MC-41363: Customer API improvement

Author: OlgaVasyltsun

app/code/Magento/Customer/Model/Plugin/UpdateCustomer.php

@@ -11,6 +11,8 @@
 use Magento\Framework\Webapi\Rest\Request as RestRequest;
 use Magento\Customer\Api\Data\CustomerInterface;
 use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Customer\Model\Session;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * Update customer by id from request param
@@ -22,12 +24,22 @@ class UpdateCustomer
      */
     private $request;
 
+    /**
+     * @var Session
+     */
+    private $session;
+
     /**
      * @param RestRequest $request
+     * @param Session|null $session
      */
-    public function __construct(RestRequest $request)
-    {
+    public function __construct(
+        RestRequest $request,
+        Session $session = null
+    ) {
         $this->request = $request;
+        $this->session = $session ?: ObjectManager::getInstance()
+            ->get(Session::class);
     }
 
     /**
@@ -45,7 +57,7 @@ public function beforeSave(
     ): array {
         $customerId = $this->request->getParam('customerId');
 
-        if ($customerId) {
+        if ($customerId && $customerId === $this->session->getData('customer_id')) {
             $customer = $this->getUpdatedCustomer($customerRepository->getById($customerId), $customer);
         }
 

dev/tests/api-functional/testsuite/Magento/Customer/Api/AccountManagementMeTest.php

@@ -388,4 +388,27 @@ protected function resetTokenForCustomer($username, $password)
         $this->token = $this->tokenService->createCustomerAccessToken($username, $password);
         $this->customerRegistry->remove($this->customerRepository->get($username)->getId());
     }
+
+    /**
+     * @magentoApiDataFixture Magento/Customer/_files/customer_one_address.php
+     */
+    public function testGetOtherCustomerInfo()
+    {
+        $serviceInfo = [
+            'rest' => [
+                'resourcePath' => "/V1/customers/me?customerId=1",
+                'httpMethod' => \Magento\Framework\Webapi\Rest\Request::HTTP_METHOD_PUT,
+                'token' => $this->token,
+            ]
+        ];
+        $requestData = ['customer' => ["id" => "-1", "Id" => "1"]];
+        try {
+            $this->_webApiCall($serviceInfo, $requestData);
+        } catch (\Throwable $exception) {
+            if ($restResponse = json_decode($exception->getMessage(), true)) {
+                $exceptionMessage = $restResponse['message'];
+            }
+        }
+        $this->assertEquals('The customer email is missing. Enter and try again.', $exceptionMessage);
+    }
 }