Merge pull request #7447 from magento-cia/2.4.5-bugfixes-020822

Bugfixes

Author: admanesachin

app/code/Magento/Checkout/Model/DefaultConfigProvider.php

@@ -31,6 +31,7 @@
 use Magento\Quote\Model\QuoteIdMaskFactory;
 use Magento\Store\Model\ScopeInterface;
 use Magento\Ui\Component\Form\Element\Multiline;
+use Magento\Framework\Escaper;
 
 /**
  * Default Config Provider for checkout
@@ -191,6 +192,11 @@ class DefaultConfigProvider implements ConfigProviderInterface
      */
     private $configPostProcessor;
 
+    /**
+     * @var Escaper
+     */
+    private $escaper;
+
     /**
      * @param CheckoutHelper $checkoutHelper
      * @param Session $checkoutSession
@@ -222,6 +228,7 @@ class DefaultConfigProvider implements ConfigProviderInterface
      * @param AddressMetadataInterface $addressMetadata
      * @param AttributeOptionManagementInterface $attributeOptionManager
      * @param CustomerAddressDataProvider|null $customerAddressData
+     * @param Escaper|null $escaper
      * @codeCoverageIgnore
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
@@ -255,7 +262,8 @@ public function __construct(
         CaptchaConfigPostProcessorInterface $configPostProcessor,
         AddressMetadataInterface $addressMetadata = null,
         AttributeOptionManagementInterface $attributeOptionManager = null,
-        CustomerAddressDataProvider $customerAddressData = null
+        CustomerAddressDataProvider $customerAddressData = null,
+        Escaper $escaper = null
     ) {
         $this->checkoutHelper = $checkoutHelper;
         $this->checkoutSession = $checkoutSession;
@@ -289,6 +297,7 @@ public function __construct(
         $this->customerAddressData = $customerAddressData ?:
             ObjectManager::getInstance()->get(CustomerAddressDataProvider::class);
         $this->configPostProcessor = $configPostProcessor;
+        $this->escaper = $escaper ?? ObjectManager::getInstance()->get(Escaper::class);
     }
 
     /**
@@ -343,6 +352,7 @@ public function getConfig()
             'shipping/shipping_policy/shipping_policy_content',
             ScopeInterface::SCOPE_STORE
         );
+        $policyContent = $this->escaper->escapeHtml($policyContent);
         $output['shippingPolicy'] = [
             'isEnabled' => $this->scopeConfig->isSetFlag(
                 'shipping/shipping_policy/enable_shipping_policy',

app/code/Magento/Customer/Controller/Account/Confirmation.php

@@ -3,6 +3,8 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
+
 namespace Magento\Customer\Controller\Account;
 
 use Magento\Customer\Api\AccountManagementInterface;
@@ -13,22 +15,26 @@
 use Magento\Framework\App\Action\HttpPostActionInterface as HttpPostActionInterface;
 use Magento\Framework\App\Action\Context;
 use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Controller\Result\Redirect;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Exception\State\InvalidTransitionException;
+use Magento\Framework\View\Result\Page;
 use Magento\Framework\View\Result\PageFactory;
 use Magento\Store\Model\StoreManagerInterface;
 
 /**
- * Class Confirmation. Send confirmation link to specified email
+ * Send confirmation link to specified email
  */
 class Confirmation extends AbstractAccount implements HttpGetActionInterface, HttpPostActionInterface
 {
     /**
-     * @var \Magento\Store\Model\StoreManagerInterface
+     * @var StoreManagerInterface
      */
     protected $storeManager;
 
     /**
-     * @var \Magento\Customer\Api\AccountManagementInterface
+     * @var AccountManagementInterface
      */
     protected $customerAccountManagement;
 
@@ -53,7 +59,7 @@ class Confirmation extends AbstractAccount implements HttpGetActionInterface, Ht
      * @param PageFactory $resultPageFactory
      * @param StoreManagerInterface $storeManager
      * @param AccountManagementInterface $customerAccountManagement
-     * @param Url $customerUrl
+     * @param Url|null $customerUrl
      */
     public function __construct(
         Context $context,
@@ -74,48 +80,52 @@ public function __construct(
     /**
      * Send confirmation link to specified email
      *
-     * @return \Magento\Framework\Controller\Result\Redirect|\Magento\Framework\View\Result\Page
+     * @return Redirect|Page
+     * @throws LocalizedException
      */
     public function execute()
     {
         if ($this->session->isLoggedIn()) {
-            /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
-            $resultRedirect = $this->resultRedirectFactory->create();
-            $resultRedirect->setPath('*/*/');
-            return $resultRedirect;
+            return $this->getRedirect('*/*/');
         }
 
-        // try to confirm by email
         $email = $this->getRequest()->getPost('email');
-        if ($email) {
-            /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
-            $resultRedirect = $this->resultRedirectFactory->create();
 
+        if ($email) {
             try {
                 $this->customerAccountManagement->resendConfirmation(
                     $email,
                     $this->storeManager->getStore()->getWebsiteId()
                 );
                 $this->messageManager->addSuccessMessage(__('Please check your email for confirmation key.'));
+                return $this->getRedirect('*/*/index', ['_secure' => true]);
             } catch (InvalidTransitionException $e) {
                 $this->messageManager->addSuccessMessage(__('This email does not require confirmation.'));
-            } catch (\Exception $e) {
-                $this->messageManager->addExceptionMessage($e, __('Wrong email.'));
-                $resultRedirect->setPath('*/*/*', ['email' => $email, '_secure' => true]);
-                return $resultRedirect;
+                return $this->getRedirect('*/*/index', ['_secure' => true]);
+            } catch (NoSuchEntityException $e) {
+                $this->messageManager->addErrorMessage(__('Wrong email.'));
             }
-            $this->session->setUsername($email);
-            $resultRedirect->setPath('*/*/index', ['_secure' => true]);
-            return $resultRedirect;
         }
 
-        /** @var \Magento\Framework\View\Result\Page $resultPage */
         $resultPage = $this->resultPageFactory->create();
-        $resultPage->getLayout()->getBlock('accountConfirmation')->setEmail(
-            $this->getRequest()->getParam('email', $email)
-        )->setLoginUrl(
-            $this->customerUrl->getLoginUrl()
-        );
+        $resultPage->getLayout()->getBlock('accountConfirmation')
+            ->setEmail($email)
+            ->setLoginUrl($this->customerUrl->getLoginUrl());
         return $resultPage;
     }
+
+    /**
+     * Returns redirect object
+     *
+     * @param string $path
+     * @param array $params
+     * @return Redirect
+     */
+    private function getRedirect(string $path, array $params = []): Redirect
+    {
+        $resultRedirect = $this->resultRedirectFactory->create();
+        $resultRedirect->setPath($path, $params);
+
+        return $resultRedirect;
+    }
 }

app/code/Magento/Customer/Model/Plugin/UpdateCustomer.php

@@ -11,6 +11,8 @@
 use Magento\Framework\Webapi\Rest\Request as RestRequest;
 use Magento\Customer\Api\Data\CustomerInterface;
 use Magento\Customer\Api\CustomerRepositoryInterface;
+use Magento\Authorization\Model\UserContextInterface;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * Update customer by id from request param
@@ -22,12 +24,19 @@ class UpdateCustomer
      */
     private $request;
 
+    /**
+     * @var UserContextInterface
+     */
+    private $userContext;
+
     /**
      * @param RestRequest $request
+     * @param UserContextInterface|null $userContext
      */
-    public function __construct(RestRequest $request)
+    public function __construct(RestRequest $request, ?UserContextInterface $userContext = null)
     {
         $this->request = $request;
+        $this->userContext = $userContext ?? ObjectManager::getInstance()->get(UserContextInterface::class);
     }
 
     /**
@@ -43,10 +52,14 @@ public function beforeSave(
         CustomerInterface $customer,
         ?string $passwordHash = null
     ): array {
-        $customerId = $this->request->getParam('customerId');
+        $customerSessionId = $this->userContext->getUserType() === $this->userContext::USER_TYPE_CUSTOMER ?
+                             (int)$this->userContext->getUserId() : 0;
+        $customerId = (int)$this->request->getParam('customerId');
         $bodyParams = $this->request->getBodyParams();
         if (!isset($bodyParams['customer']['Id']) && $customerId) {
-            $customer = $this->getUpdatedCustomer($customerRepository->getById($customerId), $customer);
+            if ($customerId === $customerSessionId || $customerSessionId === 0) {
+                $customer = $this->getUpdatedCustomer($customerRepository->getById($customerId), $customer);
+            }
         }
 
         return [$customer, $passwordHash];

app/code/Magento/Quote/Plugin/Webapi/Controller/Rest/ValidateQuoteData.php

@@ -0,0 +1,56 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+namespace Magento\Quote\Plugin\Webapi\Controller\Rest;
+
+use Magento\Webapi\Controller\Rest\ParamsOverrider;
+
+/**
+ * Validates Quote Data
+ */
+class ValidateQuoteData
+{
+    private const QUOTE_KEY = 'quote';
+
+    /**
+     * Before Overriding to validate data
+     *
+     * @param ParamsOverrider $subject
+     * @param array $inputData
+     * @param array $parameters
+     * @return array[]
+     *
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+
+    public function beforeOverride(ParamsOverrider $subject, array $inputData, array $parameters): array
+    {
+        if (isset($inputData[self:: QUOTE_KEY])) {
+            $inputData[self:: QUOTE_KEY] = $this->validateInputData($inputData[self:: QUOTE_KEY]);
+        };
+        return [$inputData, $parameters];
+    }
+
+    /**
+     * Validates InputData
+     *
+     * @param array $inputData
+     * @return array
+     */
+    private function validateInputData(array $inputData): array
+    {
+        $result = [];
+
+        $data = array_filter($inputData, function ($k) use (&$result) {
+            $key = is_string($k) ? strtolower($k) : $k;
+            return !isset($result[$key]) && ($result[$key] = true);
+        }, ARRAY_FILTER_USE_KEY);
+
+        return array_map(function ($value) {
+            return is_array($value) ? $this->validateInputData($value) : $value;
+        }, $data);
+    }
+}

app/code/Magento/Quote/Test/Unit/Plugin/Webapi/Controller/Rest/ValidateQuoteDataTest.php

@@ -0,0 +1,113 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Quote\Test\Unit\Plugin\Webapi\Controller\Rest;
+
+use Exception;
+use Magento\Framework\App\ObjectManager;
+use Magento\Quote\Plugin\Webapi\Controller\Rest\ValidateQuoteData;
+use PHPUnit\Framework\TestCase;
+use ReflectionClass;
+
+/**
+ * Unit test for ValidateQuoteData plugin
+ */
+class ValidateQuoteDataTest extends TestCase
+{
+
+    /**
+     * @var ValidateQuoteData
+     */
+    private $validateQuoteDataObject;
+
+    /**
+     * @var ReflectionClass
+     *
+     */
+    private $reflectionObject;
+
+    /**
+     * @inheritdoc
+     */
+    protected function setUp(): void
+    {
+        $this->validateQuoteDataObject = ObjectManager::getInstance()->get(ValidateQuoteData::class);
+        $this->reflectionObject = new ReflectionClass(get_class($this->validateQuoteDataObject));
+    }
+    /**
+     * Test if the quote array is valid
+     *
+     * @param array $array
+     * @param array $result
+     * @dataProvider dataProviderInputData
+     * @throws Exception
+     */
+    public function testValidateInputData(array $array, array $result)
+    {
+        $this->assertEquals(
+            $result,
+            $this->invokeValidateInputData('validateInputData', [$array])
+        );
+    }
+
+    /**
+     * @param string $methodName
+     * @param array $arguments
+     * @return mixed
+     * @throws Exception
+     */
+    private function invokeValidateInputData(string $methodName, array $arguments = [])
+    {
+        $validateInputDataMethod = $this->reflectionObject->getMethod($methodName);
+        $validateInputDataMethod->setAccessible(true);
+        return $validateInputDataMethod->invokeArgs($this->validateQuoteDataObject, $arguments);
+    }
+
+    /**
+     * @return array
+     */
+    public function dataProviderInputData(): array
+    {
+        return [
+            [
+                ['person' =>
+                    [
+                        'id' => -1,
+                        'Id' => 1,
+                        'name' =>
+                            [
+                                'firstName' => 'John',
+                                'LastName' => 'S'
+                            ],
+                        'isHavingVehicle' => 1,
+                        'address' =>
+                            [
+                                'street' => '4th Street',
+                                'Street' => '2nd Street',
+                                'city' => 'Atlanta'
+                            ],
+                    ]
+                ],
+                ['person' =>
+                    [
+                        'id' => -1,
+                        'name' =>
+                            [
+                                'firstName' => 'John',
+                                'LastName' => 'S'
+                            ],
+                        'isHavingVehicle' => 1,
+                        'address' =>
+                            [
+                                'street' => '4th Street',
+                                'city' => 'Atlanta'
+                            ],
+                    ]
+                ],
+            ]
+        ];
+    }
+}