Resolve security vulnerability with Synchronize Customers feature

yoshdog · yoshdog · commit 746ccfa26838 · 2020-04-24T11:35:50.000+10:00
All customers are requested to download and instal this release the extension.
diff --git a/src/app/code/community/Zendesk/Zendesk/Helper/Sync.php b/src/app/code/community/Zendesk/Zendesk/Helper/Sync.php
@@ -2,14 +2,14 @@
 
 class Zendesk_Zendesk_Helper_Sync extends Mage_Core_Helper_Abstract {
 
-    public function getCustomerData($customer){
+    public function syncCustomer($customer){
         if(!Mage::getStoreConfig('zendesk/general/customer_sync'))
             return;
 
         $user = null;
-        $email = $customer->getEmail();
-        $origEmail = $customer->getOrigData();
-        $origEmail = $origEmail['email'];
+        $currentEmail = $customer->getEmail();
+        $previousCustomerData = $customer->getOrigData();
+        $previousEmail = $previousCustomerData['email'];
         //Get Customer Group
         $groupId = $customer->getGroupId();
         $group = Mage::getModel('customer/group')->load($groupId);
@@ -48,7 +48,7 @@ public function getCustomerData($customer){
 
         $info['user'] = array(
             "name"          =>  $customer->getFirstname() . " " . $customer->getLastname(),
-            "email"         =>  $email,
+            "email"         =>  $currentEmail,
             "user_fields"       =>  array(
                 "group"         =>  $group->getCode(),
                 "name"          =>  $customer->getFirstname() . " " . $customer->getLastname(),
@@ -59,36 +59,20 @@ public function getCustomerData($customer){
             )
         );
 
-        if($origEmail && $origEmail !== $email) {
-            $user = Mage::getModel('zendesk/api_users')->find($origEmail);
-
-            if(isset($user['id'])) {
-                $data['identity'] = array(
-                    'type'      =>  'email',
-                    'value'     =>  $email,
-                    'verified'  =>  true
-                );
-                $identity = Mage::getModel('zendesk/api_users')->addIdentity($user['id'],$data);
-                if(isset($identity['id'])) {
-                    Mage::getModel('zendesk/api_users')->setPrimaryIdentity($user['id'], $identity['id']);
-                }
+        $user = Mage::getModel('zendesk/api_users')->find($currentEmail);
+        if($previousEmail !== $currentEmail) {
+            if(!isset($user['id'])) {
+                $user = $this->createAccount($info);
             }
         }
-        if(!$user) {
-            $user = Mage::getModel('zendesk/api_users')->find($email);
-        }
 
-        if(isset($user['id'])) {
-            $this->syncData($info);
-        } else {
-            $info['user']['verified'] = true;
-            $user = Mage::getModel('zendesk/api_users')->create($info);
-        }
         return $user;
     }
 
-    private function syncData($info)
+    private function createAccount($data)
     {
-        Mage::getModel('zendesk/api_users')->create($info);
+        $data['user']['verified'] = false;
+        $user = Mage::getModel('zendesk/api_users')->create($data);
+        return $user;
     }
 }
diff --git a/src/app/code/community/Zendesk/Zendesk/Model/Api/Users.php b/src/app/code/community/Zendesk/Zendesk/Model/Api/Users.php
@@ -55,70 +55,64 @@ public function all()
     {
         $page = 1;
         $users = array();
-        
+
         while($page && $response = $this->_call('users.json?page=' . $page)) {
             $users      = array_merge($users, $response['users']);
             $page       = is_null($response['next_page']) ? 0 : $page + 1;
         }
-    
+
         return $users;
     }
-    
+
     public function end($id)
     {
         if(!Zend_Validate::is($id, 'NotEmpty')) {
             throw new InvalidArgumentException('No ID value provided');
         }
-        
+
         $response = $this->_call('end_users/'. $id .'.json');
-        
+
         return (isset($response['user']) ? $response['user'] : null);
     }
-    
+
     public function getIdentities($id)
     {
         $response = $this->_call('users/' . $id . '/identities.json');
         return (isset($response['identities']) ? $response['identities'] : null);
     }
-    
-    public function setPrimaryIdentity($user_id, $identity_id)
-    {
-        $response = $this->_call('users/' . $user_id . '/identities/'.$identity_id.'/make_primary.json', null, 'PUT', null, true);
-        return (isset($response['identities']) ? $response['identities'] : null);
-    }
-    
+
     public function addIdentity($user_id, $data)
     {
         $response = $this->_call('users/' . $user_id . '/identities.json', null, 'POST', $data, true);
         return (isset($response['identity']) ? $response['identity'] : null);
     }
-    
+
     public function update($user_id, $user)
     {
         $response = $this->_call('users/' . $user_id . '.json', null, 'PUT', $user, true);
         return (isset($response['user']) ? $response['user'] : null);
     }
-    
+
     public function create($user)
     {
         $response = $this->_call('users.json', null, 'POST', $user, true);
         return (isset($response['user']) ? $response['user'] : null);
     }
-    
+
     public function createUserField($field)
     {
         $response = $this->_call('user_fields.json', null, 'POST', $field, true);
 
         if(!isset($response['user_field'])) {
             throw new Exception('No User Field specified.');
         }
- 
+
         return $response['user_field'];
     }
 
     /**
      * Fetch all user fields
-     * 
+     *
      * @return array $userFields
      */
     public function getUserFields()
@@ -129,7 +123,7 @@ public function getUserFields()
             $userFields = array_merge($userFields, $response['user_fields']);
             $page       = is_null($response['next_page']) ? 0 : $page + 1;
         }
-    
+
         return $userFields;
     }
 }
diff --git a/src/app/code/community/Zendesk/Zendesk/Model/Customer.php b/src/app/code/community/Zendesk/Zendesk/Model/Customer.php
@@ -14,7 +14,7 @@ public function syncronize(){
             Mage::log('Synchronization started', null, 'zendesk.log');
             try {
                 Mage::log('Synchronizing customer with id '.$customer->getId(), null, 'zendesk.log');
-                $customerData = Mage::helper('zendesk/sync')->getCustomerData($customer);
+                $customerData = Mage::helper('zendesk/sync')->syncCustomer($customer);
                 $zendeskId = $customerData['id'];
                 $customer->setZendeskId($zendeskId);
                 $customer->save();
@@ -25,8 +25,6 @@ public function syncronize(){
                 return;
             }
             Mage::log('Synchronization completed successfully', null, 'zendesk.log');
-
-
         }
     }
 }
diff --git a/src/app/code/community/Zendesk/Zendesk/Model/Observer.php b/src/app/code/community/Zendesk/Zendesk/Model/Observer.php
@@ -104,110 +104,18 @@ public function addTicketButton(Varien_Event_Observer $event)
             ));
         }
     }
-    
+
     public function changeIdentity(Varien_Event_Observer $event)
     {
-        if(!Mage::getStoreConfig('zendesk/general/customer_sync'))
-            return;
-        
-        $user = null;
         $customer = $event->getCustomer();
-        $email = $customer->getEmail();
-        $orig_email = $customer->getOrigData();
-        $orig_email = $orig_email['email'];
-        
-        //Get Customer Group
-        $group_id = $customer->getGroupId();
-        $group = Mage::getModel('customer/group')->load($group_id);
-        
-        //Get Customer Last Login Date
-        $log_customer = Mage::getModel('log/customer')->loadByCustomer($customer); 
-        if ($log_customer->getLoginAt())
-            $logged_in = date("Y-m-d\TH:i:s\Z",strtotime($log_customer->getLoginAt()));
-        else
-            $logged_in = "";
-        
-        //Get Customer Sales Statistics
-        $order_totals = Mage::getResourceModel('sales/order_collection');
-        $lifetime_sale = 0;
-        $average_sale = 0;
-        
-        if (is_object($order_totals)) {
-            $order_totals
-                ->addFieldToFilter('customer_id', $customer->getId())
-                ->addFieldToFilter('status', Mage_Sales_Model_Order::STATE_COMPLETE);
-            
-            $order_totals->getSelect()
-                ->reset(Zend_Db_Select::COLUMNS)
-                ->columns(new Zend_Db_Expr("SUM(grand_total) as total"))
-                ->columns(new Zend_Db_Expr("AVG(grand_total) as avg_total"))
-                ->group('customer_id');
-            
-            if (count($order_totals) > 0) {
-                $sum = (float) $order_totals->getFirstItem()->getTotal();
-                $avg = (float) $order_totals->getFirstItem()->getAvgTotal();
-            
-                $lifetime_sale = Mage::helper('core')->currency($sum, true, false);
-                $average_sale = Mage::helper('core')->currency($avg, true, false);
-            }
-        }
-        
-        $info['user'] = array(
-                "name"          =>  $customer->getFirstname() . " " . $customer->getLastname(),
-                "email"         =>  $email,
-                "user_fields"       =>  array(
-                    "group"         =>  $group->getCode(),
-                    "name"          =>  $customer->getFirstname() . " " . $customer->getLastname(),
-                    "id"            =>  $customer->getId(),
-                    "logged_in"     =>  $logged_in,
-                    "average_sale"  =>  $average_sale,
-                    "lifetime_sale" =>  $lifetime_sale
-                )
-            ); 
-        
-        if($orig_email && $orig_email !== $email) {
-            $user = Mage::getModel('zendesk/api_users')->find($orig_email);
-            
-            if(isset($user['id'])) {
-                $data['identity'] = array(
-                    'type'      =>  'email',
-                    'value'     =>  $email,
-                    'verified'  =>  true
-                );
-                $identity = Mage::getModel('zendesk/api_users')->addIdentity($user['id'],$data);
-                if(isset($identity['id'])) {
-                    Mage::getModel('zendesk/api_users')->setPrimaryIdentity($user['id'], $identity['id']);
-                }
-            }
-        }
-
-        if(!$user) {
-            $user = Mage::getModel('zendesk/api_users')->find($email);
-        }
-        
-        if(isset($user['id'])) {
-            $this->syncData($user['id'], $info);
-        } else {
-            $info['user']['verified'] = true;
-            $this->createAccount($info);
-        }
-    }
-    
-    public function syncData($user_id, $data)
-    {
-        Mage::getModel('zendesk/api_users')->update($user_id, $data);
+        Mage::helper('zendesk/sync')->syncCustomer($customer);
     }
-    
-    public function createAccount($data)
-    {
-        Mage::getModel('zendesk/api_users')->create($data);
-    }
-    
+
     public function checkSsoRedirect($user)
     {
         if (
-            Mage::helper('zendesk')->isSSOAdminUsersEnabled() && 
-            Mage::app()->getRequest()->getControllerName() === 'zendesk' && 
+            Mage::helper('zendesk')->isSSOAdminUsersEnabled() &&
+            Mage::app()->getRequest()->getControllerName() === 'zendesk' &&
             Mage::app()->getRequest()->getActionName() === 'authenticate'
         ) {
             Mage::app()->getResponse()

Original file line number	Diff line number	Diff line change
`@@ -55,70 +55,64 @@ public function all()`
`55`	`55`	`{`
`56`	`56`	`$page = 1;`
`57`	`57`	`$users = array();`
`58`		`-`
	`58`	`+`
`59`	`59`	`while($page && $response = $this->_call('users.json?page=' . $page)) {`
`60`	`60`	`$users = array_merge($users, $response['users']);`
`61`	`61`	`$page = is_null($response['next_page']) ? 0 : $page + 1;`
`62`	`62`	`}`
`63`		`-`
	`63`	`+`
`64`	`64`	`return $users;`
`65`	`65`	`}`
`66`		`-`
	`66`	`+`
`67`	`67`	`public function end($id)`
`68`	`68`	`{`
`69`	`69`	`if(!Zend_Validate::is($id, 'NotEmpty')) {`
`70`	`70`	`throw new InvalidArgumentException('No ID value provided');`
`71`	`71`	`}`
`72`		`-`
	`72`	`+`
`73`	`73`	`$response = $this->_call('end_users/'. $id .'.json');`
`74`		`-`
	`74`	`+`
`75`	`75`	`return (isset($response['user']) ? $response['user'] : null);`
`76`	`76`	`}`
`77`		`-`
	`77`	`+`
`78`	`78`	`public function getIdentities($id)`
`79`	`79`	`{`
`80`	`80`	`$response = $this->_call('users/' . $id . '/identities.json');`
`81`	`81`	`return (isset($response['identities']) ? $response['identities'] : null);`
`82`	`82`	`}`
`83`		`-`
`84`		`- public function setPrimaryIdentity($user_id, $identity_id)`
`85`		`- {`
`86`		`- $response = $this->_call('users/' . $user_id . '/identities/'.$identity_id.'/make_primary.json', null, 'PUT', null, true);`
`87`		`- return (isset($response['identities']) ? $response['identities'] : null);`
`88`		`- }`
`89`		`-`
	`83`	`+`
`90`	`84`	`public function addIdentity($user_id, $data)`
`91`	`85`	`{`
`92`	`86`	`$response = $this->_call('users/' . $user_id . '/identities.json', null, 'POST', $data, true);`
`93`	`87`	`return (isset($response['identity']) ? $response['identity'] : null);`
`94`	`88`	`}`
`95`		`-`
	`89`	`+`
`96`	`90`	`public function update($user_id, $user)`
`97`	`91`	`{`
`98`	`92`	`$response = $this->_call('users/' . $user_id . '.json', null, 'PUT', $user, true);`
`99`	`93`	`return (isset($response['user']) ? $response['user'] : null);`
`100`	`94`	`}`
`101`		`-`
	`95`	`+`
`102`	`96`	`public function create($user)`
`103`	`97`	`{`
`104`	`98`	`$response = $this->_call('users.json', null, 'POST', $user, true);`
`105`	`99`	`return (isset($response['user']) ? $response['user'] : null);`
`106`	`100`	`}`
`107`		`-`
	`101`	`+`
`108`	`102`	`public function createUserField($field)`
`109`	`103`	`{`
`110`	`104`	`$response = $this->_call('user_fields.json', null, 'POST', $field, true);`
`111`	`105`
`112`	`106`	`if(!isset($response['user_field'])) {`
`113`	`107`	`throw new Exception('No User Field specified.');`
`114`	`108`	`}`
`115`		`-`
	`109`	`+`
`116`	`110`	`return $response['user_field'];`
`117`	`111`	`}`
`118`	`112`
`119`	`113`	`/**`
`120`	`114`	`* Fetch all user fields`
`121`		`- *`
	`115`	`+ *`
`122`	`116`	`* @return array $userFields`
`123`	`117`	`*/`
`124`	`118`	`public function getUserFields()`
`@@ -129,7 +123,7 @@ public function getUserFields()`
`129`	`123`	`$userFields = array_merge($userFields, $response['user_fields']);`
`130`	`124`	`$page = is_null($response['next_page']) ? 0 : $page + 1;`
`131`	`125`	`}`
`132`		`-`
	`126`	`+`
`133`	`127`	`return $userFields;`
`134`	`128`	`}`
`135`	`129`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ public function syncronize(){`
`14`	`14`	`Mage::log('Synchronization started', null, 'zendesk.log');`
`15`	`15`	`try {`
`16`	`16`	`Mage::log('Synchronizing customer with id '.$customer->getId(), null, 'zendesk.log');`
`17`		`- $customerData = Mage::helper('zendesk/sync')->getCustomerData($customer);`
	`17`	`+ $customerData = Mage::helper('zendesk/sync')->syncCustomer($customer);`
`18`	`18`	`$zendeskId = $customerData['id'];`
`19`	`19`	`$customer->setZendeskId($zendeskId);`
`20`	`20`	`$customer->save();`
`@@ -25,8 +25,6 @@ public function syncronize(){`
`25`	`25`	`return;`
`26`	`26`	`}`
`27`	`27`	`Mage::log('Synchronization completed successfully', null, 'zendesk.log');`
`28`		`-`
`29`		`-`
`30`	`28`	`}`
`31`	`29`	`}`
`32`	`30`	`}`