Merge branch 'ACP2E-1513' of https://github.com/magento-l3/magento2ce into PR-2023-02-07

ArtemVasyliev · ArtemVasyliev · commit ba03d89b3c3c · 2023-02-08T12:41:14.000-06:00
diff --git a/app/code/Magento/QuoteGraphQl/Model/Resolver/RemoveItemFromCart.php b/app/code/Magento/QuoteGraphQl/Model/Resolver/RemoveItemFromCart.php
@@ -86,6 +86,8 @@ public function resolve(Field $field, $context, ResolveInfo $info, array $value
         $itemId = $processedArgs['input']['cart_item_id'];
 
         $storeId = (int)$context->getExtensionAttributes()->getStore()->getId();
+        /** Check if the current user is allowed to perform actions with the cart */
+        $this->getCartForUser->execute($maskedCartId, $context->getUserId(), $storeId);
 
         try {
             $this->cartItemRepository->deleteById($cartId, $itemId);
diff --git a/dev/tests/api-functional/testsuite/Magento/GraphQl/Quote/Customer/RemoveItemFromCartTest.php b/dev/tests/api-functional/testsuite/Magento/GraphQl/Quote/Customer/RemoveItemFromCartTest.php
@@ -7,6 +7,7 @@
 
 namespace Magento\GraphQl\Quote\Customer;
 
+use Magento\TestFramework\TestCase\GraphQl\ResponseContainsErrorsException;
 use Magento\GraphQl\Quote\GetMaskedQuoteIdByReservedOrderId;
 use Magento\GraphQl\Quote\GetQuoteItemIdByReservedQuoteIdAndSku;
 use Magento\Integration\Api\CustomerTokenServiceInterface;
@@ -147,13 +148,56 @@ public function testRemoveItemFromAnotherCustomerCart()
             'test_quote',
             'simple_product'
         );
+        $query = $this->getQuery($anotherCustomerQuoteMaskedId, $anotherCustomerQuoteItemId);
 
-        $this->expectExceptionMessage(
-            "The current user cannot perform operations on cart \"$anotherCustomerQuoteMaskedId\""
-        );
+        try {
+            $this->graphQlMutation(
+                $query,
+                [],
+                '',
+                $this->getHeaderMap('customer2@search.example.com')
+            );
+            $this->fail('ResponseContainsErrorsException was not thrown');
+        } catch (ResponseContainsErrorsException $e) {
+            $this->assertStringContainsString(
+                "The current user cannot perform operations on cart \"$anotherCustomerQuoteMaskedId\"",
+                $e->getMessage()
+            );
+            $cartQuery = $this->getCartQuery($anotherCustomerQuoteMaskedId);
+            $cart = $this->graphQlQuery(
+                $cartQuery,
+                [],
+                '',
+                $this->getHeaderMap('customer@search.example.com')
+            );
+            $this->assertTrue(count($cart['cart']['items']) > 0, 'The cart is empty');
+            $this->assertTrue(
+                $cart['cart']['items'][0]['product']['sku'] === 'simple_product',
+                'The cart doesn\'t contain product'
+            );
+        }
+    }
 
-        $query = $this->getQuery($anotherCustomerQuoteMaskedId, $anotherCustomerQuoteItemId);
-        $this->graphQlMutation($query, [], '', $this->getHeaderMap('customer2@search.example.com'));
+    /**
+     * @param string $maskedQuoteId
+     * @return string
+     */
+    private function getCartQuery(string $maskedQuoteId): string
+    {
+        return <<<QUERY
+{
+  cart(cart_id: "{$maskedQuoteId}") {
+    id
+    items {
+      id
+      quantity
+      product {
+        sku
+      }
+    }
+  }
+}
+QUERY;
     }
 
     /**
