MAGETWO-96522: Fix action behavior

Author: StasKozar

app/code/Magento/Checkout/Controller/Cart/CouponPost.php

@@ -72,6 +72,9 @@ public function execute()
         if (!$this->getRequest()->isPost()) {
             throw new \Magento\Framework\Exception\NotFoundException(__('Page not found.'));
         }
+        if (!$this->_formKeyValidator->validate($this->getRequest())) {
+            return $this->_goBack();
+        }
 
         $couponCode = $this->getRequest()->getParam('remove') == 1
             ? ''

app/code/Magento/Checkout/Test/Unit/Controller/Cart/CouponPostTest.php

@@ -6,6 +6,7 @@
 namespace Magento\Checkout\Test\Unit\Controller\Cart;
 
 use Magento\Checkout\Controller\Cart\Index;
+use Magento\Framework\Data\Form\FormKey\Validator;
 
 /**
  * Test for \Magento\Checkout\Controller\Cart\CouponPost
@@ -84,6 +85,11 @@ class CouponPostTest extends \PHPUnit_Framework_TestCase
      */
     private $redirectFactory;
 
+    /**
+     * @var Validator|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $formKeyValidatorMock;
+
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
@@ -166,6 +172,8 @@ protected function setUp()
             ->getMock();
         $this->quoteRepository = $this->getMock(\Magento\Quote\Api\CartRepositoryInterface::class);
         $this->shippingAddress = $this->getMock(\Magento\Quote\Model\Quote\Address::class, [], [], '', false);
+        $this->formKeyValidatorMock = $this->getMock(Validator::class, [], [], '', false);
+        $this->formKeyValidatorMock->expects($this->once())->method('validate')->willReturn(true);
 
         $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
 
@@ -176,7 +184,8 @@ protected function setUp()
                 'checkoutSession' => $this->checkoutSession,
                 'cart' => $this->cart,
                 'couponFactory' => $this->couponFactory,
-                'quoteRepository' => $this->quoteRepository
+                'quoteRepository' => $this->quoteRepository,
+                'formKeyValidator' => $this->formKeyValidatorMock,
             ]
         );
     }

app/code/Magento/Checkout/view/frontend/templates/cart/coupon.phtml

@@ -28,6 +28,7 @@
                     </div>
                 </div>
                 <div class="actions-toolbar">
+                    <?php echo $block->getBlockHtml('formkey')?>
                     <?php if (!strlen($block->getCouponCode())): ?>
                     <div class="primary">
                         <button class="action apply primary" type="button" value="<?php /* @escapeNotVerified */ echo __('Apply Discount') ?>">

app/code/Magento/Customer/Controller/Account/ForgotPasswordPost.php

@@ -10,6 +10,8 @@
 use Magento\Customer\Model\AccountManagement;
 use Magento\Customer\Model\Session;
 use Magento\Framework\App\Action\Context;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Escaper;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Exception\SecurityViolationException;
@@ -31,33 +33,50 @@ class ForgotPasswordPost extends \Magento\Customer\Controller\AbstractAccount
      */
     protected $session;
 
+    /**
+     * @var Validator
+     */
+    private $formKeyValidator;
+
     /**
      * @param Context $context
      * @param Session $customerSession
      * @param AccountManagementInterface $customerAccountManagement
      * @param Escaper $escaper
+     * @param Validator|null $formKeyValidator
      */
     public function __construct(
         Context $context,
         Session $customerSession,
         AccountManagementInterface $customerAccountManagement,
-        Escaper $escaper
+        Escaper $escaper,
+        Validator $formKeyValidator = null
     ) {
         $this->session = $customerSession;
         $this->customerAccountManagement = $customerAccountManagement;
         $this->escaper = $escaper;
+        $this->formKeyValidator = $formKeyValidator ?: ObjectManager::getInstance()->get(Validator::class);
         parent::__construct($context);
     }
 
     /**
      * Forgot customer password action
      *
      * @return \Magento\Framework\Controller\Result\Redirect
+     * @throws \Magento\Framework\Exception\NotFoundException
      */
     public function execute()
     {
         /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
         $resultRedirect = $this->resultRedirectFactory->create();
+
+        if (!$this->getRequest()->isPost()) {
+            throw new \Magento\Framework\Exception\NotFoundException(__('Page not found.'));
+        }
+        if (!$this->formKeyValidator->validate($this->getRequest())) {
+            return $resultRedirect->setPath('*/*/forgotpassword');
+        }
+
         $email = (string)$this->getRequest()->getPost('email');
         if ($email) {
             $validator = new \Zend\Validator\EmailAddress();

app/code/Magento/Customer/Test/Unit/Controller/Account/ForgotPasswordPostTest.php

@@ -13,6 +13,7 @@
 use Magento\Framework\App\Request\Http as Request;
 use Magento\Framework\Controller\Result\Redirect as ResultRedirect;
 use Magento\Framework\Controller\Result\RedirectFactory as ResultRedirectFactory;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Escaper;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Message\ManagerInterface;
@@ -67,26 +68,42 @@ class ForgotPasswordPostTest extends \PHPUnit_Framework_TestCase
      */
     protected $messageManager;
 
+    /**
+     * @var Validator|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $formKeyValidatorMock;
+
     protected function setUp()
     {
         $this->prepareContext();
 
-        $this->session = $this->getMockBuilder('Magento\Customer\Model\Session')
+        $this->session = $this->getMockBuilder(\Magento\Customer\Model\Session::class)
             ->disableOriginalConstructor()
             ->getMock();
 
-        $this->accountManagement = $this->getMockBuilder('Magento\Customer\Api\AccountManagementInterface')
+        $this->accountManagement = $this->getMockBuilder(\Magento\Customer\Api\AccountManagementInterface::class)
             ->getMockForAbstractClass();
 
-        $this->escaper = $this->getMockBuilder('Magento\Framework\Escaper')
+        $this->escaper = $this->getMockBuilder(\Magento\Framework\Escaper::class)
             ->disableOriginalConstructor()
             ->getMock();
+        $this->formKeyValidatorMock = $this->getMockBuilder(Validator::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['validate'])
+            ->getMock();
+
+        $this->request->expects($this->once())->method('isPost')->willReturn(true);
+        $this->formKeyValidatorMock->expects($this->once())
+            ->method('validate')
+            ->with($this->request)
+            ->willReturn(true);
 
         $this->controller = new ForgotPasswordPost(
             $this->context,
             $this->session,
             $this->accountManagement,
-            $this->escaper
+            $this->escaper,
+            $this->formKeyValidatorMock
         );
     }
 
@@ -212,26 +229,24 @@ public function testExecuteException()
 
     protected function prepareContext()
     {
-        $this->resultRedirect = $this->getMockBuilder('Magento\Framework\Controller\Result\Redirect')
+        $this->resultRedirect = $this->getMockBuilder(\Magento\Framework\Controller\Result\Redirect::class)
             ->disableOriginalConstructor()
             ->getMock();
 
-        $this->resultRedirectFactory = $this->getMockBuilder('Magento\Framework\Controller\Result\RedirectFactory')
+        $this->resultRedirectFactory = $this->getMockBuilder(\Magento\Framework\Controller\Result\RedirectFactory::class)
             ->disableOriginalConstructor()
             ->getMock();
 
-        $this->context = $this->getMockBuilder('Magento\Framework\App\Action\Context')
+        $this->context = $this->getMockBuilder(\Magento\Framework\App\Action\Context::class)
             ->disableOriginalConstructor()
             ->getMock();
 
-        $this->request = $this->getMockBuilder('Magento\Framework\App\Request\Http')
+        $this->request = $this->getMockBuilder(\Magento\Framework\App\Request\Http::class)
             ->disableOriginalConstructor()
-            ->setMethods([
-                'getPost',
-            ])
+            ->setMethods(['getPost', 'isPost'])
             ->getMock();
 
-        $this->messageManager = $this->getMockBuilder('Magento\Framework\Message\ManagerInterface')
+        $this->messageManager = $this->getMockBuilder(\Magento\Framework\Message\ManagerInterface::class)
             ->getMockForAbstractClass();
 
         $this->resultRedirectFactory->expects($this->any())

app/code/Magento/Customer/view/frontend/templates/form/forgotpassword.phtml

@@ -25,6 +25,7 @@
         <?php echo $block->getChildHtml('form_additional_info'); ?>
     </fieldset>
     <div class="actions-toolbar">
+        <?php echo $block->getBlockHtml('formkey')?>
         <div class="primary">
             <button type="submit" class="action submit primary"><span><?php echo $block->escapeHtml(__('Reset My Password')) ?></span></button>
         </div>

app/code/Magento/Sales/Controller/Guest/View.php

@@ -6,6 +6,8 @@
 namespace Magento\Sales\Controller\Guest;
 
 use Magento\Framework\App\Action;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Sales\Helper\Guest as GuestHelper;
 use Magento\Framework\View\Result\PageFactory;
 use Magento\Framework\Controller\ResultInterface;
@@ -22,26 +24,42 @@ class View extends Action\Action
      */
     protected $resultPageFactory;
 
+    /**
+     * @var Validator
+     */
+    private $formKeyValidator;
+
     /**
      * @param \Magento\Framework\App\Action\Context $context
-     * @param \Magento\Sales\Helper\Guest $guestHelper
-     * @param \Magento\Framework\View\Result\PageFactory $resultPageFactory
+     * @param GuestHelper $guestHelper
+     * @param PageFactory $resultPageFactory
+     * @param Validator|null $formKeyValidator
      */
     public function __construct(
         Action\Context $context,
         GuestHelper $guestHelper,
-        PageFactory $resultPageFactory
+        PageFactory $resultPageFactory,
+        Validator $formKeyValidator = null
     ) {
         $this->guestHelper = $guestHelper;
         $this->resultPageFactory = $resultPageFactory;
+        $this->formKeyValidator = $formKeyValidator ?: ObjectManager::getInstance()->get(Validator::class);
         parent::__construct($context);
     }
 
     /**
      * @return \Magento\Framework\Controller\ResultInterface
+     * @throws \Magento\Framework\Exception\NotFoundException
      */
     public function execute()
     {
+        if (!$this->getRequest()->isPost()) {
+            throw new \Magento\Framework\Exception\NotFoundException(__('Page not found.'));
+        }
+        if (!$this->formKeyValidator->validate($this->getRequest())) {
+            return $this->resultRedirectFactory->create()->setPath('*/*/form/');
+        }
+
         $result = $this->guestHelper->loadValidOrder($this->getRequest());
         if ($result instanceof ResultInterface) {
             return $result;

app/code/Magento/Sales/Test/Unit/Controller/Guest/ViewTest.php

@@ -5,6 +5,7 @@
  */
 namespace Magento\Sales\Test\Unit\Controller\Guest;
 
+use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
 
 class ViewTest extends \PHPUnit_Framework_TestCase
@@ -49,40 +50,57 @@ class ViewTest extends \PHPUnit_Framework_TestCase
      */
     protected $resultPageMock;
 
+    /**
+     * @var Validator|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $formKeyValidatorMock;
+
     /**
      * @return void
      */
     protected function setUp()
     {
-        $this->requestMock = $this->getMockBuilder('Magento\Framework\App\RequestInterface')
-            ->getMock();
-        $this->guestHelperMock = $this->getMockBuilder('Magento\Sales\Helper\Guest')
+        $this->requestMock = $this->getMockBuilder(\Magento\Framework\App\RequestInterface::class)
+            ->setMethods(['isPost'])
+            ->getMockForAbstractClass();
+        $this->guestHelperMock = $this->getMockBuilder(\Magento\Sales\Helper\Guest::class)
             ->disableOriginalConstructor()
             ->getMock();
-        $this->resultRedirectMock = $this->getMockBuilder('Magento\Framework\Controller\Result\Redirect')
+        $this->resultRedirectMock = $this->getMockBuilder(\Magento\Framework\Controller\Result\Redirect::class)
             ->disableOriginalConstructor()
             ->getMock();
-        $this->resultPageFactoryMock = $this->getMockBuilder('Magento\Framework\View\Result\PageFactory')
+        $this->resultPageFactoryMock = $this->getMockBuilder(\Magento\Framework\View\Result\PageFactory::class)
             ->disableOriginalConstructor()
             ->setMethods(['create'])
             ->getMock();
-        $this->resultPageMock = $this->getMockBuilder('Magento\Framework\View\Result\Page')
+        $this->resultPageMock = $this->getMockBuilder(\Magento\Framework\View\Result\Page::class)
             ->disableOriginalConstructor()
             ->getMock();
+        $this->formKeyValidatorMock = $this->getMockBuilder(Validator::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['validate'])
+            ->getMock();
+
+        $this->requestMock->expects($this->once())->method('isPost')->willReturn(true);
+        $this->formKeyValidatorMock->expects($this->once())
+            ->method('validate')
+            ->with($this->requestMock)
+            ->willReturn(true);
 
         $this->objectManagerHelper = new ObjectManagerHelper($this);
         $this->context = $this->objectManagerHelper->getObject(
-            'Magento\Framework\App\Action\Context',
+            \Magento\Framework\App\Action\Context::class,
             [
                 'request' => $this->requestMock
             ]
         );
         $this->viewController = $this->objectManagerHelper->getObject(
-            'Magento\Sales\Controller\Guest\View',
+            \Magento\Sales\Controller\Guest\View::class,
             [
                 'context' => $this->context,
                 'guestHelper' => $this->guestHelperMock,
-                'resultPageFactory' => $this->resultPageFactoryMock
+                'resultPageFactory' => $this->resultPageFactoryMock,
+                'formKeyValidator' => $this->formKeyValidatorMock,
             ]
         );
     }

app/code/Magento/Sales/view/frontend/templates/guest/form.phtml

@@ -56,6 +56,7 @@
         </div>
     </fieldset>
     <div class="actions-toolbar">
+        <?php echo $block->getBlockHtml('formkey')?>
         <div class="primary">
             <button type="submit" title="<?php /* @escapeNotVerified */ echo __('Continue') ?>" class="action submit primary">
                 <span><?php /* @escapeNotVerified */ echo __('Continue') ?></span>