magento
diff --git a/‎app/code/Magento/Catalog/view/frontend/templates/product/view/attribute.phtml
Lines changed: 5 additions & 0 deletions b/‎app/code/Magento/Catalog/view/frontend/templates/product/view/attribute.phtml
Lines changed: 5 additions & 0 deletions
diff --git a/‎app/code/Magento/Checkout/Model/Session.php
Lines changed: 8 additions & 0 deletions b/‎app/code/Magento/Checkout/Model/Session.php
Lines changed: 8 additions & 0 deletions
diff --git a/‎app/code/Magento/CurrencySymbol/view/adminhtml/templates/grid.phtml
Lines changed: 31 additions & 24 deletions b/‎app/code/Magento/CurrencySymbol/view/adminhtml/templates/grid.phtml
Lines changed: 31 additions & 24 deletions
diff --git a/‎app/code/Magento/User/Block/Role/Grid/User.php
Lines changed: 54 additions & 22 deletions b/‎app/code/Magento/User/Block/Role/Grid/User.php
Lines changed: 54 additions & 22 deletions
diff --git a/‎app/code/Magento/User/Block/User/Edit/Tab/Roles.php
Lines changed: 20 additions & 2 deletions b/‎app/code/Magento/User/Block/User/Edit/Tab/Roles.php
Lines changed: 20 additions & 2 deletions
diff --git a/‎app/code/Magento/User/Test/Unit/Block/Role/Grid/UserTest.php
Lines changed: 17 additions & 3 deletions b/‎app/code/Magento/User/Test/Unit/Block/Role/Grid/UserTest.php
Lines changed: 17 additions & 3 deletions
@@ -15,6 +15,11 @@
 <?php
 $_helper = $this->helper('Magento\Catalog\Helper\Output');
 $_product = $block->getProduct();
+
+if (!$_product instanceof \Magento\Catalog\Model\Product) {
+    return;
+}
+
 $_call = $block->getAtCall();
 $_code = $block->getAtCode();
 $_className = $block->getCssClass();
 
@@ -218,6 +218,14 @@ public function getQuote()
                         $quote = $this->quoteRepository->getActive($this->getQuoteId());
                     }
 
+                    $customerId = $this->_customer
+                        ? $this->_customer->getId()
+                        : $this->_customerSession->getCustomerId();
+                    if ($quote->getData('customer_id') && (int)$quote->getData('customer_id') !== (int)$customerId) {
+                        $quote = $this->quoteFactory->create();
+                        throw new \Magento\Framework\Exception\NoSuchEntityException();
+                    }
+
                     /**
                      * If current currency code of quote is not equal current currency code of store,
                      * need recalculate totals of quote. It is possible if customer use currency switcher or
 
@@ -5,57 +5,64 @@
  */
 
 // @codingStandardsIgnoreFile
-
 ?>
 <?php
 /**
- * @var \Magento\CurrencySymbol\Block\Adminhtml\System\Currencysymbol $block
+ * @var $block \Magento\CurrencySymbol\Block\Adminhtml\System\Currencysymbol
  */
-?>
 
-<form id="currency-symbols-form" action="<?= /* @escapeNotVerified */ $block->getFormActionUrl() ?>" method="post">
-    <input name="form_key" type="hidden" value="<?= /* @escapeNotVerified */ $block->getFormKey() ?>" />
+$escapeHelper = $this->helper(\Magento\Framework\EscapeHelper::class);
+?>
+<form id="currency-symbols-form" action="<?php echo $escapeHelper->escapeHtmlAttr($block->getFormActionUrl()) ?>" method="post">
+    <input name="form_key" type="hidden" value="<?php echo $escapeHelper->escapeHtmlAttr($block->getFormKey()) ?>" />
     <fieldset class="admin__fieldset">
         <?php foreach ($block->getCurrencySymbolsData() as $code => $data): ?>
         <div class="admin__field _required">
-            <label class="admin__field-label" for="custom_currency_symbol<?php /* @escapeNotVerified */ echo $code; ?>">
-                <span><?php /* @escapeNotVerified */ echo $code; ?> (<?php /* @escapeNotVerified */ echo $data['displayName']; ?>)</span>
+            <label class="admin__field-label" for="custom_currency_symbol<?php echo $escapeHelper->escapeHtmlAttr($code); ?>">
+                <span><?php echo $block->escapeHtml($code); ?> (<?php echo $block->escapeHtml($data['displayName']); ?>)</span>
             </label>
             <div class="admin__field-control">
-                <input id="custom_currency_symbol<?php /* @escapeNotVerified */ echo $code; ?>"
+                <input id="custom_currency_symbol<?php echo $escapeHelper->escapeHtmlAttr($code); ?>"
                        class="required-entry admin__control-text"
                        type="text"
-                       value="<?php echo $this->helper(\Magento\Framework\EscapeHelper::class)->escapeHtmlAttr($data['displaySymbol']); ?>"
+                       value="<?php echo $escapeHelper->escapeHtmlAttr($data['displaySymbol']); ?>"
                        <?php echo $data['inherited'] ? ' disabled="disabled"' : '';?>
-                       name="custom_currency_symbol[<?php /* @escapeNotVerified */ echo $code; ?>]">
+                       name="custom_currency_symbol[<?php echo $escapeHelper->escapeHtmlAttr($code); ?>]">
                 <div class="admin__field admin__field-option">
-                    <input id="custom_currency_symbol_inherit<?php /* @escapeNotVerified */ echo $code; ?>"
+                    <input id="custom_currency_symbol_inherit<?php echo $escapeHelper->escapeHtmlAttr($code); ?>"
                            class="admin__control-checkbox" type="checkbox"
-                           onclick="toggleUseDefault(<?php /* @escapeNotVerified */ echo '\'' . $code . '\',\'' . $block->escapeQuote($data['parentSymbol'], true) . '\''; ?>)"
+                           onclick="toggleUseDefault(<?php /* @noEscape */ echo '\'' . $escapeHelper->escapeHtmlAttr($block->escapeQuote($code, true)) . '\',\'' . $block->escapeQuote($data['parentSymbol'], true) . '\''; ?>)"
                             <?php echo $data['inherited'] ? ' checked="checked"' : ''; ?>
                            value="1"
-                           name="inherit_custom_currency_symbol[<?php /* @escapeNotVerified */ echo $code; ?>]">
-                    <label class="admin__field-label" for="custom_currency_symbol_inherit<?php /* @escapeNotVerified */ echo $code; ?>"><span><?php /* @escapeNotVerified */ echo $block->getInheritText(); ?></span></label>
+                           name="inherit_custom_currency_symbol[<?php echo $escapeHelper->escapeHtmlAttr($code); ?>]">
+                    <label class="admin__field-label" for="custom_currency_symbol_inherit<?php echo $escapeHelper->escapeHtmlAttr($code); ?>"><span><?php echo $block->escapeHtml($block->getInheritText()); ?></span></label>
                 </div>
             </div>
         </div>
         <?php endforeach; ?>
     </fieldset>
 </form>
 <script>
-require(['jquery', "mage/mage", 'prototype'], function(jQuery){
+require(['jquery', 'mage/mage'], function (jQuery){
+    jQuery('#currency-symbols-form')
+        .mage('form')
+        .mage('validation');
 
-    jQuery('#currency-symbols-form').mage('form').mage('validation');
+    /**
+     * Toggle the field to use the default value
+     *
+     * @param {String} code
+     * @param {String} value
+     */
+    function toggleUseDefault(code, value) {
+        var checkbox = jQuery('#custom_currency_symbol_inherit' + code),
+            input = jQuery('#custom_currency_symbol' + code);
 
-    function toggleUseDefault(code, value)
-    {
-        checkbox = $('custom_currency_symbol_inherit'+code);
-        input = $('custom_currency_symbol'+code);
-        if (checkbox.checked) {
-            input.value = value;
-            input.disabled = true;
+        if (checkbox.is(':checked')) {
+            input.val(value);
+            input.prop('disabled', true);
         } else {
-            input.disabled = false;
+            input.prop('disabled', false);
         }
     }
 
 
@@ -81,6 +81,8 @@ protected function _construct()
     }
 
     /**
+     * Adds column filter to collection
+     *
      * @param Column $column
      * @return $this
      */
@@ -105,6 +107,8 @@ protected function _addColumnFilterToCollection($column)
     }
 
     /**
+     * Prepares collection
+     *
      * @return $this
      */
     protected function _prepareCollection()
@@ -117,6 +121,8 @@ protected function _prepareCollection()
     }
 
     /**
+     * Prepares columns
+     *
      * @return $this
      */
     protected function _prepareColumns()
@@ -173,52 +179,51 @@ protected function _prepareColumns()
     }
 
     /**
+     * Gets grid url
+     *
      * @return string
+     * @SuppressWarnings(PHPMD.RequestAwareBlockMethod)
      */
     public function getGridUrl()
     {
-        $roleId = $this->getRequest()->getParam('rid');
+        $roleId =  $this->escapeHtml($this->getRequest()->getParam('rid'));
         return $this->getUrl('*/*/editrolegrid', ['rid' => $roleId]);
     }
 
     /**
+     * Gets users
+     *
      * @param bool $json
      * @return string|array
      */
     public function getUsers($json = false)
     {
-        if ($this->getRequest()->getParam('in_role_user') != "") {
-            return $this->getRequest()->getParam('in_role_user');
+        $inRoleUser = $this->getRequest()->getParam('in_role_user');
+        if ($inRoleUser) {
+            if ($json) {
+                return $this->getJSONString($inRoleUser);
+            }
+            return $this->_escaper->escapeJs($this->escapeHtml($inRoleUser));
         }
-        $roleId = $this->getRequest()->getParam(
-            'rid'
-        ) > 0 ? $this->getRequest()->getParam(
-            'rid'
-        ) : $this->_coreRegistry->registry(
-            'RID'
-        );
-
+        $roleId = $this->getRoleId();
         $users = $this->getUsersFormData();
         if (false === $users) {
             $users = $this->_roleFactory->create()->setId($roleId)->getRoleUsers();
         }
-        if (sizeof($users) > 0) {
+        if (!empty($users)) {
             if ($json) {
                 $jsonUsers = [];
-                foreach ($users as $usrid) {
-                    $jsonUsers[$usrid] = 0;
+                foreach ($users as $userid) {
+                    $jsonUsers[$userid] = 0;
                 }
                 return $this->_jsonEncoder->encode((object)$jsonUsers);
-            } else {
-                return array_values($users);
-            }
-        } else {
-            if ($json) {
-                return '{}';
-            } else {
-                return [];
             }
+            return array_values($users);
+        }
+        if ($json) {
+            return '{}';
         }
+        return [];
     }
 
     /**
@@ -239,6 +244,7 @@ protected function getUsersFormData()
      * Restore Users Form Data from the registry
      *
      * @return array|bool
+     * @SuppressWarnings(PHPMD.DiscouragedFunctionsSniff)
      */
     protected function restoreUsersFormData()
     {
@@ -252,4 +258,30 @@ protected function restoreUsersFormData()
 
         return false;
     }
+
+    /**
+     * Gets role ID
+     *
+     * @return string
+     */
+    private function getRoleId()
+    {
+        $roleId = $this->getRequest()->getParam('rid');
+        if ($roleId <= 0) {
+            $roleId = $this->_coreRegistry->registry('RID');
+        }
+        return $roleId;
+    }
+
+    /**
+     * Gets JSON string
+     *
+     * @param string $input
+     * @return string
+     */
+    private function getJSONString($input)
+    {
+        $output = json_decode($input);
+        return $output ? $this->_jsonEncoder->encode($output) : '{}';
+    }
 }
@@ -7,6 +7,9 @@
 
 use Magento\Backend\Block\Widget\Grid\Column;
 
+/**
+ * Roles grid
+ */
 class Roles extends \Magento\Backend\Block\Widget\Grid\Extended
 {
     /**
@@ -64,6 +67,8 @@ protected function _construct()
     }
 
     /**
+     * Adds column filter to collection
+     *
      * @param Column $column
      * @return $this
      */
@@ -88,6 +93,8 @@ protected function _addColumnFilterToCollection($column)
     }
 
     /**
+     * Prepares collection
+     *
      * @return $this
      */
     protected function _prepareCollection()
@@ -99,6 +106,8 @@ protected function _prepareCollection()
     }
 
     /**
+     * Prepares columns
+     *
      * @return $this
      */
     protected function _prepareColumns()
@@ -122,6 +131,8 @@ protected function _prepareColumns()
     }
 
     /**
+     * Gets grid url
+     *
      * @return string
      */
     public function getGridUrl()
@@ -131,13 +142,20 @@ public function getGridUrl()
     }
 
     /**
+     * Get selected roles
+     *
      * @param bool $json
      * @return array|string
      */
     public function getSelectedRoles($json = false)
     {
-        if ($this->getRequest()->getParam('user_roles') != "") {
-            return $this->getRequest()->getParam('user_roles');
+        $userRoles = $this->getRequest()->getParam('user_roles');
+        if ($userRoles) {
+            if ($json) {
+                $result = json_decode($userRoles);
+                return $result ? $this->_jsonEncoder->encode($result) : '{}';
+            }
+            return $this->_escaper->escapeJs($this->escapeHtml($userRoles));
         }
         /* @var $user \Magento\User\Model\User */
         $user = $this->_coreRegistry->registry('permissions_user');
 
@@ -130,7 +130,6 @@ public function testGetUsersPositiveNumberOfRolesAndJsonFalse()
 
         $this->requestInterfaceMock->expects($this->at(0))->method('getParam')->willReturn("");
         $this->requestInterfaceMock->expects($this->at(1))->method('getParam')->willReturn($roleId);
-        $this->requestInterfaceMock->expects($this->at(2))->method('getParam')->willReturn($roleId);
 
         $this->registryMock->expects($this->once())
             ->method('registry')
@@ -157,7 +156,6 @@ public function testGetUsersPositiveNumberOfRolesAndJsonTrue()
 
         $this->requestInterfaceMock->expects($this->at(0))->method('getParam')->willReturn("");
         $this->requestInterfaceMock->expects($this->at(1))->method('getParam')->willReturn($roleId);
-        $this->requestInterfaceMock->expects($this->at(2))->method('getParam')->willReturn($roleId);
 
         $this->registryMock->expects($this->once())
             ->method('registry')
@@ -182,7 +180,6 @@ public function testGetUsersNoRolesAndJsonFalse()
 
         $this->requestInterfaceMock->expects($this->at(0))->method('getParam')->willReturn("");
         $this->requestInterfaceMock->expects($this->at(1))->method('getParam')->willReturn($roleId);
-        $this->requestInterfaceMock->expects($this->at(2))->method('getParam')->willReturn($roleId);
 
         $this->registryMock->expects($this->once())
             ->method('registry')
@@ -238,4 +235,21 @@ public function testPrepareColumns()
 
         $this->model->toHtml();
     }
+
+    public function testGetUsersCorrectInRoleUser()
+    {
+        $param = 'in_role_user';
+        $paramValue = '{"a":"role1","1":"role2","2":"role3"}';
+        $this->requestInterfaceMock->expects($this->once())->method('getParam')->with($param)->willReturn($paramValue);
+        $this->jsonEncoderMock->expects($this->once())->method('encode')->willReturn($paramValue);
+        $this->assertEquals($paramValue, $this->model->getUsers(true));
+    }
+
+    public function testGetUsersIncorrectInRoleUser()
+    {
+        $param = 'in_role_user';
+        $paramValue = 'not_JSON';
+        $this->requestInterfaceMock->expects($this->once())->method('getParam')->with($param)->willReturn($paramValue);
+        $this->assertEquals('{}', $this->model->getUsers(true));
+    }
 }