MAGETWO-37037: Customers information leak via checkout

Author: Ievgen Shakhsuvarov

app/code/Magento/Multishipping/Model/Checkout/Type/Multishipping.php

@@ -959,9 +959,6 @@ protected function isAddressIdApplicable($addressId)
             /** @var \Magento\Customer\Api\Data\AddressInterface $address */
             return $address->getId();
         }, $this->getCustomer()->getAddresses());
-        if (in_array($addressId, $applicableAddressIds)) {
-            return true;
-        }
-        return false;
+        return in_array($addressId, $applicableAddressIds);
     }
 }

app/code/Magento/Quote/Model/QuoteAddressValidator.php

@@ -16,24 +16,32 @@ class QuoteAddressValidator
     protected $addressReporitory;
 
     /**
-     * Customer factory.
+     * Customer repository.
      *
-     * @var \Magento\Customer\Model\CustomerFactory
+     * @var \Magento\Customer\Api\CustomerRepositoryInterface
      */
-    protected $customerFactory;
+    protected $customerRepository;
+
+    /**
+     * @var \Magento\Customer\Model\Session
+     */
+    protected $customerSession;
 
     /**
      * Constructs a quote shipping address validator service object.
      *
      * @param \Magento\Customer\Api\AddressRepositoryInterface $addressRepository
-     * @param \Magento\Customer\Model\CustomerFactory $customerFactory Customer factory.
+     * @param \Magento\Customer\Api\CustomerRepositoryInterface $customerRepository Customer repository.
+     * @param \Magento\Customer\Model\Session $customerSession
      */
     public function __construct(
         \Magento\Customer\Api\AddressRepositoryInterface $addressRepository,
-        \Magento\Customer\Model\CustomerFactory $customerFactory
+        \Magento\Customer\Api\CustomerRepositoryInterface $customerRepository,
+        \Magento\Customer\Model\Session $customerSession
     ) {
         $this->addressReporitory = $addressRepository;
-        $this->customerFactory = $customerFactory;
+        $this->customerRepository = $customerRepository;
+        $this->customerSession = $customerSession;
     }
 
     /**
@@ -48,8 +56,7 @@ public function validate(\Magento\Quote\Api\Data\AddressInterface $addressData)
     {
         //validate customer id
         if ($addressData->getCustomerId()) {
-            $customer = $this->customerFactory->create();
-            $customer->load($addressData->getCustomerId());
+            $customer = $this->customerRepository->getById($addressData->getCustomerId());
             if (!$customer->getId()) {
                 throw new \Magento\Framework\Exception\NoSuchEntityException(
                     __('Invalid customer id %1', $addressData->getCustomerId())
@@ -70,12 +77,24 @@ public function validate(\Magento\Quote\Api\Data\AddressInterface $addressData)
             // check correspondence between customer id and address id
             if ($addressData->getCustomerId()) {
                 if ($address->getCustomerId() != $addressData->getCustomerId()) {
-                    throw new \Magento\Framework\Exception\InputException(
-                        __('Address with id %1 belongs to another customer', $addressData->getId())
+                    throw new \Magento\Framework\Exception\NoSuchEntityException(
+                        __('Invalid address id %1', $addressData->getId())
                     );
                 }
             }
         }
+
+        if ($addressData->getCustomerAddressId()) {
+            $applicableAddressIds = array_map(function($address) {
+                /** @var \Magento\Customer\Api\Data\AddressInterface $address */
+                return $address->getId();
+            }, $this->customerSession->getCustomerDataObject()->getAddresses());
+            if (!in_array($addressData->getCustomerAddressId(), $applicableAddressIds)) {
+                throw new \Magento\Framework\Exception\NoSuchEntityException(
+                    __('Invalid address id %1', $addressData->getCustomerAddressId())
+                );
+            }
+        }
         return true;
     }
 }

app/code/Magento/Quote/Test/Unit/Model/QuoteAddressValidatorTest.php

@@ -1,20 +1,15 @@
 <?php
 /**
- *
  * Copyright © 2015 Magento. All rights reserved.
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
 namespace Magento\Quote\Test\Unit\Model;
 
-use \Magento\Quote\Model\QuoteAddressValidator;
-
 class QuoteAddressValidatorTest extends \PHPUnit_Framework_TestCase
 {
     /**
-     * @var QuoteAddressValidator
+     * @var \Magento\Quote\Model\QuoteAddressValidator
      */
     protected $model;
 
@@ -31,7 +26,7 @@ class QuoteAddressValidatorTest extends \PHPUnit_Framework_TestCase
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
-    protected $customerFactoryMock;
+    protected $customerRepositoryMock;
 
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
@@ -41,7 +36,7 @@ class QuoteAddressValidatorTest extends \PHPUnit_Framework_TestCase
     /**
      * @var \PHPUnit_Framework_MockObject_MockObject
      */
-    protected $customerMock;
+    protected $customerSessionMock;
 
     public function setUp()
     {
@@ -61,15 +56,20 @@ public function setUp()
             '',
             false
         );
-        $this->customerFactoryMock = $this->getMock(
-            '\Magento\Customer\Model\CustomerFactory', ['create', '__wakeup'], [], '', false);
-        $this->customerMock = $this->getMock('\Magento\Customer\Model\Customer', [], [], '', false);
-
+        $this->customerRepositoryMock = $this->getMock(
+            '\Magento\Customer\Api\CustomerRepositoryInterface',
+            [],
+            [],
+            '',
+            false
+        );
+        $this->customerSessionMock = $this->getMock('\Magento\Customer\Model\Session', [], [], '', false);
         $this->model = $this->objectManager->getObject(
             '\Magento\Quote\Model\QuoteAddressValidator',
             [
                 'addressRepository' => $this->addressRepositoryMock,
-                'customerFactory' => $this->customerFactoryMock
+                'customerRepository' => $this->customerRepositoryMock,
+                'customerSession' => $this->customerSessionMock
             ]
         );
     }
@@ -81,16 +81,12 @@ public function setUp()
     public function testValidateInvalidCustomer()
     {
         $customerId = 100;
-
-        $this->customerFactoryMock->expects($this->once())
-            ->method('create')
-            ->will($this->returnValue($this->customerMock));
-
-        $this->customerMock->expects($this->once())->method('load')->with($customerId);
-        $this->customerMock->expects($this->once())->method('getId')->will($this->returnValue(null));
-
         $address = $this->getMock('\Magento\Quote\Api\Data\AddressInterface');
+        $customerMock = $this->getMock('\Magento\Customer\Api\Data\CustomerInterface');
+
         $address->expects($this->atLeastOnce())->method('getCustomerId')->willReturn($customerId);
+        $this->customerRepositoryMock->expects($this->once())->method('getById')->with($customerId)
+            ->willReturn($customerMock);
         $this->model->validate($address);
     }
 
@@ -100,14 +96,13 @@ public function testValidateInvalidCustomer()
      */
     public function testValidateInvalidAddress()
     {
-        $this->customerFactoryMock->expects($this->never())->method('create');
-        $this->customerMock->expects($this->never())->method('load');
+        $address = $this->getMock('\Magento\Quote\Api\Data\AddressInterface');
+        $this->customerRepositoryMock->expects($this->never())->method('getById');
+        $address->expects($this->atLeastOnce())->method('getId')->willReturn(101);
 
         $this->addressRepositoryMock->expects($this->once())->method('getById')
             ->willThrowException(new \Magento\Framework\Exception\NoSuchEntityException());
 
-        $address = $this->getMock('\Magento\Quote\Api\Data\AddressInterface');
-        $address->expects($this->atLeastOnce())->method('getId')->willReturn(101);
         $this->model->validate($address);
     }
 
@@ -116,70 +111,76 @@ public function testValidateInvalidAddress()
      */
     public function testValidateNewAddress()
     {
-        $this->customerFactoryMock->expects($this->never())->method('create');
+        $this->customerRepositoryMock->expects($this->never())->method('getById');
         $this->addressRepositoryMock->expects($this->never())->method('getById');
-
         $address = $this->getMock('\Magento\Quote\Api\Data\AddressInterface');
         $this->assertTrue($this->model->validate($address));
     }
 
     /**
-     * @expectedException \Magento\Framework\Exception\InputException
-     * @expectedExceptionMessage Address with id 100 belongs to another customer
+     * @expectedException \Magento\Framework\Exception\NoSuchEntityException
+     * @expectedExceptionMessage Invalid address id 100
      */
     public function testValidateWithAddressOfOtherCustomer()
     {
         $addressCustomer = 100;
         $addressId = 100;
-
         $address = $this->getMock('\Magento\Quote\Api\Data\AddressInterface');
+        $customerMock = $this->getMock('\Magento\Customer\Api\Data\CustomerInterface');
+
+        $this->customerRepositoryMock->expects($this->once())->method('getById')->with($addressCustomer)
+            ->willReturn($customerMock);
+        $this->addressRepositoryMock->expects($this->once())->method('getById')->willReturn($this->quoteAddressMock);
+        $customerMock->expects($this->once())->method('getId')->willReturn(42);
         $address->expects($this->atLeastOnce())->method('getId')->willReturn($addressId);
         $address->expects($this->atLeastOnce())->method('getCustomerId')->willReturn($addressCustomer);
 
-        /** Customer mock */
-        $this->customerFactoryMock->expects($this->once())
-            ->method('create')
-            ->will($this->returnValue($this->customerMock));
-
-        $this->customerMock->expects($this->once())->method('load')->with($addressCustomer);
-        $this->customerMock->expects($this->once())->method('getId')->will($this->returnValue($addressCustomer));
+        $this->quoteAddressMock->expects($this->once())->method('getCustomerId')->willReturn(42);
+        $this->model->validate($address);
+    }
 
-        /** Quote address mock */
-        $this->addressRepositoryMock->expects($this->once())->method('getById')
-            ->will($this->returnValue($this->quoteAddressMock));
+    /**
+     * @expectedException \Magento\Framework\Exception\NoSuchEntityException
+     * @expectedExceptionMessage Invalid address id 42
+     */
+    public function testValidateWithInvalidCustomerAddressId()
+    {
+        $customerAddressId = 42;
+        $address = $this->getMock('\Magento\Quote\Api\Data\AddressInterface');
+        $customerAddress = $this->getMock('\Magento\Quote\Api\Data\AddressInterface');
+        $customerMock = $this->getMock('\Magento\Customer\Api\Data\CustomerInterface');
 
-        $this->quoteAddressMock->expects($this->atLeastOnce())->method('getCustomerId')
-            ->will($this->returnValue(10));
+        $address->expects($this->atLeastOnce())->method('getCustomerAddressId')->willReturn($customerAddressId);
+        $this->customerSessionMock->expects($this->once())->method('getCustomerDataObject')->willReturn($customerMock);
+        $customerMock->expects($this->once())->method('getAddresses')->willReturn([$customerAddress]);
+        $customerAddress->expects($this->once())->method('getId')->willReturn(43);
 
-        /** Validate */
         $this->model->validate($address);
     }
 
     public function testValidateWithValidAddress()
     {
         $addressCustomer = 100;
         $addressId = 100;
+        $customerAddressId = 42;
 
         $address = $this->getMock('\Magento\Quote\Api\Data\AddressInterface');
         $address->expects($this->atLeastOnce())->method('getId')->willReturn($addressId);
         $address->expects($this->atLeastOnce())->method('getCustomerId')->willReturn($addressCustomer);
+        $address->expects($this->atLeastOnce())->method('getCustomerAddressId')->willReturn($customerAddressId);
+        $customerMock = $this->getMock('\Magento\Customer\Api\Data\CustomerInterface');
+        $customerAddress = $this->getMock('\Magento\Quote\Api\Data\AddressInterface');
 
-        /** Customer mock */
-        $this->customerFactoryMock->expects($this->once())
-            ->method('create')
-            ->will($this->returnValue($this->customerMock));
+        $this->customerRepositoryMock->expects($this->once())->method('getById')->willReturn($customerMock);
+        $customerMock->expects($this->once())->method('getId')->willReturn($addressCustomer);
 
-        $this->customerMock->expects($this->once())->method('load')->with($addressCustomer);
-        $this->customerMock->expects($this->once())->method('getId')->will($this->returnValue($addressCustomer));
+        $this->addressRepositoryMock->expects($this->once())->method('getById')->willReturn($this->quoteAddressMock);
+        $this->quoteAddressMock->expects($this->any())->method('getCustomerId')->willReturn($addressCustomer);
 
-        /** Quote address mock */
-        $this->addressRepositoryMock->expects($this->once())->method('getById')
-            ->will($this->returnValue($this->quoteAddressMock));
-
-        $this->quoteAddressMock->expects($this->any())->method('getCustomerId')
-            ->will($this->returnValue($addressCustomer));
+        $this->customerSessionMock->expects($this->once())->method('getCustomerDataObject')->willReturn($customerMock);
+        $customerMock->expects($this->once())->method('getAddresses')->willReturn([$customerAddress]);
+        $customerAddress->expects($this->once())->method('getId')->willReturn(42);
 
-        /** Validate */
-        $this->model->validate($address);
+        $this->assertTrue($this->model->validate($address));
     }
 }