AC-13757: Order cancellation reason validation

Author: mrprabhu92

app/code/Magento/OrderCancellationGraphQl/Model/Validator/ValidateOrderCancellationReason.php

@@ -0,0 +1,61 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ *
+ * NOTICE: All information contained herein is, and remains
+ * the property of Adobe and its suppliers, if any. The intellectual
+ * and technical concepts contained herein are proprietary to Adobe
+ * and its suppliers and are protected by all applicable intellectual
+ * property laws, including trade secret and copyright laws.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe.
+ */
+declare(strict_types=1);
+
+namespace Magento\OrderCancellationGraphQl\Model\Validator;
+
+use Magento\OrderCancellation\Model\Config\Config;
+use Magento\Sales\Model\Order;
+
+/**
+ * Validate cancellation reason of order
+ */
+class ValidateOrderCancellationReason
+{
+    /**
+     * @var Config $config
+     */
+    private Config $config;
+
+    /**
+     * ValidateOrderCancellationReason Constructor
+     *
+     * @param Config $config
+     */
+    public function __construct(
+        Config $config
+    ) {
+        $this->config = $config;
+    }
+
+    /**
+     * Validate cancellation reason
+     *
+     * @param Order $order
+     * @param string $reason
+     * @return bool
+     */
+    public function validateReason(
+        Order $order,
+        string $reason
+    ): bool {
+        $cancellationReasons = array_map(
+            'strtolower',
+            $this->config->getCancellationReasons($order->getStore())
+        );
+
+        return !in_array(strtolower(trim($reason)), $cancellationReasons);
+    }
+}

app/code/Magento/OrderCancellationGraphQl/Plugin/Model/CancelOrder.php

@@ -0,0 +1,66 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ *
+ * NOTICE: All information contained herein is, and remains
+ * the property of Adobe and its suppliers, if any. The intellectual
+ * and technical concepts contained herein are proprietary to Adobe
+ * and its suppliers and are protected by all applicable intellectual
+ * property laws, including trade secret and copyright laws.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe.
+ */
+declare(strict_types=1);
+
+namespace Magento\OrderCancellationGraphQl\Plugin\Model;
+
+use Magento\Framework\GraphQl\Exception\GraphQlInputException;
+use Magento\OrderCancellationGraphQl\Model\Validator\ValidateOrderCancellationReason;
+use Magento\Sales\Model\Order;
+use Magento\OrderCancellation\Model\CancelOrder as Subject;
+
+/**
+ * Plugin for cancel order model
+ */
+class CancelOrder
+{
+    /**
+     * @var ValidateOrderCancellationReason $validateOrderCancellationReason
+     */
+    private ValidateOrderCancellationReason $validateOrderCancellationReason;
+
+    /**
+     * @param ValidateOrderCancellationReason $validateOrderCancellationReason
+     */
+    public function __construct(
+        ValidateOrderCancellationReason $validateOrderCancellationReason
+    ) {
+        $this->validateOrderCancellationReason = $validateOrderCancellationReason;
+    }
+
+    /**
+     * Before plugin for reason validation
+     *
+     * @param Subject $subject
+     * @param Order $order
+     * @param string $reason
+     * @return array
+     * @throws GraphQlInputException
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function beforeExecute(
+        Subject $subject,
+        Order $order,
+        string $reason
+    ) {
+        if (!empty($reason)) {
+            if ($this->validateOrderCancellationReason->validateReason($order, $reason)) {
+                throw new GraphQlInputException(__('Order cancellation reason is invalid.'));
+            }
+        }
+
+        return [$order, $reason];
+    }
+}

app/code/Magento/OrderCancellationGraphQl/Plugin/Model/CancelOrderGuest.php

@@ -0,0 +1,66 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ *
+ * NOTICE: All information contained herein is, and remains
+ * the property of Adobe and its suppliers, if any. The intellectual
+ * and technical concepts contained herein are proprietary to Adobe
+ * and its suppliers and are protected by all applicable intellectual
+ * property laws, including trade secret and copyright laws.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe.
+ */
+declare(strict_types=1);
+
+namespace Magento\OrderCancellationGraphQl\Plugin\Model;
+
+use Magento\Framework\GraphQl\Exception\GraphQlInputException;
+use Magento\OrderCancellationGraphQl\Model\Validator\ValidateOrderCancellationReason;
+use Magento\Sales\Model\Order;
+use Magento\OrderCancellationGraphQl\Model\CancelOrderGuest as Subject;
+
+/**
+ * Plugin for guest cancel order model
+ */
+class CancelOrderGuest
+{
+    /**
+     * @var ValidateOrderCancellationReason $validateOrderCancellationReason
+     */
+    private ValidateOrderCancellationReason $validateOrderCancellationReason;
+
+    /**
+     * @param ValidateOrderCancellationReason $validateOrderCancellationReason
+     */
+    public function __construct(
+        ValidateOrderCancellationReason $validateOrderCancellationReason
+    ) {
+        $this->validateOrderCancellationReason = $validateOrderCancellationReason;
+    }
+
+    /**
+     * Before plugin for reason validation
+     *
+     * @param Subject $subject
+     * @param Order $order
+     * @param array $input
+     * @return array
+     * @throws GraphQlInputException
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function beforeExecute(
+        Subject $subject,
+        Order $order,
+        array $input
+    ) {
+        if (!empty($input['reason'])) {
+            if ($this->validateOrderCancellationReason->validateReason($order, $input['reason'])) {
+                throw new GraphQlInputException(__('Order cancellation reason is invalid.'));
+            }
+        }
+
+        return [$order, $input];
+    }
+}

app/code/Magento/OrderCancellationGraphQl/etc/graphql/di.xml

@@ -1,8 +1,17 @@
 <?xml version="1.0"?>
 <!--
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ *
+ * NOTICE: All information contained herein is, and remains
+ * the property of Adobe and its suppliers, if any. The intellectual
+ * and technical concepts contained herein are proprietary to Adobe
+ * and its suppliers and are protected by all applicable intellectual
+ * property laws, including trade secret and copyright laws.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe.
  */
 -->
 <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
@@ -34,4 +43,10 @@
             </argument>
         </arguments>
     </type>
+    <type name="Magento\OrderCancellation\Model\CancelOrder">
+        <plugin name="validateCancelOrderReason" type="Magento\OrderCancellationGraphQl\Plugin\Model\CancelOrder"/>
+    </type>
+    <type name="Magento\OrderCancellationGraphQl\Model\CancelOrderGuest">
+        <plugin name="validateCancelGuestOrderReason" type="Magento\OrderCancellationGraphQl\Plugin\Model\CancelOrderGuest"/>
+    </type>
 </config>

app/code/Magento/OrderCancellationGraphQl/i18n/en_US.csv

@@ -1,3 +1,4 @@
 "Confirm Your %store_name Order Cancellation","Confirm Your %store_name Order Cancellation"
 "It seems that you'd like to cancel your order #%order_id. If this is correct, please <a href=""%url_to_confirm"">click here</a> to confirm your cancellation request.","It seems that you'd like to cancel your order #%order_id. If this is correct, please <a href=""%url_to_confirm"">click here</a> to confirm your cancellation request."
+"Order cancellation reason is invalid.","Order cancellation reason is invalid."
 

dev/tests/api-functional/testsuite/Magento/GraphQl/OrderCancellation/CancelGuestOrderTest.php

@@ -77,7 +77,7 @@ public function testAttemptToCancelOrderWhenMissingToken()
         mutation {
             requestGuestOrderCancel(
               input: {
-                reason: "Cancel sample reason"
+                reason: "Other"
               }
             ){
                 error
@@ -127,7 +127,7 @@ public function testAttemptToCancelOrderWithInvalidToken()
             requestGuestOrderCancel(
               input: {
                 token: "TestToken"
-                reason: "Cancel sample reason"
+                reason: "Other"
               }
             ){
                 error
@@ -451,7 +451,7 @@ private function getMutation(OrderInterface $order): string
             requestGuestOrderCancel(
               input: {
                 token: "{$this->getOrderToken($order)}",
-                reason: "Sample reason"
+                reason: "Other"
               }
             ){
                 errorV2 {

dev/tests/api-functional/testsuite/Magento/GraphQl/OrderCancellation/CancelOrderTest.php

@@ -1,7 +1,16 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ *
+ * NOTICE: All information contained herein is, and remains
+ * the property of Adobe and its suppliers, if any. The intellectual
+ * and technical concepts contained herein are proprietary to Adobe
+ * and its suppliers and are protected by all applicable intellectual
+ * property laws, including trade secret and copyright laws.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe.
  */
 declare(strict_types=1);
 
@@ -186,7 +195,7 @@ public function testAttemptToCancelOrderWhenMissingOrderId()
         mutation {
             cancelOrder(
               input: {
-                reason: "Cancel sample reason"
+                reason: "Other"
               }
             ){
                 error
@@ -224,7 +233,7 @@ public function testAttemptToCancelNonExistingOrder()
             cancelOrder(
               input: {
                 order_id: 99999999,
-                reason: "Cancel sample reason"
+                reason: "Other"
               }
             ){
                 error
@@ -622,7 +631,7 @@ public function testCancelOrderWithOutAnyAmountPaid()
         $this->assertEquals("Order cancellation notification email was sent.", $comment->getComment());
 
         $comment = array_pop($comments);
-        $this->assertEquals('Cancel sample reason', $comment->getComment());
+        $this->assertEquals('Other', $comment->getComment());
         $this->assertEquals('canceled', $comment->getStatus());
     }
 
@@ -672,7 +681,7 @@ public function testCancelOrderWithOfflinePaymentFullyInvoiced()
         $this->assertEquals("Order cancellation notification email was sent.", $comment->getComment());
 
         $comment = array_pop($comments);
-        $this->assertEquals('Cancel sample reason', $comment->getComment());
+        $this->assertEquals('Other', $comment->getComment());
         $this->assertEquals('closed', $comment->getStatus());
     }
 
@@ -758,7 +767,7 @@ public function testCancelOrderWithOfflinePaymentFullyInvoicedPartiallyRefunded(
         $this->assertEquals("Order cancellation notification email was sent.", $comment->getComment());
 
         $comment = array_pop($comments);
-        $this->assertEquals('Cancel sample reason', $comment->getComment());
+        $this->assertEquals('Other', $comment->getComment());
         $this->assertEquals('closed', $comment->getStatus());
     }
 
@@ -806,19 +815,14 @@ public function testCancelOrderAttemptingXSSPassedThroughReasonField()
             [
                 'cancelOrder' =>
                     [
-                        'errorV2' => null,
-                        'order' => [
-                            'status' => 'Closed'
-                        ]
+                        'errorV2' => [
+                            'message' => 'Order cancellation reason is invalid.'
+                        ],
+                        'order' => null
                     ]
             ],
             $response
         );
-
-        $comments = $order->getStatusHistories();
-        $comment = reset($comments);
-        $this->assertEquals('&lt;script&gt;while(true){alert(666);}&lt;/script&gt;', $comment->getComment());
-        $this->assertEquals('closed', $comment->getStatus());
     }
 
     #[
@@ -889,7 +893,7 @@ public function testCancelPartiallyInvoicedOrder()
         $this->assertEquals("Order cancellation notification email was sent.", $comment->getComment());
 
         $comment = array_pop($comments);
-        $this->assertEquals('Cancel sample reason', $comment->getComment());
+        $this->assertEquals('Other', $comment->getComment());
         $this->assertEquals('canceled', $comment->getStatus());
     }
 
@@ -906,7 +910,7 @@ private function getCancelOrderMutation(int $orderId): string
             cancelOrder(
               input: {
                 order_id: "{$orderId}"
-                reason: "Cancel sample reason"
+                reason: "Other"
               }
             ){
                 errorV2 {

dev/tests/api-functional/testsuite/Magento/GraphQl/OrderCancellation/ConfirmCancelGuestOrderTest.php

@@ -423,7 +423,7 @@ public function testAttemptToConfirmCancelOrderWithInvalidConfirmationKey()
          * @var $order OrderInterface
          */
         $order = DataFixtureStorageManager::getStorage()->get('order');
-        $this->confirmationKey->execute($order, 'Simple reason');
+        $this->confirmationKey->execute($order, 'Other');
 
         $query = $this->getConfirmCancelOrderMutation($order);
         $this->assertEquals(
@@ -459,7 +459,7 @@ public function testConfirmCancelOrderWithOutAnyAmountPaid()
          * @var $order OrderInterface
          */
         $order = DataFixtureStorageManager::getStorage()->get('order');
-        $confirmationKey = $this->confirmationKey->execute($order, 'Cancel sample reason');
+        $confirmationKey = $this->confirmationKey->execute($order, 'Other');
 
         $query = <<<MUTATION
         mutation {