ACP2E-1776: Creating customer(-s) via Async REST API ignores group_id

Author: AnujNehra

app/code/Magento/Customer/Plugin/AccountManagementApi.php

@@ -0,0 +1,66 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Customer\Plugin;
+
+use Magento\Customer\Api\Data\CustomerInterface;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\Exception\AuthorizationException;
+use Magento\Customer\Model\AccountManagementApi as SubjectAccountManagementApi;
+
+/**
+ * Plugin to validate anonymous request for synchronous operations contains group id.
+ */
+class AccountManagementApi
+{
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Customer::manage';
+
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     *
+     * @param AuthorizationInterface|null $authorization
+     */
+    public function __construct(
+        AuthorizationInterface $authorization = null
+    ) {
+        $objectManager = ObjectManager::getInstance();
+        $this->authorization = $authorization ?? $objectManager->get(AuthorizationInterface::class);
+    }
+
+    /**
+     * Validate groupId for anonymous request
+     *
+     * @param SubjectAccountManagementApi $subjectAccountManagementApi
+     * @param CustomerInterface $customer
+     * @return void
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     * @throws AuthorizationException
+     */
+    public function beforeCreateAccount(
+        SubjectAccountManagementApi $subjectAccountManagementApi,
+        CustomerInterface $customer
+    ): void {
+        $groupId = $customer->getGroupId();
+        if (isset($groupId) && !$this->authorization->isAllowed(self::ADMIN_RESOURCE)) {
+            $params = ['resources' => self::ADMIN_RESOURCE];
+            throw new AuthorizationException(
+                __("The consumer isn't authorized to access %resources.", $params)
+            );
+        }
+    }
+}

app/code/Magento/Customer/etc/di.xml

@@ -585,4 +585,9 @@
             </argument>
         </arguments>
     </type>
+    <type name="Magento\Customer\Model\AccountManagementApi">
+        <plugin name="anonymousRequestForSynchronousOperations"
+                type="Magento\Customer\Plugin\AccountManagementApi"
+        />
+    </type>
 </config>

app/code/Magento/WebapiAsync/Plugin/AsynchronousOperations/MassSchedule.php

@@ -15,7 +15,7 @@
 use Magento\AsynchronousOperations\Model\MassSchedule as SubjectMassSchedule;
 
 /**
- * Plugin to check anonymous request contains group id.
+ * Plugin to validate anonymous request for asynchronous operations contains group id.
  */
 class MassSchedule
 {

app/code/Magento/WebapiAsync/composer.json

@@ -9,7 +9,8 @@
         "magento/framework": "*",
         "magento/module-webapi": "*",
         "magento/module-asynchronous-operations": "*",
-        "magento/module-store": "*"
+        "magento/module-store": "*",
+        "magento/module-customer": "*"
     },
     "suggest": {
         "magento/module-user": "*",