MAGETWO-59090: [Github] Admin can't reset password for more than one customer #5260

Author: omiroshnichenko

app/code/Magento/Customer/Controller/Adminhtml/Index/ResetPassword.php

@@ -6,6 +6,7 @@
 namespace Magento\Customer\Controller\Adminhtml\Index;
 
 use Magento\Framework\Exception\NoSuchEntityException;
+use Magento\Framework\Exception\SecurityViolationException;
 
 class ResetPassword extends \Magento\Customer\Controller\Adminhtml\Index
 {
@@ -40,6 +41,8 @@ public function execute()
                 $messages = $exception->getMessage();
             }
             $this->_addSessionErrorMessages($messages);
+        } catch (SecurityViolationException $exception) {
+            $this->messageManager->addErrorMessage($exception->getMessage());
         } catch (\Exception $exception) {
             $this->messageManager->addException(
                 $exception,

app/code/Magento/Customer/Test/Unit/Controller/Adminhtml/Index/ResetPasswordTest.php

@@ -143,7 +143,7 @@ protected function setUp()
         $this->messageManager = $this->getMockBuilder(
             \Magento\Framework\Message\Manager::class
         )->disableOriginalConstructor()->setMethods(
-            ['addSuccess', 'addMessage', 'addException']
+            ['addSuccess', 'addMessage', 'addException', 'addErrorMessage']
         )->getMock();
 
         $this->resultRedirectFactoryMock = $this->getMockBuilder(
@@ -332,6 +332,56 @@ public function testResetPasswordActionCoreException()
         $this->_testedObject->execute();
     }
 
+    public function testResetPasswordActionSecurityException()
+    {
+        $securityText = 'Security violation.';
+        $exception = new \Magento\Framework\Exception\SecurityViolationException(__($securityText));
+        $customerId = 1;
+        $email = 'some@example.com';
+        $websiteId = 1;
+
+        $this->_request->expects(
+            $this->once()
+        )->method(
+            'getParam'
+        )->with(
+            $this->equalTo('customer_id'),
+            $this->equalTo(0)
+        )->will(
+            $this->returnValue($customerId)
+        );
+        $customer = $this->getMockForAbstractClass(
+            \Magento\Customer\Api\Data\CustomerInterface::class,
+            ['getId', 'getEmail', 'getWebsiteId']
+        );
+        $customer->expects($this->once())->method('getEmail')->will($this->returnValue($email));
+        $customer->expects($this->once())->method('getWebsiteId')->will($this->returnValue($websiteId));
+        $this->_customerRepositoryMock->expects(
+            $this->once()
+        )->method(
+            'getById'
+        )->with(
+            $customerId
+        )->will(
+            $this->returnValue($customer)
+        );
+        $this->_customerAccountManagementMock->expects(
+            $this->once()
+        )->method(
+            'initiatePasswordReset'
+        )->willThrowException($exception);
+
+        $this->messageManager->expects(
+            $this->once()
+        )->method(
+            'addErrorMessage'
+        )->with(
+            $this->equalTo($exception->getMessage())
+        );
+
+        $this->_testedObject->execute();
+    }
+
     public function testResetPasswordActionCoreExceptionWarn()
     {
         $warningText = 'Warning';

app/code/Magento/Security/Model/Plugin/AccountManagement.php

@@ -25,18 +25,26 @@ class AccountManagement
      */
     protected $securityManager;
 
+    /**
+     * @var int
+     */
+    protected $passwordRequestEvent;
+
     /**
      * AccountManagement constructor.
      *
      * @param \Magento\Framework\App\RequestInterface $request
      * @param SecurityManager $securityManager
+     * @param int $passwordRequestEvent
      */
     public function __construct(
         \Magento\Framework\App\RequestInterface $request,
-        \Magento\Security\Model\SecurityManager $securityManager
+        \Magento\Security\Model\SecurityManager $securityManager,
+        $passwordRequestEvent = PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST
     ) {
         $this->request = $request;
         $this->securityManager = $securityManager;
+        $this->passwordRequestEvent = $passwordRequestEvent;
     }
 
     /**
@@ -56,7 +64,7 @@ public function beforeInitiatePasswordReset(
         $websiteId = null
     ) {
         $this->securityManager->performSecurityCheck(
-            PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST,
+            $this->passwordRequestEvent,
             $email
         );
         return [$email, $template, $websiteId];

app/code/Magento/Security/etc/adminhtml/di.xml

@@ -15,6 +15,11 @@
     <type name="Magento\Backend\Controller\Adminhtml\Auth\Login">
         <plugin name="security_login_form" type="Magento\Security\Model\Plugin\LoginController" />
     </type>
+    <type name="Magento\Security\Model\Plugin\AccountManagement">
+        <arguments>
+            <argument name="passwordRequestEvent" xsi:type="const">Magento\Security\Model\PasswordResetRequestEvent::ADMIN_PASSWORD_RESET_REQUEST</argument>
+        </arguments>
+    </type>
     <type name="Magento\Security\Model\SecurityManager">
         <arguments>
             <argument name="securityCheckers" xsi:type="array">

dev/tests/integration/testsuite/Magento/Customer/Controller/Adminhtml/Index/ResetPasswordTest.php

@@ -0,0 +1,88 @@
+<?php
+/**
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Customer\Controller\Adminhtml\Index;
+
+/**
+ * ResetPassword controller test.
+ *
+ * @magentoAppArea adminhtml
+ */
+class ResetPasswordTest extends \Magento\TestFramework\TestCase\AbstractBackendController
+{
+    /**
+     * Base controller URL
+     *
+     * @var string
+     */
+    protected $baseControllerUrl = 'http://localhost/index.php/backend/customer/index/';
+
+    /**
+     * Checks reset password functionality with default settings and customer reset request event.
+     *
+     * @magentoConfigFixture current_store admin/security/limit_password_reset_requests_method 1
+     * @magentoConfigFixture current_store admin/security/min_time_between_password_reset_requests 10
+     * @magentoDataFixture Magento/Customer/_files/customer.php
+     */
+    public function testResetPasswordSuccess()
+    {
+        $this->passwordResetRequestEventCreate(
+            \Magento\Security\Model\PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST
+        );
+        $this->getRequest()->setPostValue(['customer_id' => '1']);
+        $this->dispatch('backend/customer/index/resetPassword');
+        $this->assertSessionMessages(
+            $this->equalTo(['The customer will receive an email with a link to reset password.']),
+            \Magento\Framework\Message\MessageInterface::TYPE_SUCCESS
+        );
+        $this->assertRedirect($this->stringStartsWith($this->baseControllerUrl . 'edit'));
+    }
+
+    /**
+     * Checks reset password functionality with default settings, customer and admin reset request events.
+     *
+     * @magentoConfigFixture current_store admin/security/limit_password_reset_requests_method 1
+     * @magentoConfigFixture current_store admin/security/min_time_between_password_reset_requests 10
+     * @magentoConfigFixture current_store contact/email/recipient_email hello@example.com
+     * @magentoDataFixture Magento/Customer/_files/customer.php
+     */
+    public function testResetPasswordWithSecurityViolationException()
+    {
+        $this->passwordResetRequestEventCreate(
+            \Magento\Security\Model\PasswordResetRequestEvent::CUSTOMER_PASSWORD_RESET_REQUEST
+        );
+        $this->passwordResetRequestEventCreate(
+            \Magento\Security\Model\PasswordResetRequestEvent::ADMIN_PASSWORD_RESET_REQUEST
+        );
+        $this->getRequest()->setPostValue(['customer_id' => '1']);
+        $this->dispatch('backend/customer/index/resetPassword');
+        $this->assertSessionMessages(
+            $this->equalTo(
+                ['Too many password reset requests. Please wait and try again or contact hello@example.com.']
+            ),
+            \Magento\Framework\Message\MessageInterface::TYPE_ERROR
+        );
+        $this->assertRedirect($this->stringStartsWith($this->baseControllerUrl . 'edit'));
+    }
+
+    /**
+     * Create and save reset request event with provided request type.
+     *
+     * @param int $requestType
+     */
+    private function passwordResetRequestEventCreate($requestType)
+    {
+        $passwordResetRequestEventFactory = $this->_objectManager->get(
+            \Magento\Security\Model\PasswordResetRequestEventFactory::class
+        );
+        $passwordResetRequestEvent = $passwordResetRequestEventFactory->create();
+        $passwordResetRequestEvent
+            ->setRequestType($requestType)
+            ->setAccountReference('customer@example.com')
+            ->setCreatedAt(strtotime('now'))
+            ->setIp('3232249856')
+            ->save();
+    }
+}