename)) {
             return true;
         }
 
         // This case is required for file uploader UI component
-        $temporaryFile = FileProcessor::TMP_DIR . '/' . pathinfo($filename)['basename'];
+        $temporaryFile = FileProcessor::TMP_DIR . '/' . $this->fileProcessor->getStat($filename)['basename'];
         if ($this->fileProcessor->isExist($temporaryFile)) {
             return true;
         }
@@ -343,16 +349,20 @@ protected function processInputFieldValue($value)
         }
 
         if (!empty($value['tmp_name'])) {
+            $uploader = $this->uploaderFactory->create(['fileId' => $value]);
+            $fileExtension = $uploader->getFileExtension();
+            if (!$this->_fileValidator->isValid($fileExtension)) {
+                throw new LocalizedException($this->_fileValidator->getMessages()[$fileExtension]);
+            }
+            $uploader->setFilesDispersion(true);
+            $uploader->setFilenamesCaseSensitivity(false);
+            $uploader->setAllowRenameFiles(true);
             try {
-                $uploader = $this->uploaderFactory->create(['fileId' => $value]);
-                $uploader->setFilesDispersion(true);
-                $uploader->setFilenamesCaseSensitivity(false);
-                $uploader->setAllowRenameFiles(true);
                 $uploader->save($mediaDir->getAbsolutePath($this->_entityTypeCode), $value['name']);
-                $result = $uploader->getUploadedFileName();
             } catch (\Exception $e) {
                 $this->_logger->critical($e);
             }
+            $result = $uploader->getUploadedFileName();
         }
 
         return $result;
 
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<tests xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/testSchema.xsd">
+    <test name="StorefrontChangeCustomerEmailTest">
+        <annotations>
+            <features value="Customer"/>
+            <stories value="Update Customer"/>
+            <title value="Changing Customer Email Test"/>
+            <description value="Changing Customer's email with correct and wrong passwords"/>
+            <testCaseId value="MC-38725"/>
+            <useCaseId value="MC-38676"/>
+            <severity value="MAJOR"/>
+            <group value="customer"/>
+        </annotations>
+        <before>
+            <createData entity="Simple_US_Customer" stepKey="customer"/>
+        </before>
+        <after>
+            <actionGroup ref="StorefrontCustomerLogoutActionGroup" stepKey="customerLogout"/>
+            <deleteData createDataKey="customer" stepKey="deleteCustomer"/>
+        </after>
+
+        <actionGroup ref="LoginToStorefrontActionGroup" stepKey="loginToStorefrontAccount">
+            <argument name="Customer" value="$customer$"/>
+        </actionGroup>
+        <!-- Navigate to "Account Information" tab First Time-->
+        <actionGroup ref="StorefrontOpenCustomerAccountInfoEditPageActionGroup" stepKey="goToCustomerEditPageFirstTime"/>
+        <!-- Entering new email, saving with correct password -->
+        <actionGroup ref="StorefrontCustomerChangeEmailActionGroup" stepKey="changeEmailCorrectAttempt">
+            <argument name="email" value="$customer.email$"/>
+            <argument name="password" value="$customer.password$"/>
+        </actionGroup>
+        <!-- See Success Notify, check that customer was force logged out -->
+        <actionGroup ref="AssertMessageCustomerChangeAccountInfoActionGroup" stepKey="seeSuccessMessage">
+            <argument name="message" value="You saved the account information."/>
+        </actionGroup>
+        <see userInput="Default welcome msg!" selector="{{StorefrontPanelHeaderSection.WelcomeMessage}}" stepKey="assertWelcomeMessage"/>
+        <actionGroup ref="LoginToStorefrontActionGroup" stepKey="loginToStorefrontAccountAfterEmailChange">
+            <argument name="Customer" value="$customer$"/>
+        </actionGroup>
+        <!-- Navigate to "Account Information" tab Second Time-->
+        <actionGroup ref="StorefrontOpenCustomerAccountInfoEditPageActionGroup" stepKey="goToCustomerEditPageSecondTime" />
+        <!-- Entering new email, saving with wrong password -->
+        <actionGroup ref="StorefrontCustomerChangeEmailActionGroup" stepKey="changeEmailWrongAttempt">
+            <argument name="email" value="$customer.email$"/>
+            <argument name="password" value="WRONG_PASSWORD_123123q"/>
+        </actionGroup>
+        <!-- See Failure Message-->
+        <actionGroup ref="AssertMessageCustomerChangeAccountInfoActionGroup" stepKey="seeFailureMessage">
+            <argument name="message" value="The password doesn't match this account. Verify the password and try again."/>
+            <argument name="messageType" value="error"/>
+        </actionGroup>
+    </test>
+</tests>