ACP2E-1513: Customer suspects IDOR vulnerability

Anna Bukatar · Anna Bukatar · commit f84b45ac6edd · 2023-01-13T17:01:31.000-08:00
diff --git a/dev/tests/api-functional/testsuite/Magento/GraphQl/Quote/Customer/RemoveItemFromCartTest.php b/dev/tests/api-functional/testsuite/Magento/GraphQl/Quote/Customer/RemoveItemFromCartTest.php
@@ -7,6 +7,7 @@
 
 namespace Magento\GraphQl\Quote\Customer;
 
+use Magento\TestFramework\TestCase\GraphQl\ResponseContainsErrorsException;
 use Magento\GraphQl\Quote\GetMaskedQuoteIdByReservedOrderId;
 use Magento\GraphQl\Quote\GetQuoteItemIdByReservedQuoteIdAndSku;
 use Magento\Integration\Api\CustomerTokenServiceInterface;
@@ -147,13 +148,56 @@ public function testRemoveItemFromAnotherCustomerCart()
             'test_quote',
             'simple_product'
         );
+        $query = $this->getQuery($anotherCustomerQuoteMaskedId, $anotherCustomerQuoteItemId);
 
-        $this->expectExceptionMessage(
-            "The current user cannot perform operations on cart \"$anotherCustomerQuoteMaskedId\""
-        );
+        try {
+            $this->graphQlMutation(
+                $query,
+                [],
+                '',
+                $this->getHeaderMap('customer2@search.example.com')
+            );
+            $this->fail('ResponseContainsErrorsException was not thrown');
+        } catch (ResponseContainsErrorsException $e) {
+            $this->assertStringContainsString(
+                "The current user cannot perform operations on cart \"$anotherCustomerQuoteMaskedId\"",
+                $e->getMessage()
+            );
+            $cartQuery = $this->getCartQuery($anotherCustomerQuoteMaskedId);
+            $cart = $this->graphQlQuery(
+                $cartQuery,
+                [],
+                '',
+                $this->getHeaderMap('customer@search.example.com')
+            );
+            $this->assertTrue(count($cart['cart']['items']) > 0, 'The cart is empty');
+            $this->assertTrue(
+                $cart['cart']['items'][0]['product']['sku'] === 'simple_product',
+                'The cart doesn\'t contain product'
+            );
+        }
+    }
 
-        $query = $this->getQuery($anotherCustomerQuoteMaskedId, $anotherCustomerQuoteItemId);
-        $this->graphQlMutation($query, [], '', $this->getHeaderMap('customer2@search.example.com'));
+    /**
+     * @param string $maskedQuoteId
+     * @return string
+     */
+    private function getCartQuery(string $maskedQuoteId): string
+    {
+        return <<<QUERY
+{
+  cart(cart_id: "{$maskedQuoteId}") {
+    id
+    items {
+      id
+      quantity
+      product {
+        sku
+      }
+    }
+  }
+}
+QUERY;
     }
 
     /**
