Merge MAGETWO-92724 into 2.1.16-bugfixes-261018

Author: dvoskoboinikov

app/code/Magento/Customer/Block/Adminhtml/Group/Edit.php

@@ -57,6 +57,8 @@ public function __construct(
      * Update Save and Delete buttons. Remove Delete button if group can't be deleted.
      *
      * @return void
+     * @throws \Magento\Framework\Exception\LocalizedException
+     * @throws \Magento\Framework\Exception\NoSuchEntityException
      */
     protected function _construct()
     {
@@ -68,6 +70,23 @@ protected function _construct()
 
         $this->buttonList->update('save', 'label', __('Save Customer Group'));
         $this->buttonList->update('delete', 'label', __('Delete Customer Group'));
+        $this->buttonList->update(
+            'delete',
+            'onclick',
+            sprintf(
+                "deleteConfirm('%s','%s', %s)",
+                'Are you sure?',
+                $this->getDeleteUrl(),
+                json_encode(
+                    [
+                        'action' => '',
+                        'data' => [
+                            'form_key' => $this->getFormKey()
+                        ]
+                    ]
+                )
+            )
+        );
 
         $groupId = $this->coreRegistry->registry(RegistryConstants::CURRENT_GROUP_ID);
         if (!$groupId || $this->groupManagement->isReadonly($groupId)) {

app/code/Magento/Customer/Controller/Adminhtml/Group/Delete.php

@@ -7,16 +7,22 @@
 namespace Magento\Customer\Controller\Adminhtml\Group;
 
 use Magento\Framework\Exception\NoSuchEntityException;
+use Magento\Framework\Exception\NotFoundException;
 
 class Delete extends \Magento\Customer\Controller\Adminhtml\Group
 {
     /**
      * Delete customer group.
      *
      * @return \Magento\Backend\Model\View\Result\Redirect
+     * @throws NotFoundException
      */
     public function execute()
     {
+        if (!$this->getRequest()->isPost()) {
+            throw new NotFoundException(__('Page not found'));
+        }
+
         $id = $this->getRequest()->getParam('id');
         /** @var \Magento\Backend\Model\View\Result\Redirect $resultRedirect */
         $resultRedirect = $this->resultRedirectFactory->create();

dev/tests/integration/testsuite/Magento/Customer/Controller/Adminhtml/GroupTest.php

@@ -7,6 +7,7 @@
 
 use Magento\Framework\Message\MessageInterface;
 use Magento\TestFramework\Helper\Bootstrap;
+use Magento\Framework\Data\Form\FormKey;
 
 /**
  * @magentoAppArea adminhtml
@@ -80,6 +81,10 @@ public function testNewActionWithCustomerGroupDataInSession()
      */
     public function testDeleteActionNoGroupId()
     {
+        /** @var FormKey $formKey */
+        $formKey = $this->_objectManager->get(FormKey::class);
+        $this->getRequest()->setMethod('POST');
+        $this->getRequest()->setParam('form_key', $formKey->getFormKey());
         $this->dispatch('backend/customer/group/delete');
         $this->assertRedirect($this->stringStartsWith(self::BASE_CONTROLLER_URL));
     }
@@ -90,9 +95,16 @@ public function testDeleteActionNoGroupId()
     public function testDeleteActionExistingGroup()
     {
         $groupId = $this->findGroupIdWithCode(self::CUSTOMER_GROUP_CODE);
-        $this->getRequest()->setParam('id', $groupId);
+        /** @var FormKey $formKey */
+        $formKey = $this->_objectManager->get(FormKey::class);
+        $this->getRequest()->setMethod('POST');
+        $this->getRequest()->setParams(
+            [
+                'id' => $groupId,
+                'form_key' => $formKey->getFormKey()
+            ]
+        );
         $this->dispatch('backend/customer/group/delete');
-
         /**
          * Check that success message is set
          */
@@ -108,9 +120,16 @@ public function testDeleteActionExistingGroup()
      */
     public function testDeleteActionNonExistingGroupId()
     {
-        $this->getRequest()->setParam('id', 10000);
+        /** @var FormKey $formKey */
+        $formKey = $this->_objectManager->get(FormKey::class);
+        $this->getRequest()->setMethod('POST');
+        $this->getRequest()->setParams(
+            [
+                'id' => 10000,
+                'form_key' => $formKey->getFormKey()
+            ]
+        );
         $this->dispatch('backend/customer/group/delete');
-
         /**
          * Check that error message is set
          */