MAGETWO-55849: Customer can be deleted without Merchant permissions verification

Author: RuslanKostiv1

app/code/Magento/User/Block/User/Edit.php

@@ -50,7 +50,7 @@ protected function _construct()
         $this->buttonList->update('save', 'label', __('Save User'));
         $this->buttonList->remove('delete');
 
-        $objId = $this->getRequest()->getParam($this->_objectId);
+        $objId = (int)$this->getRequest()->getParam($this->_objectId);
 
         if (!empty($objId)) {
             $this->addButton(
@@ -59,10 +59,10 @@ protected function _construct()
                     'label' => __('Delete User'),
                     'class' => 'delete',
                     'onclick' => sprintf(
-                        'deleteConfirm("%s", "%s", %s)',
+                        'deleteUserAccount("%s", "%s", %s)',
                         __('Are you sure you want to do this?'),
                         $this->getUrl('adminhtml/*/delete'),
-                        json_encode(['data' => ['user_id' => $objId]])
+                        $objId
                     ),
                 ]
             );

app/code/Magento/User/Controller/Adminhtml/User/Delete.php

@@ -6,22 +6,32 @@
  */
 namespace Magento\User\Controller\Adminhtml\User;
 
+use Magento\User\Block\User\Edit\Tab\Main as UserEdit;
+use Magento\Framework\Exception\AuthenticationException;
+
 class Delete extends \Magento\User\Controller\Adminhtml\User
 {
     /**
      * @return void
      */
     public function execute()
     {
+        /** @var \Magento\User\Model\User */
         $currentUser = $this->_objectManager->get(\Magento\Backend\Model\Auth\Session::class)->getUser();
         $userId = (int)$this->getRequest()->getPost('user_id');
+
         if ($userId) {
             if ($currentUser->getId() == $userId) {
                 $this->messageManager->addError(__('You cannot delete your own account.'));
                 $this->_redirect('adminhtml/*/edit', ['user_id' => $userId]);
                 return;
             }
             try {
+                $currentUserPassword = (string)$this->getRequest()->getPost(UserEdit::CURRENT_USER_PASSWORD_FIELD);
+                if (empty($currentUserPassword)) {
+                    throw new AuthenticationException(__('You have entered an invalid password for current user.'));
+                }
+                $currentUser->performIdentityCheck($currentUserPassword);
                 /** @var \Magento\User\Model\User $model */
                 $model = $this->_userFactory->create();
                 $model->setId($userId);

app/code/Magento/User/Test/Unit/Controller/Adminhtml/User/DeleteTest.php

@@ -0,0 +1,225 @@
+<?php
+/**
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\User\Test\Unit\Controller\Adminhtml\User;
+
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+use Magento\User\Block\User\Edit\Tab\Main as UserEdit;
+use Magento\Backend\Model\Auth\Session as Session;
+use Magento\Framework\Exception\AuthenticationException;
+
+/**
+ * Test class for \Magento\User\Controller\Adminhtml\User\Delete testing
+ *
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ */
+class DeleteTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var \Magento\User\Controller\Adminhtml\User\Delete
+     */
+    private $controller;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\Framework\App\RequestInterface
+     */
+    private $requestMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\Framework\App\ResponseInterface
+     */
+    private $responseMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject|Session
+     */
+    private $authSessionMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\Framework\ObjectManagerInterface
+     */
+    private $objectManagerMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\User\Model\UserFactory
+     */
+    private $userFactoryMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\User\Model\User
+     */
+    private $userMock;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject|\Magento\Framework\Message\ManagerInterface
+     */
+    private $messageManagerMock;
+
+    /**
+     * @return void
+     */
+    protected function setUp()
+    {
+        $this->objectManagerMock = $this->getMockBuilder(\Magento\Framework\ObjectManager\ObjectManager::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['get', 'create'])
+            ->getMock();
+
+        $this->responseMock = $this->getMockBuilder(\Magento\Framework\App\ResponseInterface::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['setRedirect'])
+            ->getMockForAbstractClass();
+
+        $this->requestMock = $this->getMockBuilder(\Magento\Framework\App\RequestInterface::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['getPost'])
+            ->getMockForAbstractClass();
+
+        $this->authSessionMock = $this->getMockBuilder(Session::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['getUser'])
+            ->getMock();
+
+        $this->userMock = $this->getMockBuilder(\Magento\User\Model\User::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['getId', 'performIdentityCheck', 'delete'])
+            ->getMock();
+
+        $this->userFactoryMock = $this->getMockBuilder(\Magento\User\Model\UserFactory::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['create'])
+            ->getMock();
+
+        $this->messageManagerMock = $this->getMockBuilder(\Magento\Framework\Message\ManagerInterface::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $objectManager = new ObjectManagerHelper($this);
+        $context = $objectManager->getObject(
+            \Magento\Backend\App\Action\Context::class,
+            [
+                'request'        => $this->requestMock,
+                'response'       => $this->responseMock,
+                'objectManager'  => $this->objectManagerMock,
+                'messageManager' => $this->messageManagerMock,
+            ]
+        );
+
+        $this->controller = $objectManager->getObject(
+            \Magento\User\Controller\Adminhtml\User\Delete::class,
+            [
+                'context'      => $context,
+                'userFactory'  => $this->userFactoryMock,
+            ]
+        );
+    }
+
+    /**
+     * Test method \Magento\User\Controller\Adminhtml\User\Delete::execute
+     *
+     * @param string $currentUserPassword
+     * @param int    $userId
+     * @param int    $currentUserId
+     * @param string $resultMethod
+     *
+     * @dataProvider executeDataProvider
+     * @return void
+     *
+     */
+    public function testExecute($currentUserPassword, $userId, $currentUserId, $resultMethod)
+    {
+        $currentUserMock = $this->userMock;
+        $this->authSessionMock->expects($this->any())->method('getUser')->will($this->returnValue($currentUserMock));
+
+        $currentUserMock->expects($this->any())->method('getId')->willReturn($currentUserId);
+
+        $this->objectManagerMock
+            ->expects($this->any())
+            ->method('get')
+            ->with(Session::class)
+            ->willReturn($this->authSessionMock);
+
+        $this->requestMock->expects($this->any())
+            ->method('getPost')
+            ->willReturnMap([
+                ['user_id', $userId],
+                [UserEdit::CURRENT_USER_PASSWORD_FIELD, $currentUserPassword],
+            ]);
+
+        $userMock = clone $currentUserMock;
+
+        $this->userFactoryMock->expects($this->any())->method('create')->will($this->returnValue($userMock));
+        $this->responseMock->expects($this->any())->method('setRedirect')->willReturnSelf();
+        $this->userMock->expects($this->any())->method('delete')->willReturnSelf();
+        $this->messageManagerMock->expects($this->once())->method($resultMethod);
+
+        $this->controller->execute();
+    }
+
+    /**
+     * @return void
+     */
+    public function testEmptyPasswordThrowsException()
+    {
+        try {
+            $currentUserId = 1;
+            $userId = 2;
+
+            $currentUserMock = $this->userMock;
+            $this->authSessionMock->expects($this->any())
+                ->method('getUser')
+                ->will($this->returnValue($currentUserMock));
+
+            $currentUserMock->expects($this->any())->method('getId')->willReturn($currentUserId);
+
+            $this->objectManagerMock
+                ->expects($this->any())
+                ->method('get')
+                ->with(Session::class)
+                ->willReturn($this->authSessionMock);
+
+            $this->requestMock->expects($this->any())
+                ->method('getPost')
+                ->willReturnMap([
+                    ['user_id', $userId],
+                    [UserEdit::CURRENT_USER_PASSWORD_FIELD, ''],
+                ]);
+
+            $this->controller->execute();
+        } catch (AuthenticationException $e) {
+            $this->assertEquals($e->getMessage(), 'You have entered an invalid password for current user.');
+        }
+    }
+
+    /**
+     * Data Provider for execute method
+     *
+     * @return array
+     */
+    public function executeDataProvider()
+    {
+        return [
+            [
+                'currentUserPassword' => '123123q',
+                'userId'              => 1,
+                'currentUserId'       => 2,
+                'resultMethod'        => 'addSuccess',
+            ],
+            [
+                'currentUserPassword' => '123123q',
+                'userId'              => 0,
+                'currentUserId'       => 2,
+                'resultMethod'        => 'addError',
+            ],
+            [
+                'currentUserPassword' => '123123q',
+                'userId'              => 1,
+                'currentUserId'       => 1,
+                'resultMethod'        => 'addError',
+            ],
+        ];
+    }
+}

app/code/Magento/User/view/adminhtml/templates/user/roles_grid_js.phtml

@@ -70,4 +70,13 @@ require([
 <?php endif; ?>
 
 });
+    function deleteUserAccount(message, url, objId) {
+        if (jQuery.validator.validateElement(jQuery('[name="current_password"]'))) {
+            postData = {'data' : {
+                'user_id': objId,
+                'current_password': jQuery('[name="current_password"]').val()
+            }}
+            deleteConfirm(message, url, postData);
+        }
+    }
 </script>

dev/tests/functional/tests/app/Magento/User/Test/Repository/User.xml

@@ -41,5 +41,9 @@
             <field name="current_password" xsi:type="string">%current_password%</field>
             <field name="is_active" xsi:type="string">Active</field>
         </dataset>
+
+        <dataset name="system_admin">
+            <field name="current_password" xsi:type="string">123123q</field>
+        </dataset>
     </repository>
 </config>

dev/tests/functional/tests/app/Magento/User/Test/TestCase/DeleteAdminUserEntityTest.php

@@ -101,11 +101,13 @@ public function __inject(
      *
      * @param User $user
      * @param string $isDefaultUser
+     * @param User $systemAdmin
      * @return void
      */
     public function testDeleteAdminUserEntity(
         User $user,
-        $isDefaultUser
+        $isDefaultUser,
+        User $systemAdmin = null
     ) {
         $filter = [
             'username' => $user->getUsername(),
@@ -118,6 +120,7 @@ public function testDeleteAdminUserEntity(
         }
         $this->userIndex->open();
         $this->userIndex->getUserGrid()->searchAndOpen($filter);
+        $this->userEdit->getUserForm()->fill($systemAdmin);
         $this->userEdit->getPageActions()->delete();
         $this->userEdit->getModalBlock()->acceptAlert();
     }

dev/tests/functional/tests/app/Magento/User/Test/TestCase/DeleteAdminUserEntityTest.xml

@@ -9,11 +9,13 @@
     <testCase name="Magento\User\Test\TestCase\DeleteAdminUserEntityTest" summary="Delete Admin User" ticketId="MAGETWO-23416">
         <variation name="DeleteAdminUserEntityTestVariation1">
             <data name="isDefaultUser" xsi:type="string">0</data>
+            <data name="systemAdmin/dataset" xsi:type="string">system_admin</data>
             <constraint name="Magento\User\Test\Constraint\AssertImpossibleDeleteYourOwnAccount" />
             <constraint name="Magento\User\Test\Constraint\AssertUserInGrid" />
         </variation>
         <variation name="DeleteAdminUserEntityTestVariation2">
             <data name="isDefaultUser" xsi:type="string">1</data>
+            <data name="systemAdmin/dataset" xsi:type="string">system_admin</data>
             <constraint name="Magento\User\Test\Constraint\AssertUserSuccessDeleteMessage" />
             <constraint name="Magento\User\Test\Constraint\AssertUserNotInGrid" />
         </variation>