Merge pull request #3663 from magento-qwerty/2.2.8-bugfixes-300119

dvoskoboinikov · web-flow · commit c33b1af7b876 · 2019-01-30T14:52:59.000-06:00
Fixed issues:
- MAGETWO-97043: Template Callbacks
- MAGETWO-97081: Fixed incorrect behaviour of sync actions
diff --git a/app/code/Magento/Catalog/Model/Product/ProductFrontendAction/Synchronizer.php b/app/code/Magento/Catalog/Model/Product/ProductFrontendAction/Synchronizer.php
@@ -138,7 +138,9 @@ private function getProductIdsByActions(array $actions)
         $productIds = [];
 
         foreach ($actions as $action) {
-            $productIds[] = $action['product_id'];
+            if (isset($action['product_id']) && is_int($action['product_id'])) {
+                $productIds[] = $action['product_id'];
+            }
         }
 
         return $productIds;
@@ -159,33 +161,37 @@ public function syncActions(array $productsData, $typeId)
         $customerId = $this->session->getCustomerId();
         $visitorId = $this->visitor->getId();
         $collection = $this->getActionsByType($typeId);
-        $collection->addFieldToFilter('product_id', $this->getProductIdsByActions($productsData));
-
-        /**
-         * Note that collection is also filtered by visitor id and customer id
-         * This collection shouldnt be flushed when visitor has products and then login
-         * It can remove only products for visitor, or only products for customer
-         *
-         * ['product_id' => 'added_at']
-         * @var ProductFrontendActionInterface $item
-         */
-        foreach ($collection as $item) {
-            $this->entityManager->delete($item);
-        }
-
-        foreach ($productsData as $productId => $productData) {
-            /** @var ProductFrontendActionInterface $action */
-            $action = $this->productFrontendActionFactory->create([
-                'data' => [
-                    'visitor_id' => $customerId ? null : $visitorId,
-                    'customer_id' => $this->session->getCustomerId(),
-                    'added_at' => $productData['added_at'],
-                    'product_id' => $productId,
-                    'type_id' => $typeId
-                ]
-            ]);
-
-            $this->entityManager->save($action);
+        $productIds = $this->getProductIdsByActions($productsData);
+
+        if ($productIds) {
+            $collection->addFieldToFilter('product_id', $productIds);
+
+            /**
+             * Note that collection is also filtered by visitor id and customer id
+             * This collection shouldnt be flushed when visitor has products and then login
+             * It can remove only products for visitor, or only products for customer
+             *
+             * ['product_id' => 'added_at']
+             * @var ProductFrontendActionInterface $item
+             */
+            foreach ($collection as $item) {
+                $this->entityManager->delete($item);
+            }
+
+            foreach ($productsData as $productId => $productData) {
+                /** @var ProductFrontendActionInterface $action */
+                $action = $this->productFrontendActionFactory->create([
+                    'data' => [
+                        'visitor_id' => $customerId ? null : $visitorId,
+                        'customer_id' => $this->session->getCustomerId(),
+                        'added_at' => $productData['added_at'],
+                        'product_id' => $productId,
+                        'type_id' => $typeId
+                    ]
+                ]);
+
+                $this->entityManager->save($action);
+            }
         }
     }
 
diff --git a/lib/internal/Magento/Framework/DB/Adapter/Pdo/Mysql.php b/lib/internal/Magento/Framework/DB/Adapter/Pdo/Mysql.php
@@ -2904,7 +2904,7 @@ public function prepareSqlCondition($fieldName, $condition)
                 if (isset($condition['to'])) {
                     $query .= empty($query) ? '' : ' AND ';
                     $to     = $this->_prepareSqlDateCondition($condition, 'to');
-                    $query = $this->_prepareQuotedSqlCondition($query . $conditionKeyMap['to'], $to, $fieldName);
+                    $query = $query . $this->_prepareQuotedSqlCondition($conditionKeyMap['to'], $to, $fieldName);
                 }
             } elseif (array_key_exists($key, $conditionKeyMap)) {
                 $value = $condition[$key];
diff --git a/lib/internal/Magento/Framework/Filter/Template.php b/lib/internal/Magento/Framework/Filter/Template.php
@@ -52,6 +52,11 @@ class Template implements \Zend_Filter_Interface
      */
     protected $string;
 
+    /**
+     * @var string[]
+     */
+    private $restrictedMethods = ['addafterfiltercallback'];
+
     /**
      * @param \Magento\Framework\Stdlib\StringUtils $string
      * @param array $variables
@@ -297,6 +302,25 @@ protected function getParameters($value)
         return $params;
     }
 
+    /**
+     * Validate method call initiated in a template.
+     *
+     * Deny calls for methods that may disrupt template processing.
+     *
+     * @param object $object
+     * @param string $method
+     * @return void
+     * @throws \InvalidArgumentException
+     */
+    private function validateVariableMethodCall($object, string $method)
+    {
+        if ($object === $this) {
+            if (in_array(mb_strtolower($method), $this->restrictedMethods)) {
+                throw new \InvalidArgumentException("Method $method cannot be called from template.");
+            }
+        }
+    }
+
     /**
      * Return variable value for var construction
      *
@@ -345,12 +369,12 @@ protected function getVariable($value, $default = '{no_value_defined}')
                 $last = $i;
             } elseif (isset($stackVars[$i - 1]['variable']) && $stackVars[$i]['type'] == 'method') {
                 // Calling object methods
-                if (method_exists($stackVars[$i - 1]['variable'], $stackVars[$i]['name'])) {
-                    $stackVars[$i]['args'] = $this->getStackArgs($stackVars[$i]['args']);
-                    $stackVars[$i]['variable'] = call_user_func_array(
-                        [$stackVars[$i - 1]['variable'], $stackVars[$i]['name']],
-                        $stackVars[$i]['args']
-                    );
+                $object = $stackVars[$i - 1]['variable'];
+                $method = $stackVars[$i]['name'];
+                if (method_exists($object, $method)) {
+                    $args = $this->getStackArgs($stackVars[$i]['args']);
+                    $this->validateVariableMethodCall($object, $method);
+                    $stackVars[$i]['variable'] = call_user_func_array([$object, $method], $args);
                 }
                 $last = $i;
             }
diff --git a/lib/internal/Magento/Framework/Filter/Test/Unit/TemplateTest.php b/lib/internal/Magento/Framework/Filter/Test/Unit/TemplateTest.php
@@ -205,4 +205,15 @@ public function varDirectiveDataProvider()
             ],
         ];
     }
+
+    /**
+     * Test adding callbacks when already filtering.
+     *
+     * @expectedException \InvalidArgumentException
+     */
+    public function testInappropriateCallbacks()
+    {
+        $this->templateFilter->setVariables(['filter' => $this->templateFilter]);
+        $this->templateFilter->filter('Test {{var filter.addAfterFilterCallback(\'mb_strtolower\')}}');
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -2904,7 +2904,7 @@ public function prepareSqlCondition($fieldName, $condition)`
`2904`	`2904`	`if (isset($condition['to'])) {`
`2905`	`2905`	`$query .= empty($query) ? '' : ' AND ';`
`2906`	`2906`	`$to = $this->_prepareSqlDateCondition($condition, 'to');`
`2907`		`- $query = $this->_prepareQuotedSqlCondition($query . $conditionKeyMap['to'], $to, $fieldName);`
	`2907`	`+ $query = $query . $this->_prepareQuotedSqlCondition($conditionKeyMap['to'], $to, $fieldName);`
`2908`	`2908`	`}`
`2909`	`2909`	`} elseif (array_key_exists($key, $conditionKeyMap)) {`
`2910`	`2910`	`$value = $condition[$key];`