Merge branch '2.4.5-develop' into 2.4.5-develop-2.4-develop-sync-05172022

Author: dvoskoboinikov

app/code/Magento/Checkout/Controller/Sidebar/UpdateItemQty.php

@@ -3,19 +3,25 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Checkout\Controller\Sidebar;
 
 use Magento\Checkout\Model\Cart\RequestQuantityProcessor;
 use Magento\Checkout\Model\Sidebar;
 use Magento\Framework\App\Action\Action;
 use Magento\Framework\App\Action\Context;
+use Magento\Framework\App\Action\HttpPostActionInterface;
 use Magento\Framework\App\ObjectManager;
 use Magento\Framework\App\Response\Http;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Json\Helper\Data;
 use Psr\Log\LoggerInterface;
 
-class UpdateItemQty extends Action
+/**
+ * Class used to update item quantity.
+ */
+class UpdateItemQty extends Action implements HttpPostActionInterface
 {
     /**
      * @var Sidebar
@@ -61,12 +67,18 @@ public function __construct(
     }
 
     /**
+     * Action for Quantity update
+     *
      * @return $this
      */
     public function execute()
     {
         $itemId = (int)$this->getRequest()->getParam('item_id');
-        $itemQty = $this->getRequest()->getParam('item_qty') * 1;
+        $itemQty = (int)$this->getRequest()->getParam('item_qty');
+
+        if ($itemQty <= 0) {
+            return  $this->jsonResponse(__('Invalid Item Quantity Requested.'));
+        }
         $itemQty = $this->quantityProcessor->prepareQuantity($itemQty);
 
         try {

app/code/Magento/Checkout/Model/DefaultConfigProvider.php

@@ -31,6 +31,7 @@
 use Magento\Quote\Model\QuoteIdMaskFactory;
 use Magento\Store\Model\ScopeInterface;
 use Magento\Ui\Component\Form\Element\Multiline;
+use Magento\Framework\Escaper;
 
 /**
  * Default Config Provider for checkout
@@ -191,6 +192,11 @@ class DefaultConfigProvider implements ConfigProviderInterface
      */
     private $configPostProcessor;
 
+    /**
+     * @var Escaper
+     */
+    private $escaper;
+
     /**
      * @param CheckoutHelper $checkoutHelper
      * @param Session $checkoutSession
@@ -222,6 +228,7 @@ class DefaultConfigProvider implements ConfigProviderInterface
      * @param AddressMetadataInterface $addressMetadata
      * @param AttributeOptionManagementInterface $attributeOptionManager
      * @param CustomerAddressDataProvider|null $customerAddressData
+     * @param Escaper|null $escaper
      * @codeCoverageIgnore
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
@@ -255,7 +262,8 @@ public function __construct(
         CaptchaConfigPostProcessorInterface $configPostProcessor,
         AddressMetadataInterface $addressMetadata = null,
         AttributeOptionManagementInterface $attributeOptionManager = null,
-        CustomerAddressDataProvider $customerAddressData = null
+        CustomerAddressDataProvider $customerAddressData = null,
+        Escaper $escaper = null
     ) {
         $this->checkoutHelper = $checkoutHelper;
         $this->checkoutSession = $checkoutSession;
@@ -289,6 +297,7 @@ public function __construct(
         $this->customerAddressData = $customerAddressData ?:
             ObjectManager::getInstance()->get(CustomerAddressDataProvider::class);
         $this->configPostProcessor = $configPostProcessor;
+        $this->escaper = $escaper ?? ObjectManager::getInstance()->get(Escaper::class);
     }
 
     /**
@@ -343,6 +352,7 @@ public function getConfig()
             'shipping/shipping_policy/shipping_policy_content',
             ScopeInterface::SCOPE_STORE
         );
+        $policyContent = $this->escaper->escapeHtml($policyContent);
         $output['shippingPolicy'] = [
             'isEnabled' => $this->scopeConfig->isSetFlag(
                 'shipping/shipping_policy/enable_shipping_policy',

app/code/Magento/Checkout/Test/Unit/Controller/Sidebar/UpdateItemQtyTest.php

@@ -19,6 +19,9 @@
 use PHPUnit\Framework\TestCase;
 use Psr\Log\LoggerInterface;
 
+/**
+ * Class used to execute test cases for update item quantity
+ */
 class UpdateItemQtyTest extends TestCase
 {
     /**
@@ -244,4 +247,36 @@ public function testExecuteWithException(): void
 
         $this->assertEquals('json represented', $this->updateItemQty->execute());
     }
+
+    /**
+     * @return void
+     */
+    public function testExecuteWithInvalidItemQty(): void
+    {
+        $error = [
+            'success' => false,
+            'error_message' => 'Invalid Item Quantity Requested.'
+        ];
+        $jsonResult = json_encode($error);
+        $this->requestMock
+            ->method('getParam')
+            ->withConsecutive(['item_id', null], ['item_qty', null])
+            ->willReturnOnConsecutiveCalls('1', '{{7+2}}');
+
+        $this->sidebarMock->expects($this->once())
+            ->method('getResponseData')
+            ->with('Invalid Item Quantity Requested.')
+            ->willReturn($error);
+
+        $this->jsonHelperMock->expects($this->once())
+            ->method('jsonEncode')
+            ->with($error)
+            ->willReturn($jsonResult);
+
+        $this->responseMock->expects($this->once())
+            ->method('representJson')
+            ->willReturn($jsonResult);
+
+        $this->assertEquals($jsonResult, $this->updateItemQty->execute());
+    }
 }

app/code/Magento/Checkout/i18n/en_US.csv

@@ -186,3 +186,4 @@ Payment,Payment
 "Show Cross-sell Items in the Shopping Cart","Show Cross-sell Items in the Shopping Cart"
 "You added %1 to your <a href=""%2"">shopping cart</a>.","You added %1 to your <a href=""%2"">shopping cart</a>."
 "The shipping method is missing. Select the shipping method and try again.","The shipping method is missing. Select the shipping method and try again."
+"Invalid Item Quantity Requested.","Invalid Item Quantity Requested."

app/code/Magento/Customer/Controller/Account/Confirmation.php

@@ -3,6 +3,8 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Customer\Controller\Account;
 
 use Magento\Customer\Api\AccountManagementInterface;
@@ -13,22 +15,26 @@
 use Magento\Framework\App\Action\HttpPostActionInterface as HttpPostActionInterface;
 use Magento\Framework\App\Action\Context;
 use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Controller\Result\Redirect;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Exception\State\InvalidTransitionException;
+use Magento\Framework\View\Result\Page;
 use Magento\Framework\View\Result\PageFactory;
 use Magento\Store\Model\StoreManagerInterface;
 
 /**
- * Class Confirmation. Send confirmation link to specified email
+ * Send confirmation link to specified email
  */
 class Confirmation extends AbstractAccount implements HttpGetActionInterface, HttpPostActionInterface
 {
     /**
-     * @var \Magento\Store\Model\StoreManagerInterface
+     * @var StoreManagerInterface
      */
     protected $storeManager;
 
     /**
-     * @var \Magento\Customer\Api\AccountManagementInterface
+     * @var AccountManagementInterface
      */
     protected $customerAccountManagement;
 
@@ -53,7 +59,7 @@ class Confirmation extends AbstractAccount implements HttpGetActionInterface, Ht
      * @param PageFactory $resultPageFactory
      * @param StoreManagerInterface $storeManager
      * @param AccountManagementInterface $customerAccountManagement
-     * @param Url $customerUrl
+     * @param Url|null $customerUrl
      */
     public function __construct(
         Context $context,
@@ -74,48 +80,52 @@ public function __construct(
     /**
      * Send confirmation link to specified email
      *
-     * @return \Magento\Framework\Controller\Result\Redirect|\Magento\Framework\View\Result\Page
+     * @return Redirect|Page
+     * @throws LocalizedException
      */
     public function execute()
     {
         if ($this->session->isLoggedIn()) {
-            /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
-            $resultRedirect = $this->resultRedirectFactory->create();
-            $resultRedirect->setPath('*/*/');
-            return $resultRedirect;
+            return $this->getRedirect('*/*/');
         }
 
-        // try to confirm by email
         $email = $this->getRequest()->getPost('email');
-        if ($email) {
-            /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
-            $resultRedirect = $this->resultRedirectFactory->create();
 
+        if ($email) {
             try {
                 $this->customerAccountManagement->resendConfirmation(
                     $email,
                     $this->storeManager->getStore()->getWebsiteId()
                 );
                 $this->messageManager->addSuccessMessage(__('Please check your email for confirmation key.'));
+                return $this->getRedirect('*/*/index', ['_secure' => true]);
             } catch (InvalidTransitionException $e) {
                 $this->messageManager->addSuccessMessage(__('This email does not require confirmation.'));
-            } catch (\Exception $e) {
-                $this->messageManager->addExceptionMessage($e, __('Wrong email.'));
-                $resultRedirect->setPath('*/*/*', ['email' => $email, '_secure' => true]);
-                return $resultRedirect;
+                return $this->getRedirect('*/*/index', ['_secure' => true]);
+            } catch (NoSuchEntityException $e) {
+                $this->messageManager->addErrorMessage(__('Wrong email.'));
             }
-            $this->session->setUsername($email);
-            $resultRedirect->setPath('*/*/index', ['_secure' => true]);
-            return $resultRedirect;
         }
 
-        /** @var \Magento\Framework\View\Result\Page $resultPage */
         $resultPage = $this->resultPageFactory->create();
-        $resultPage->getLayout()->getBlock('accountConfirmation')->setEmail(
-            $this->getRequest()->getParam('email', $email)
-        )->setLoginUrl(
-            $this->customerUrl->getLoginUrl()
-        );
+        $resultPage->getLayout()->getBlock('accountConfirmation')
+            ->setEmail($email)
+            ->setLoginUrl($this->customerUrl->getLoginUrl());
         return $resultPage;
     }
+
+    /**
+     * Returns redirect object
+     *
+     * @param string $path
+     * @param array $params
+     * @return Redirect
+     */
+    private function getRedirect(string $path, array $params = []): Redirect
+    {
+        $resultRedirect = $this->resultRedirectFactory->create();
+        $resultRedirect->setPath($path, $params);
+
+        return $resultRedirect;
+    }
 }

app/code/Magento/Customer/Model/Plugin/UpdateCustomer.php

@@ -11,6 +11,8 @@
 use Magento\Framework\Webapi\Rest\Request as RestRequest;
 use Magento\Customer\Api\Data\CustomerInterface;
 use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * Update customer by id from request param
@@ -22,12 +24,19 @@ class UpdateCustomer
      */
     private $request;
 
+    /**
+     * @var UserContextInterface
+     */
+    private $userContext;
+
     /**
      * @param RestRequest $request
+     * @param UserContextInterface|null $userContext
      */
-    public function __construct(RestRequest $request)
+    public function __construct(RestRequest $request, ?UserContextInterface $userContext = null)
     {
         $this->request = $request;
+        $this->userContext = $userContext ?? ObjectManager::getInstance()->get(UserContextInterface::class);
     }
 
     /**
@@ -43,10 +52,14 @@ public function beforeSave(
         CustomerInterface $customer,
         ?string $passwordHash = null
     ): array {
-        $customerId = $this->request->getParam('customerId');
+        $customerSessionId = $this->userContext->getUserType() === $this->userContext::USER_TYPE_CUSTOMER ?
+                             (int)$this->userContext->getUserId() : 0;
+        $customerId = (int)$this->request->getParam('customerId');
         $bodyParams = $this->request->getBodyParams();
         if (!isset($bodyParams['customer']['Id']) && $customerId) {
-            $customer = $this->getUpdatedCustomer($customerRepository->getById($customerId), $customer);
+            if ($customerId === $customerSessionId || $customerSessionId === 0) {
+                $customer = $this->getUpdatedCustomer($customerRepository->getById($customerId), $customer);
+            }
         }
 
         return [$customer, $passwordHash];

app/code/Magento/Quote/Plugin/Webapi/Controller/Rest/ValidateQuoteData.php

@@ -0,0 +1,56 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+namespace Magento\Quote\Plugin\Webapi\Controller\Rest;
+
+use Magento\Webapi\Controller\Rest\ParamsOverrider;
+
+/**
+ * Validates Quote Data
+ */
+class ValidateQuoteData
+{
+    private const QUOTE_KEY = 'quote';
+
+    /**
+     * Before Overriding to validate data
+     *
+     * @param ParamsOverrider $subject
+     * @param array $inputData
+     * @param array $parameters
+     * @return array[]
+     *
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+
+    public function beforeOverride(ParamsOverrider $subject, array $inputData, array $parameters): array
+    {
+        if (isset($inputData[self:: QUOTE_KEY])) {
+            $inputData[self:: QUOTE_KEY] = $this->validateInputData($inputData[self:: QUOTE_KEY]);
+        };
+        return [$inputData, $parameters];
+    }
+
+    /**
+     * Validates InputData
+     *
+     * @param array $inputData
+     * @return array
+     */
+    private function validateInputData(array $inputData): array
+    {
+        $result = [];
+
+        $data = array_filter($inputData, function ($k) use (&$result) {
+            $key = is_string($k) ? strtolower($k) : $k;
+            return !isset($result[$key]) && ($result[$key] = true);
+        }, ARRAY_FILTER_USE_KEY);
+
+        return array_map(function ($value) {
+            return is_array($value) ? $this->validateInputData($value) : $value;
+        }, $data);
+    }
+}