Merge pull request #6213 from magento-tsg/MC-36005

[Condor] MC-36005: [Backport for 2.3.x] Customer REST API leaks information

Author: zakdma

app/code/Magento/Customer/Model/Address/Validator/Customer.php

@@ -0,0 +1,56 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Customer\Model\Address\Validator;
+
+use Magento\Customer\Model\Address\AbstractAddress;
+use Magento\Customer\Model\Address\ValidatorInterface;
+use Magento\Customer\Model\AddressFactory;
+use Magento\Quote\Api\Data\AddressInterface as QuoteAddressInterface;
+
+/**
+ * Validates that current Address is related to given Customer.
+ */
+class Customer implements ValidatorInterface
+{
+    /**
+     * @var AddressFactory
+     */
+    private $addressFactory;
+
+    /**
+     * @param AddressFactory $addressFactory
+     */
+    public function __construct(AddressFactory $addressFactory)
+    {
+        $this->addressFactory = $addressFactory;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validate(AbstractAddress $address): array
+    {
+        $errors = [];
+        $addressId = $address instanceof QuoteAddressInterface ? $address->getCustomerAddressId() : $address->getId();
+        if ($addressId !== null) {
+            $addressCustomerId = (int) $address->getCustomerId();
+            $originalAddressCustomerId = (int) $this->addressFactory->create()
+                ->load($addressId)
+                ->getCustomerId();
+
+            if ($originalAddressCustomerId !== 0 && $originalAddressCustomerId !== $addressCustomerId) {
+                $errors[] = __(
+                    'Provided customer ID "%customer_id" isn\'t related to current customer address.',
+                    ['customer_id' => $addressCustomerId]
+                );
+            }
+        }
+
+        return $errors;
+    }
+}

app/code/Magento/Customer/Model/Webapi/ParamOverriderCustomerGroupId.php

@@ -0,0 +1,50 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Customer\Model\Webapi;
+
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Framework\Webapi\Rest\Request\ParamOverriderInterface;
+
+/**
+ * Replaces a "%customer_group_id%" value with the real customer id
+ */
+class ParamOverriderCustomerGroupId implements ParamOverriderInterface
+{
+    /**
+     * @var UserContextInterface
+     */
+    private $userContext;
+
+    /**
+     * @var CustomerRepositoryInterface
+     */
+    private $customerRepository;
+
+    /**
+     * @param UserContextInterface $userContext
+     * @param CustomerRepositoryInterface $customerRepository
+     */
+    public function __construct(UserContextInterface $userContext, CustomerRepositoryInterface $customerRepository)
+    {
+        $this->userContext = $userContext;
+        $this->customerRepository = $customerRepository;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getOverriddenValue()
+    {
+        if ((int) $this->userContext->getUserType() === UserContextInterface::USER_TYPE_CUSTOMER) {
+            return $this->customerRepository->getById($this->userContext->getUserId())->getGroupId();
+        }
+
+        return null;
+    }
+}

app/code/Magento/Customer/Model/Webapi/ParamOverriderCustomerStoreId.php

@@ -0,0 +1,50 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Customer\Model\Webapi;
+
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Framework\Webapi\Rest\Request\ParamOverriderInterface;
+
+/**
+ * Replaces a "%customer_store_id%" value with the real customer id
+ */
+class ParamOverriderCustomerStoreId implements ParamOverriderInterface
+{
+    /**
+     * @var UserContextInterface
+     */
+    private $userContext;
+
+    /**
+     * @var CustomerRepositoryInterface
+     */
+    private $customerRepository;
+
+    /**
+     * @param UserContextInterface $userContext
+     * @param CustomerRepositoryInterface $customerRepository
+     */
+    public function __construct(UserContextInterface $userContext, CustomerRepositoryInterface $customerRepository)
+    {
+        $this->userContext = $userContext;
+        $this->customerRepository = $customerRepository;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getOverriddenValue()
+    {
+        if ((int) $this->userContext->getUserType() === UserContextInterface::USER_TYPE_CUSTOMER) {
+            return $this->customerRepository->getById($this->userContext->getUserId())->getStoreId();
+        }
+
+        return null;
+    }
+}

app/code/Magento/Customer/Model/Webapi/ParamOverriderCustomerWebsiteId.php

@@ -0,0 +1,50 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Customer\Model\Webapi;
+
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Framework\Webapi\Rest\Request\ParamOverriderInterface;
+
+/**
+ * Replaces a "%customer_website_id%" value with the real customer id
+ */
+class ParamOverriderCustomerWebsiteId implements ParamOverriderInterface
+{
+    /**
+     * @var UserContextInterface
+     */
+    private $userContext;
+
+    /**
+     * @var CustomerRepositoryInterface
+     */
+    private $customerRepository;
+
+    /**
+     * @param UserContextInterface $userContext
+     * @param CustomerRepositoryInterface $customerRepository
+     */
+    public function __construct(UserContextInterface $userContext, CustomerRepositoryInterface $customerRepository)
+    {
+        $this->userContext = $userContext;
+        $this->customerRepository = $customerRepository;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getOverriddenValue()
+    {
+        if ((int) $this->userContext->getUserType() === UserContextInterface::USER_TYPE_CUSTOMER) {
+            return $this->customerRepository->getById($this->userContext->getUserId())->getWebsiteId();
+        }
+
+        return null;
+    }
+}