Merge pull request #292 from magento-fearless-kiwis/FearlessKiwis-MAGETWO-57580-Backport-Csrf-delete-the-customer-addresses

Oleksii Korshenko · web-flow · commit 8e2592435c77 · 2016-08-26T17:52:13.000-05:00
Fixed issues: - MAGETWO-57580: [Backport] CSRF delete the customer addresses - MAGETWO-56963: Clone Clone [GitHub] State/Province field doesn't show as required on the add new address page. #5279
diff --git a/app/code/Magento/Checkout/view/frontend/web/js/region-updater.js b/app/code/Magento/Checkout/view/frontend/web/js/region-updater.js
@@ -25,6 +25,10 @@ define([
             isMultipleCountriesAllowed: true
         },
 
+        /**
+         *
+         * @private
+         */
         _create: function () {
             this._initCountryElement();
 
@@ -43,12 +47,18 @@ define([
             }, this));
         },
 
-        _initCountryElement: function() {
+        /**
+         *
+         * @private
+         */
+        _initCountryElement: function () {
+
             if (this.options.isMultipleCountriesAllowed) {
                 this.element.parents('div.field').show();
                 this.element.on('change', $.proxy(function (e) {
                     this._updateRegion($(e.target).val());
                 }, this));
+
                 if (this.options.isCountryRequired) {
                     this.element.addClass('required-entry');
                     this.element.parents('div.field').addClass('required');
@@ -60,6 +70,7 @@ define([
 
         /**
          * Remove options from dropdown list
+         *
          * @param {Object} selectElement - jQuery object for dropdown list
          * @private
          */
@@ -113,7 +124,7 @@ define([
          * @private
          */
         _clearError: function () {
-            if (this.options.clearError && typeof (this.options.clearError) === 'function') {
+            if (this.options.clearError && typeof this.options.clearError === 'function') {
                 this.options.clearError.call(this);
             } else {
                 if (!this.options.form) {
@@ -122,12 +133,19 @@ define([
 
                 this.options.form = $(this.options.form);
 
-                this.options.form && this.options.form.data('validation') && this.options.form.validation('clearError',
+                this.options.form && this.options.form.data('validator') && this.options.form.validation('clearError',
                     this.options.regionListId, this.options.regionInputId, this.options.postcodeId);
+
+                // Clean up errors on region & zip fix
+                $(this.options.regionInputId).removeClass('mage-error').parent().find('[generated]').remove();
+                $(this.options.regionListId).removeClass('mage-error').parent().find('[generated]').remove();
+                $(this.options.postcodeId).removeClass('mage-error').parent().find('[generated]').remove();
             }
         },
+
         /**
          * Update dropdown list based on the country selected
+         *
          * @param {String} country - 2 uppercase letter for country code
          * @private
          */
@@ -182,11 +200,12 @@ define([
                     if (!this.options.optionalRegionAllowed) {
                         regionInput.attr('disabled', 'disabled');
                     }
+                    requiredLabel.removeClass('required');
+                    regionInput.removeClass('required-entry');
                 }
 
                 regionList.removeClass('required-entry').hide();
                 regionInput.show();
-                requiredLabel.removeClass('required');
                 label.attr('for', regionInput.attr('id'));
             }
 
@@ -208,10 +227,11 @@ define([
          * @private
          */
         _checkRegionRequired: function (country) {
-            this.options.isRegionRequired = false;
             var self = this;
+
+            this.options.isRegionRequired = false;
             $.each(this.options.regionJson.config.regions_required, function (index, elem) {
-                if (elem == country) {
+                if (elem === country) {
                     self.options.isRegionRequired = true;
                 }
             });
diff --git a/app/code/Magento/Customer/Controller/Address/Delete.php b/app/code/Magento/Customer/Controller/Address/Delete.php
@@ -15,7 +15,7 @@ public function execute()
     {
         $addressId = $this->getRequest()->getParam('id', false);
 
-        if ($addressId) {
+        if ($addressId && $this->_formKeyValidator->validate($this->getRequest())) {
             try {
                 $address = $this->_addressRepository->getById($addressId);
                 if ($address->getCustomerId() === $this->_getSession()->getCustomerId()) {
diff --git a/app/code/Magento/Customer/Test/Unit/Controller/Address/DeleteTest.php b/app/code/Magento/Customer/Test/Unit/Controller/Address/DeleteTest.php
@@ -0,0 +1,162 @@
+<?php
+/**
+ * Copyright © 2016 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Customer\Test\Unit\Controller\Address;
+
+use Magento\Customer\Controller\Address\Delete;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+
+/**
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ */
+class DeleteTest extends \PHPUnit_Framework_TestCase
+{
+    /** @var Delete */
+    protected $model;
+
+    /** @var \Magento\Customer\Model\Session|\PHPUnit_Framework_MockObject_MockObject */
+    protected $sessionMock;
+
+    /** @var \Magento\Framework\Data\Form\FormKey\Validator|\PHPUnit_Framework_MockObject_MockObject */
+    protected $validatorMock;
+
+    /** @var \Magento\Customer\Api\AddressRepositoryInterface|\PHPUnit_Framework_MockObject_MockObject */
+    protected $addressRepositoryMock;
+
+    /** @var \Magento\Framework\App\RequestInterface|\PHPUnit_Framework_MockObject_MockObject */
+    protected $request;
+
+    /** @var \Magento\Customer\Api\Data\AddressInterface|\PHPUnit_Framework_MockObject_MockObject */
+    protected $address;
+
+    /** @var \Magento\Framework\Message\ManagerInterface|\PHPUnit_Framework_MockObject_MockObject */
+    protected $messageManager;
+
+    /** @var \Magento\Framework\Controller\Result\RedirectFactory|\PHPUnit_Framework_MockObject_MockObject */
+    protected $resultRedirectFactory;
+
+    /** @var \Magento\Framework\Controller\Result\Redirect|\PHPUnit_Framework_MockObject_MockObject */
+    protected $resultRedirect;
+
+    protected function setUp()
+    {
+        $this->sessionMock = $this->getMockBuilder(\Magento\Customer\Model\Session::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->validatorMock = $this->getMockBuilder(\Magento\Framework\Data\Form\FormKey\Validator::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->addressRepositoryMock = $this->getMockBuilder(\Magento\Customer\Api\AddressRepositoryInterface::class)
+            ->getMockForAbstractClass();
+        $this->request = $this->getMockBuilder(\Magento\Framework\App\RequestInterface::class)
+            ->getMockForAbstractClass();
+        $this->address = $this->getMockBuilder(\Magento\Customer\Api\Data\AddressInterface::class)
+            ->getMockForAbstractClass();
+        $this->messageManager = $this->getMockBuilder(\Magento\Framework\Message\ManagerInterface::class)
+            ->getMockForAbstractClass();
+        $this->resultRedirectFactory =
+            $this->getMockBuilder(\Magento\Framework\Controller\Result\RedirectFactory::class)
+                ->disableOriginalConstructor()
+                ->getMock();
+        $this->resultRedirect = $this->getMockBuilder(\Magento\Framework\Controller\Result\Redirect::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->request = $this->getMockBuilder(\Magento\Framework\App\RequestInterface::class)
+            ->getMockForAbstractClass();
+
+        $objectManager = new ObjectManagerHelper($this);
+        $this->model =  $objectManager->getObject(
+            Delete::class,
+            [
+                'request' => $this->request,
+                'resultRedirectFactory' => $this->resultRedirectFactory,
+                'messageManager' => $this->messageManager,
+                'customerSession' => $this->sessionMock,
+                'formKeyValidator' => $this->validatorMock,
+                'addressRepository' => $this->addressRepositoryMock
+            ]
+        );
+    }
+
+    public function testExecute()
+    {
+        $addressId = 1;
+        $customerId = 2;
+
+        $this->resultRedirectFactory->expects($this->once())
+            ->method('create')
+            ->willReturn($this->resultRedirect);
+        $this->request->expects($this->once())
+            ->method('getParam')
+            ->with('id', false)
+            ->willReturn($addressId);
+        $this->validatorMock->expects($this->once())
+            ->method('validate')
+            ->with($this->request)
+            ->willReturn(true);
+        $this->addressRepositoryMock->expects($this->once())
+            ->method('getById')
+            ->with($addressId)
+            ->willReturn($this->address);
+        $this->sessionMock->expects($this->once())
+            ->method('getCustomerId')
+            ->willReturn($customerId);
+        $this->address->expects($this->once())
+            ->method('getCustomerId')
+            ->willReturn($customerId);
+        $this->addressRepositoryMock->expects($this->once())
+            ->method('deleteById')
+            ->with($addressId);
+        $this->messageManager->expects($this->once())
+            ->method('addSuccess')
+            ->with(__('You deleted the address.'));
+        $this->resultRedirect->expects($this->once())
+            ->method('setPath')
+            ->with('*/*/index')
+            ->willReturnSelf();
+        $this->assertSame($this->resultRedirect, $this->model->execute());
+    }
+
+    public function testExecuteWithException()
+    {
+        $addressId = 1;
+        $customerId = 2;
+
+        $this->resultRedirectFactory->expects($this->once())
+            ->method('create')
+            ->willReturn($this->resultRedirect);
+        $this->request->expects($this->once())
+            ->method('getParam')
+            ->with('id', false)
+            ->willReturn($addressId);
+        $this->validatorMock->expects($this->once())
+            ->method('validate')
+            ->with($this->request)
+            ->willReturn(true);
+        $this->addressRepositoryMock->expects($this->once())
+            ->method('getById')
+            ->with($addressId)
+            ->willReturn($this->address);
+        $this->sessionMock->expects($this->once())
+            ->method('getCustomerId')
+            ->willReturn($customerId);
+        $this->address->expects($this->once())
+            ->method('getCustomerId')
+            ->willReturn(34);
+        $exception = new \Exception('Exception');
+        $this->messageManager->expects($this->once())
+            ->method('addError')
+            ->with(__('We can\'t delete the address right now.'))
+            ->willThrowException($exception);
+        $this->messageManager->expects($this->once())
+            ->method('addException')
+            ->with($exception, __('We can\'t delete the address right now.'));
+        $this->resultRedirect->expects($this->once())
+            ->method('setPath')
+            ->with('*/*/index')
+            ->willReturnSelf();
+        $this->assertSame($this->resultRedirect, $this->model->execute());
+    }
+}
diff --git a/app/code/Magento/Customer/view/frontend/web/address.js b/app/code/Magento/Customer/view/frontend/web/address.js
@@ -61,10 +61,12 @@ define([
                 actions: {
                     confirm: function() {
                         if (typeof $(e.target).parent().data('address') !== 'undefined') {
-                            window.location = self.options.deleteUrlPrefix + $(e.target).parent().data('address');
+                            window.location = self.options.deleteUrlPrefix + $(e.target).parent().data('address')
+                                + '/form_key/' + $.mage.cookies.get('form_key');
                         }
                         else {
-                            window.location = self.options.deleteUrlPrefix + $(e.target).data('address');
+                            window.location = self.options.deleteUrlPrefix + $(e.target).data('address')
+                                + '/form_key/' + $.mage.cookies.get('form_key');
                         }
                     }
                 }
diff --git a/dev/tests/integration/testsuite/Magento/Customer/Controller/AddressTest.php b/dev/tests/integration/testsuite/Magento/Customer/Controller/AddressTest.php
@@ -5,13 +5,18 @@
  */
 namespace Magento\Customer\Controller;
 
+use Magento\Customer\Api\AccountManagementInterface;
+use Magento\Framework\Data\Form\FormKey;
 use Magento\TestFramework\Helper\Bootstrap;
 
 class AddressTest extends \Magento\TestFramework\TestCase\AbstractController
 {
-    /** @var \Magento\Customer\Api\AccountManagementInterface */
+    /** @var AccountManagementInterface */
     private $accountManagement;
 
+    /** @var FormKey */
+    private $formKey;
+
     protected function setUp()
     {
         parent::setUp();
@@ -20,9 +25,8 @@ protected function setUp()
             'Magento\Customer\Model\Session',
             [$logger]
         );
-        $this->accountManagement = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->create(
-            'Magento\Customer\Api\AccountManagementInterface'
-        );
+        $this->accountManagement = Bootstrap::getObjectManager()->create(AccountManagementInterface::class);
+        $this->formKey = Bootstrap::getObjectManager()->create(FormKey::class);
         $customer = $this->accountManagement->authenticate('customer@example.com', 'password');
         $session->setCustomerDataAsLoggedIn($customer);
     }
@@ -152,6 +156,7 @@ public function testFailedFormPostAction()
     public function testDeleteAction()
     {
         $this->getRequest()->setParam('id', 1);
+        $this->getRequest()->setParam('form_key', $this->formKey->getFormKey());
         // we are overwriting the address coming from the fixture
         $this->dispatch('customer/address/delete');
 
@@ -169,6 +174,7 @@ public function testDeleteAction()
     public function testWrongAddressDeleteAction()
     {
         $this->getRequest()->setParam('id', 555);
+        $this->getRequest()->setParam('form_key', $this->formKey->getFormKey());
         // we are overwriting the address coming from the fixture
         $this->dispatch('customer/address/delete');
 

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ public function execute()`
`15`	`15`	`{`
`16`	`16`	`$addressId = $this->getRequest()->getParam('id', false);`
`17`	`17`
`18`		`- if ($addressId) {`
	`18`	`+ if ($addressId && $this->_formKeyValidator->validate($this->getRequest())) {`
`19`	`19`	`try {`
`20`	`20`	`$address = $this->_addressRepository->getById($addressId);`
`21`	`21`	`if ($address->getCustomerId() === $this->_getSession()->getCustomerId()) {`
Original file line number	Diff line number	Diff line change
`@@ -61,10 +61,12 @@ define([`
`61`	`61`	`actions: {`
`62`	`62`	`confirm: function() {`
`63`	`63`	`if (typeof $(e.target).parent().data('address') !== 'undefined') {`
`64`		`- window.location = self.options.deleteUrlPrefix + $(e.target).parent().data('address');`
	`64`	`+ window.location = self.options.deleteUrlPrefix + $(e.target).parent().data('address')`
	`65`	`+ + '/form_key/' + $.mage.cookies.get('form_key');`
`65`	`66`	`}`
`66`	`67`	`else {`
`67`		`- window.location = self.options.deleteUrlPrefix + $(e.target).data('address');`
	`68`	`+ window.location = self.options.deleteUrlPrefix + $(e.target).data('address')`
	`69`	`+ + '/form_key/' + $.mage.cookies.get('form_key');`
`68`	`70`	`}`
`69`	`71`	`}`
`70`	`72`	`}`