Merge pull request #6252 from magento-tsg/2.3.7-develop-pr150

[Condor] Fixes for 2.3 (pr150) (2.3.7-develop)

Author: zakdma

app/code/Magento/Catalog/view/base/web/js/product/name.js

@@ -5,18 +5,33 @@
 
 define([
     'Magento_Ui/js/grid/columns/column',
-    'Magento_Catalog/js/product/list/column-status-validator'
-], function (Column, columnStatusValidator) {
+    'Magento_Catalog/js/product/list/column-status-validator',
+    'escaper'
+], function (Column, columnStatusValidator, escaper) {
     'use strict';
 
     return Column.extend({
+        defaults: {
+            allowedTags: ['div', 'span', 'b', 'strong', 'i', 'em', 'u', 'a']
+        },
+
         /**
          * Depends on this option, product name can be shown or hide. Depends on  backend configuration
          *
          * @returns {Boolean}
          */
         isAllowed: function () {
             return columnStatusValidator.isValid(this.source(), 'name', 'show_attributes');
+        },
+
+        /**
+         * Name column.
+         *
+         * @param {String} label
+         * @returns {String}
+         */
+        getNameUnsanitizedHtml: function (label) {
+            return escaper.escapeHtml(label, this.allowedTags);
         }
     });
 });

app/code/Magento/Catalog/view/base/web/template/product/name.html

@@ -6,5 +6,5 @@
 -->
 <strong if="isAllowed()"
         class="product-item-name">
-    <a attr="href: $row().url" html="$col.getLabel($row())"/>
+    <a attr="href: $row().url" html="getNameUnsanitizedHtml($col.getLabel($row()))"/>
 </strong>

app/code/Magento/CustomerGraphQl/Model/Context/AddUserInfoToContext.php

@@ -60,6 +60,8 @@ public function execute(ContextParametersInterface $contextParameters): ContextP
      */
     private function isCustomer(?int $customerId, ?int $customerType): bool
     {
-        return !empty($customerId) && !empty($customerType) && $customerType !== UserContextInterface::USER_TYPE_GUEST;
+        return !empty($customerId)
+            && !empty($customerType)
+            && $customerType === UserContextInterface::USER_TYPE_CUSTOMER;
     }
 }

app/code/Magento/Multishipping/view/frontend/templates/checkout/billing.phtml

@@ -72,7 +72,7 @@
                             $methodsCount = count($methods);
                             $methodsForms = $block->hasFormTemplates() ? $block->getFormTemplates(): [];
 
-                            foreach ($methods as $_method) :
+                            foreach ($methods as $_method):
                                     $code = $_method->getCode();
                                     $checked = $block->getSelectedMethodCode() === $code;
 
@@ -82,7 +82,7 @@
                                 ?>
                                 <div data-bind="scope: 'payment_method_<?= $block->escapeHtml($code);?>'">
                                     <dt class="item-title">
-                                        <?php if ($methodsCount > 1) : ?>
+                                        <?php if ($methodsCount > 1): ?>
                                             <input type="radio"
                                                    id="p_method_<?= $block->escapeHtml($code); ?>"
                                                    value="<?= $block->escapeHtmlAttr($code); ?>"
@@ -93,11 +93,11 @@
                                                        checked: isChecked,
                                                        click: selectPaymentMethod,
                                                        visible: isRadioButtonVisible()"
-                                                <?php if ($checked) : ?>
+                                                <?php if ($checked): ?>
                                                     checked="checked"
                                                 <?php endif; ?>
                                                    class="radio"/>
-                                        <?php else : ?>
+                                        <?php else: ?>
                                             <input type="radio"
                                                    id="p_method_<?= $block->escapeHtml($code); ?>"
                                                    value="<?= $block->escapeHtmlAttr($code); ?>"
@@ -112,7 +112,7 @@
                                             <?= $block->escapeHtml($_method->getTitle()) ?>
                                         </label>
                                     </dt>
-                                    <?php if ($html = $block->getChildHtml('payment.method.' . $code)) : ?>
+                                    <?php if ($html = $block->getChildHtml('payment.method.' . $code)): ?>
                                         <dd class="item-content <?= $checked ? '' : 'no-display'; ?>">
                                             <?= /* @noEscape */ $html; ?>
                                         </dd>
@@ -171,20 +171,20 @@
             'domReady!'
         ], function(quote, $) {
             quote.billingAddress({
-                    city: '<?= /* @noEscape */ $block->getAddress()->getCity() ?>',
-                    company: '<?= /* @noEscape */ $block->getAddress()->getCompany(); ?>',
-                    countryId: '<?= /* @noEscape */ $block->getAddress()->getCountryId(); ?>',
-                    customerAddressId: '<?= /* @noEscape */ $block->getAddress()->getCustomerAddressId(); ?>',
-                    customerId: '<?= /* @noEscape */ $block->getAddress()->getCustomerId(); ?>',
-                    fax: '<?= /* @noEscape */ $block->getAddress()->getFax(); ?>',
-                    firstname: '<?= /* @noEscape */ $block->getAddress()->getFirstname(); ?>',
-                    lastname: '<?= /* @noEscape */ $block->getAddress()->getLastname(); ?>',
-                    postcode: '<?= /* @noEscape */ $block->getAddress()->getPostcode(); ?>',
-                    regionId: '<?= /* @noEscape */ $block->getAddress()->getRegionId(); ?>',
-                    regionCode: '<?= /* @noEscape */ $block->getAddress()->getRegionCode() ?>',
-                    region: '<?= /* @noEscape */ $block->getAddress()->getRegion(); ?>',
+                    city: '<?= $block->escapeJs($block->getAddress()->getCity()); ?>',
+                    company: '<?= $block->escapeJs($block->getAddress()->getCompany()); ?>',
+                    countryId: '<?= $block->escapeJs($block->getAddress()->getCountryId()); ?>',
+                    customerAddressId: '<?= $block->escapeJs($block->getAddress()->getCustomerAddressId()); ?>',
+                    customerId: '<?= $block->escapeJs($block->getAddress()->getCustomerId()); ?>',
+                    fax: '<?= $block->escapeJs($block->getAddress()->getFax()); ?>',
+                    firstname: '<?= $block->escapeJs($block->getAddress()->getFirstname()); ?>',
+                    lastname: '<?= $block->escapeJs($block->getAddress()->getLastname()); ?>',
+                    postcode: '<?= $block->escapeJs($block->getAddress()->getPostcode()); ?>',
+                    regionId: '<?= $block->escapeJs($block->getAddress()->getRegionId()); ?>',
+                    regionCode: '<?= $block->escapeJs($block->getAddress()->getRegionCode()); ?>',
+                    region: '<?= $block->escapeJs($block->getAddress()->getRegion()); ?>',
                     street: <?= /* @noEscape */ json_encode($block->getAddress()->getStreet()); ?>,
-                    telephone: '<?= /* @noEscape */ $block->getAddress()->getTelephone(); ?>'
+                    telephone: '<?= $block->escapeJs($block->getAddress()->getTelephone()); ?>'
             });
         });
     //]]>

dev/tests/api-functional/testsuite/Magento/GraphQl/Customer/GetCustomerTest.php

@@ -7,13 +7,21 @@
 
 namespace Magento\GraphQl\Customer;
 
+use Exception;
+use Magento\Customer\Api\AccountManagementInterface;
 use Magento\Customer\Api\CustomerRepositoryInterface;
 use Magento\Customer\Model\CustomerAuthUpdate;
 use Magento\Customer\Model\CustomerRegistry;
+use Magento\Framework\ObjectManagerInterface;
+use Magento\Integration\Api\AdminTokenServiceInterface;
 use Magento\Integration\Api\CustomerTokenServiceInterface;
 use Magento\TestFramework\Helper\Bootstrap;
+use Magento\TestFramework\Bootstrap as TestBootstrap;
 use Magento\TestFramework\TestCase\GraphQlAbstract;
 
+/**
+ * GraphQl tests for @see \Magento\CustomerGraphQl\Model\Customer\GetCustomer.
+ */
 class GetCustomerTest extends GraphQlAbstract
 {
     /**
@@ -36,14 +44,23 @@ class GetCustomerTest extends GraphQlAbstract
      */
     private $customerRepository;
 
+    /**
+     * @var ObjectManagerInterface
+     */
+    private $objectManager;
+
+    /**
+     * @inheridoc
+     */
     protected function setUp(): void
     {
         parent::setUp();
 
-        $this->customerTokenService = Bootstrap::getObjectManager()->get(CustomerTokenServiceInterface::class);
-        $this->customerRegistry = Bootstrap::getObjectManager()->get(CustomerRegistry::class);
-        $this->customerAuthUpdate = Bootstrap::getObjectManager()->get(CustomerAuthUpdate::class);
-        $this->customerRepository = Bootstrap::getObjectManager()->get(CustomerRepositoryInterface::class);
+        $this->objectManager = Bootstrap::getObjectManager();
+        $this->customerTokenService = $this->objectManager->get(CustomerTokenServiceInterface::class);
+        $this->customerRegistry = $this->objectManager->get(CustomerRegistry::class);
+        $this->customerAuthUpdate = $this->objectManager->get(CustomerAuthUpdate::class);
+        $this->customerRepository = $this->objectManager->get(CustomerRepositoryInterface::class);
     }
 
     /**
@@ -71,18 +88,19 @@ public function testGetCustomer()
             $this->getCustomerAuthHeaders($currentEmail, $currentPassword)
         );
 
-        $this->assertEquals(null, $response['customer']['id']);
+        $this->assertNull($response['customer']['id']);
         $this->assertEquals('John', $response['customer']['firstname']);
         $this->assertEquals('Smith', $response['customer']['lastname']);
         $this->assertEquals($currentEmail, $response['customer']['email']);
     }
 
     /**
-     * @expectedException \Exception
-     * @expectedExceptionMessage The current customer isn't authorized.
      */
     public function testGetCustomerIfUserIsNotAuthorized()
     {
+        $this->expectException(Exception::class);
+        $this->expectExceptionMessage('The current customer isn\'t authorized.');
+
         $query = <<<QUERY
 query {
     customer {
@@ -95,17 +113,49 @@ public function testGetCustomerIfUserIsNotAuthorized()
         $this->graphQlQuery($query);
     }
 
+    /**
+     * @magentoApiDataFixture Magento/User/_files/user_with_role.php
+     * @return void
+     */
+    public function testGetCustomerIfUserHasWrongType(): void
+    {
+        /** @var $adminTokenService AdminTokenServiceInterface */
+        $adminTokenService = $this->objectManager->get(AdminTokenServiceInterface::class);
+        $adminToken = $adminTokenService->createAdminAccessToken('adminUser', TestBootstrap::ADMIN_PASSWORD);
+
+        $this->expectException(Exception::class);
+        $this->expectExceptionMessage('The current customer isn\'t authorized.');
+
+        $query = <<<QUERY
+query {
+    customer {
+        firstname
+        lastname
+        email
+    }
+}
+QUERY;
+        $this->graphQlQuery(
+            $query,
+            [],
+            '',
+            ['Authorization' => 'Bearer ' . $adminToken]
+        );
+    }
+
     /**
      * @magentoApiDataFixture Magento/Customer/_files/customer.php
-     * @expectedException \Exception
-     * @expectedExceptionMessage The account is locked.
      */
     public function testGetCustomerIfAccountIsLocked()
     {
-        $this->lockCustomer(1);
-
         $currentEmail = 'customer@example.com';
         $currentPassword = 'password';
+        $customer = $this->customerRepository->get($currentEmail);
+
+        $this->lockCustomer((int)$customer->getId());
+
+        $this->expectException(Exception::class);
+        $this->expectExceptionMessage('The account is locked.');
 
         $query = <<<QUERY
 query {
@@ -125,18 +175,19 @@ public function testGetCustomerIfAccountIsLocked()
     }
 
     /**
-     * @magentoApiDataFixture Magento/Customer/_files/customer_confirmation_config_enable.php
+     * @magentoConfigFixture customer/create_account/confirm 1
      * @magentoApiDataFixture Magento/Customer/_files/customer.php
-     * @expectedExceptionMessage This account isn't confirmed. Verify and try again.
+     *
      */
     public function testAccountIsNotConfirmed()
     {
+        $this->expectExceptionMessage("This account isn't confirmed. Verify and try again.");
         $customerEmail = 'customer@example.com';
         $currentPassword = 'password';
+        $customer = $this->customerRepository->get($customerEmail);
         $headersMap = $this->getCustomerAuthHeaders($customerEmail, $currentPassword);
-        $customer = $this->customerRepository->getById(1)->setConfirmation(
-            \Magento\Customer\Api\AccountManagementInterface::ACCOUNT_CONFIRMATION_REQUIRED
-        );
+        $customer = $this->customerRepository->getById((int)$customer->getId())
+            ->setConfirmation(AccountManagementInterface::ACCOUNT_CONFIRMATION_REQUIRED);
         $this->customerRepository->save($customer);
         $query = <<<QUERY
 query {
@@ -158,6 +209,7 @@ public function testAccountIsNotConfirmed()
     private function getCustomerAuthHeaders(string $email, string $password): array
     {
         $customerToken = $this->customerTokenService->createCustomerAccessToken($email, $password);
+
         return ['Authorization' => 'Bearer ' . $customerToken];
     }
 

dev/tests/integration/testsuite/Magento/User/_files/user_with_role_rollback.php

@@ -0,0 +1,16 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\User\Model\User;
+
+/** @var $model \Magento\User\Model\User */
+$model = Bootstrap::getObjectManager()->create(User::class);
+$user = $model->loadByUsername('adminUser');
+if ($user->getId()) {
+    $model->delete();
+}