Merge branch 'ACP2E-3215' of https://github.com/adobe-commerce-tier-4/magento2ce into PR-10-01-2024

Author: chittima

app/code/Magento/CustomerGraphQl/Model/Context/AddUserInfoToContext.php

@@ -9,11 +9,13 @@
 
 use Magento\Authorization\Model\UserContextInterface;
 use Magento\Customer\Api\Data\CustomerInterface;
+use Magento\Customer\Model\Config\Share;
 use Magento\Customer\Model\ResourceModel\CustomerRepository;
 use Magento\Customer\Model\Session;
 use Magento\Framework\ObjectManager\ResetAfterRequestInterface;
 use Magento\GraphQl\Model\Query\ContextParametersInterface;
 use Magento\GraphQl\Model\Query\UserContextParametersProcessorInterface;
+use Magento\Store\Model\StoreManagerInterface;
 
 /**
  * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
@@ -40,20 +42,35 @@ class AddUserInfoToContext implements UserContextParametersProcessorInterface, R
      */
     private $customerRepository;
 
+    /**
+     * @var Share
+     */
+    private $configShare;
+
+    /**
+     * @var StoreManagerInterface
+     */
+    private $storeManager;
     /**
      * @param UserContextInterface $userContext
      * @param Session $session
      * @param CustomerRepository $customerRepository
+     * @param Share $configShare
+     * @param StoreManagerInterface $storeManager
      */
     public function __construct(
         UserContextInterface $userContext,
         Session $session,
-        CustomerRepository $customerRepository
+        CustomerRepository $customerRepository,
+        Share $configShare,
+        StoreManagerInterface $storeManager
     ) {
         $this->userContext = $userContext;
         $this->userContextFromConstructor = $userContext;
         $this->session = $session;
         $this->customerRepository = $customerRepository;
+        $this->configShare = $configShare;
+        $this->storeManager = $storeManager;
     }
 
     /**
@@ -119,8 +136,14 @@ public function getLoggedInCustomerData(): ?CustomerInterface
      */
     private function isCustomer(?int $customerId, ?int $customerType): bool
     {
-        return !empty($customerId)
+        $result = !empty($customerId)
             && !empty($customerType)
             && $customerType === UserContextInterface::USER_TYPE_CUSTOMER;
+
+        if ($result && $this->configShare->isWebsiteScope()) {
+            $customer = $this->customerRepository->getById($customerId);
+            return (int)$customer->getWebsiteId() === (int)$this->storeManager->getStore()->getWebsiteId();
+        }
+        return $result;
     }
 }

dev/tests/api-functional/testsuite/Magento/GraphQl/Quote/Customer/GetCustomerCartTest.php

@@ -7,9 +7,18 @@
 
 namespace Magento\GraphQl\Quote\Customer;
 
-use Exception;
+use Magento\Catalog\Helper\Data;
+use Magento\Catalog\Test\Fixture\Product as ProductFixture;
+use Magento\Customer\Test\Fixture\Customer;
 use Magento\GraphQl\Quote\GetMaskedQuoteIdByReservedOrderId;
 use Magento\Integration\Api\CustomerTokenServiceInterface;
+use Magento\Store\Test\Fixture\Group as StoreGroupFixture;
+use Magento\Store\Test\Fixture\Store as StoreFixture;
+use Magento\Store\Test\Fixture\Website as WebsiteFixture;
+use Magento\TestFramework\Fixture\Config;
+use Magento\TestFramework\Fixture\DataFixture;
+use Magento\TestFramework\Fixture\DataFixtureStorage;
+use Magento\TestFramework\Fixture\DataFixtureStorageManager;
 use Magento\TestFramework\Helper\Bootstrap;
 use Magento\Quote\Model\ResourceModel\Quote\Collection;
 use Magento\Framework\ObjectManagerInterface;
@@ -35,11 +44,17 @@ class GetCustomerCartTest extends GraphQlAbstract
      */
     private $objectManager;
 
+    /**
+     * @var DataFixtureStorage;
+     */
+    private $fixtures;
+
     protected function setUp(): void
     {
         $this->objectManager = Bootstrap::getObjectManager();
         $this->getMaskedQuoteIdByReservedOrderId = $this->objectManager->get(GetMaskedQuoteIdByReservedOrderId::class);
         $this->customerTokenService = $this->objectManager->get(CustomerTokenServiceInterface::class);
+        $this->fixtures = $this->objectManager->get(DataFixtureStorageManager::class)->getStorage();
     }
 
     /**
@@ -133,6 +148,41 @@ public function testGetCustomerCartWithNoCustomerToken()
         $this->graphQlQuery($customerCartQuery);
     }
 
+    /**
+     * Test graphql customer cart should expect an exception when customer doesn't belong to given website
+     */
+    #[
+        DataFixture(WebsiteFixture::class, as: 'website2'),
+        DataFixture(StoreGroupFixture::class, ['website_id' => '$website2.id$'], 'store_group2'),
+        DataFixture(StoreFixture::class, ['store_group_id' => '$store_group2.id$'], 'store2'),
+        DataFixture(ProductFixture::class, ['website_ids' => [1, '$website2.id$' ]], as: 'product'),
+        DataFixture(
+            Customer::class,
+            [
+                'store_id' => '$store2.id$',
+                'website_id' => '$website2.id$',
+                'addresses' => [[]]
+            ],
+            as: 'customer'
+        )
+    ]
+    public function testGetCustomerCartCustomerNotBelongingToWebsite()
+    {
+        $this->expectException(\Magento\TestFramework\TestCase\GraphQl\ResponseContainsErrorsException::class);
+        $this->expectExceptionMessage('The request is allowed for logged in customer');
+
+        $customer = $this->fixtures->get('customer');
+        $customStore = $this->fixtures->get('store2');
+
+        $generateTokenQuery = $this->generateCustomerToken($customer->getEmail(), 'password');
+
+        $tokenResponse = $this->graphQlMutation($generateTokenQuery, [], '', ['Store' => $customStore->getCode()]);
+        $token = $tokenResponse['generateCustomerToken']['token'];
+
+        $customerCartQuery = $this->getCustomerCartQuery();
+        $this->graphQlMutation($customerCartQuery, [], '', ['Authorization' => 'Bearer ' . $token]);
+    }
+
     /**
      * Query for customer cart after customer token is revoked
      *
@@ -262,4 +312,25 @@ private function getHeaderMap(string $username = 'customer@example.com', string
         $headerMap = ['Authorization' => 'Bearer ' . $customerToken];
         return $headerMap;
     }
+
+    /**
+     * Get customer login token query
+     *
+     * @param string $email
+     * @param string $password
+     * @return string
+     */
+    private function generateCustomerToken(string $email, string $password) : string
+    {
+        return <<<MUTATION
+mutation {
+    generateCustomerToken(
+        email: "{$email}"
+        password: "{$password}"
+    ) {
+        token
+    }
+}
+MUTATION;
+    }
 }

dev/tests/api-functional/testsuite/Magento/GraphQl/Sales/CustomerOrdersTest.php

@@ -143,7 +143,7 @@ public function testGetCustomerOrders()
             $query,
             [],
             '',
-            $this->getCustomerHeaders($customerToken, null)
+            $this->getCustomerHeaders($customerToken, $store2->getCode())
         );
 
         $this->assertEquals(2, count($response['customer']['orders']['items']));
@@ -153,10 +153,59 @@ public function testGetCustomerOrders()
             $query,
             [],
             '',
-            $this->getCustomerHeaders($customerToken, null)
+            $this->getCustomerHeaders($customerToken, $store2->getCode())
+        );
+
+        $this->assertEquals(1, count($response['customer']['orders']['items']));
+    }
+
+    /**
+     * Test graphql customer orders when customer doesn't have access to custom website in Multi-Store setup.
+
+     * @dataProvider dataProviderScope
+     */
+    #[
+        DataFixture(WebsiteFixture::class, as: 'website2'),
+        DataFixture(StoreGroupFixture::class, ['website_id' => '$website2.id$'], 'store_group2'),
+        DataFixture(StoreFixture::class, ['store_group_id' => '$store_group2.id$'], 'store2'),
+        DataFixture(StoreFixture::class, ['store_group_id' => '$store_group2.id$'], 'store3'),
+        DataFixture(ProductFixture::class, ['website_ids' => [1, '$website2.id$' ]], as: 'product'),
+        DataFixture(
+            Customer::class,
+            [
+                'store_id' => '$store2.id$',
+                'website_id' => '$website2.id$',
+                'addresses' => [[]]
+            ],
+            as: 'customer'
+        )
+    ]
+    public function testGetCustomerOrdersCustomerHasNoAccess($scope)
+    {
+        $store2 = $this->fixtures->get('store2');
+        $customer = $this->fixtures->get('customer');
+        $currentEmail = $customer->getEmail();
+        $currentPassword = 'password';
+
+        $generateToken = $this->generateCustomerToken($currentEmail, $currentPassword);
+        $tokenResponse = $this->graphQlMutationWithResponseHeaders(
+            $generateToken,
+            [],
+            '',
+            ['Store' => $store2->getCode()]
         );
+        $customerToken = $tokenResponse['body']['generateCustomerToken']['token'];
 
-        $this->assertEquals(0, count($response['customer']['orders']['items']));
+        $query = $this->getCustomerOrdersQuery($scope);
+
+        $this->expectException(\Magento\TestFramework\TestCase\GraphQl\ResponseContainsErrorsException::class);
+        $this->expectExceptionMessage('The current customer isn\'t authorized.');
+        $this->graphQlQuery(
+            $query,
+            [],
+            '',
+            $this->getCustomerHeaders($customerToken, null)
+        );
     }
 
     /**
@@ -225,4 +274,19 @@ private function generateCustomerToken(string $email, string $password) : string
 }
 MUTATION;
     }
+
+    /**
+     * Scopes Data provider
+     *
+     * @return array
+     */
+    public function dataProviderScope()
+    {
+        return [
+            'store scope' => ['STORE'],
+            'website scope' => ['WEBSITE'],
+            'global scope' => ['GLOBAL'],
+            'no scope' => [null],
+        ];
+    }
 }

dev/tests/api-functional/testsuite/Magento/GraphQl/Sales/DateOfFirstOrderResolverTest.php

@@ -121,12 +121,18 @@ public function testGetCustomerOrdersGlobalScope()
         self::assertEquals(1, count($response['customer']['orders']['items']));
         self::assertArrayHasKey('date_of_first_order', $response['customer']['orders']);
 
-        $customerAuthHeaders = $this->getCustomerHeaders($token, null);
+        $customerAuthHeaders = $this->getCustomerHeaders($token, $store2->getCode());
         $query = $this->getCustomerOrdersQueryWithFilters('GLOBAL');
         $response = $this->graphQlQuery($query, [], '', $customerAuthHeaders);
         self::assertNotEmpty($response['customer']['orders']['items']);
         self::assertEquals(2, count($response['customer']['orders']['items']));
         self::assertArrayHasKey('date_of_first_order', $response['customer']['orders']);
+
+        $customerAuthHeaders = $this->getCustomerHeaders($token, null);
+        $query = $this->getCustomerOrdersQueryWithFilters('GLOBAL');
+        $this->expectException(\Magento\TestFramework\TestCase\GraphQl\ResponseContainsErrorsException::class);
+        $this->expectExceptionMessage('The current customer isn\'t authorized.');
+        $this->graphQlQuery($query, [], '', $customerAuthHeaders);
     }
 
     /**
@@ -175,13 +181,6 @@ public function testGetCustomerOrdersStoreScope()
         );
         $token = $tokenResponse['body']['generateCustomerToken']['token'];
 
-        $customerAuthHeaders = $this->getCustomerHeaders($token, null);
-        $query = $this->getCustomerOrdersQueryWithFilters('STORE', '+1 years');
-        $response = $this->graphQlQuery($query, [], '', $customerAuthHeaders);
-        self::assertEmpty($response['customer']['orders']['items']);
-        self::assertEquals(0, count($response['customer']['orders']['items']));
-        self::assertNull($response['customer']['orders']['date_of_first_order']);
-
         $customerAuthHeaders = $this->getCustomerHeaders($token, $store2->getCode());
         $query = $this->getCustomerOrdersQueryWithFilters('STORE', null);
         $response = $this->graphQlQuery($query, [], '', $customerAuthHeaders);
@@ -192,6 +191,12 @@ public function testGetCustomerOrdersStoreScope()
         $response = $this->graphQlQuery($query, [], '', $customerAuthHeaders);
         self::assertEquals(2, count($response['customer']['orders']['items']));
         self::assertArrayHasKey('date_of_first_order', $response['customer']['orders']);
+
+        $customerAuthHeaders = $this->getCustomerHeaders($token, null);
+        $query = $this->getCustomerOrdersQueryWithFilters('STORE', '+1 years');
+        $this->expectException(\Magento\TestFramework\TestCase\GraphQl\ResponseContainsErrorsException::class);
+        $this->expectExceptionMessage('The current customer isn\'t authorized.');
+        $this->graphQlQuery($query, [], '', $customerAuthHeaders);
     }
 
     /**