MAGETWO-96746: Invalid quote in session

nathanjosiah · nathanjosiah · commit a6177a2ed229 · 2019-03-29T11:58:14.000-05:00
diff --git a/app/code/Magento/Checkout/Model/Session.php b/app/code/Magento/Checkout/Model/Session.php
@@ -218,6 +218,14 @@ public function getQuote()
                         $quote = $this->quoteRepository->getActive($this->getQuoteId());
                     }
 
+                    $customerId = $this->_customer
+                        ? $this->_customer->getId()
+                        : $this->_customerSession->getCustomerId();
+                    if ($quote->getData('customer_id') && $quote->getData('customer_id') !== $customerId) {
+                        $quote = $this->quoteFactory->create();
+                        throw new \Magento\Framework\Exception\NoSuchEntityException();
+                    }
+
                     /**
                      * If current currency code of quote is not equal current currency code of store,
                      * need recalculate totals of quote. It is possible if customer use currency switcher or
diff --git a/dev/tests/integration/testsuite/Magento/Checkout/Model/SessionTest.php b/dev/tests/integration/testsuite/Magento/Checkout/Model/SessionTest.php
@@ -6,6 +6,7 @@
 namespace Magento\Checkout\Model;
 
 use Magento\TestFramework\Helper\Bootstrap;
+use Magento\Quote\Model\Quote;
 
 class SessionTest extends \PHPUnit_Framework_TestCase
 {
@@ -65,6 +66,24 @@ public function testGetQuoteNotInitializedCustomerLoggedIn()
         $this->_validateCustomerDataInQuote($quote);
     }
 
+    /**
+     * @magentoDataFixture Magento/Sales/_files/quote_with_customer.php
+     * @magentoAppIsolation enabled
+     */
+    public function testGetQuoteWithMismatchingSession()
+    {
+        /** @var Quote $quote */
+        $quote = Bootstrap::getObjectManager()->create(Quote::class);
+        /** @var \Magento\Quote\Model\ResourceModel\Quote $quoteResource */
+        $quoteResource = Bootstrap::getObjectManager()->create(\Magento\Quote\Model\ResourceModel\Quote::class);
+        $quoteResource->load($quote, 'test01', 'reserved_order_id');
+        // Customer on quote is not logged in
+        $this->_checkoutSession->setQuoteId($quote->getId());
+        $sessionQuote = $this->_checkoutSession->getQuote();
+        $this->assertEmpty($sessionQuote->getCustomerId());
+        $this->assertNotEquals($quote->getId(), $sessionQuote->getId());
+    }
+
     /**
      * Tes merging of customer data into initialized quote object.
      *
