Merge pull request #8252 from magento-l3/APR222023_PR_sarmistha

[L3 Kings] Bugfix delivery

Author: dhorytskyi

app/code/Magento/ConfigurableProduct/view/frontend/web/js/configurable.js

@@ -279,7 +279,7 @@ define([
         _configureElement: function (element) {
             this.simpleProduct = this._getSimpleProductId(element);
 
-            if (element.value) {
+            if (element.value && element.config) {
                 this.options.state[element.config.id] = element.value;
 
                 if (element.nextSetting) {
@@ -298,9 +298,11 @@ define([
             }
 
             this._reloadPrice();
-            this._displayRegularPriceBlock(this.simpleProduct);
-            this._displayTierPriceBlock(this.simpleProduct);
-            this._displayNormalPriceLabel();
+            if (element.config) {
+                this._displayRegularPriceBlock(this.simpleProduct);
+                this._displayTierPriceBlock(this.simpleProduct);
+                this._displayNormalPriceLabel();
+            }
             this._changeProductImage();
         },
 
@@ -439,8 +441,10 @@ define([
                 filteredSalableProducts;
 
             this._clearSelect(element);
-            element.options[0] = new Option('', '');
-            element.options[0].innerHTML = this.options.spConfig.chooseText;
+            if (element.options) {
+                element.options[0] = new Option('', '');
+                element.options[0].innerHTML = this.options.spConfig.chooseText;
+            }
             prevConfig = false;
 
             if (element.prevSetting) {
@@ -552,8 +556,10 @@ define([
         _clearSelect: function (element) {
             var i;
 
-            for (i = element.options.length - 1; i >= 0; i--) {
-                element.remove(i);
+            if (element.options) {
+                for (i = element.options.length - 1; i >= 0; i--) {
+                    element.remove(i);
+                }
             }
         },
 
@@ -585,26 +591,31 @@ define([
         _getPrices: function () {
             var prices = {},
                 elements = _.toArray(this.options.settings),
-                allowedProduct;
+                allowedProduct,
+                selected,
+                config,
+                priceValue;
 
             _.each(elements, function (element) {
-                var selected = element.options[element.selectedIndex],
-                    config = selected && selected.config,
+                if (element.options) {
+                    selected = element.options[element.selectedIndex];
+                    config = selected && selected.config;
                     priceValue = this._calculatePrice({});
 
-                if (config && config.allowedProducts.length === 1) {
-                    priceValue = this._calculatePrice(config);
-                } else if (element.value) {
-                    allowedProduct = this._getAllowedProductWithMinPrice(config.allowedProducts);
-                    priceValue = this._calculatePrice({
-                        'allowedProducts': [
-                            allowedProduct
-                        ]
-                    });
-                }
+                    if (config && config.allowedProducts.length === 1) {
+                        priceValue = this._calculatePrice(config);
+                    } else if (element.value) {
+                        allowedProduct = this._getAllowedProductWithMinPrice(config.allowedProducts);
+                        priceValue = this._calculatePrice({
+                            'allowedProducts': [
+                                allowedProduct
+                            ]
+                        });
+                    }
 
-                if (!_.isEmpty(priceValue)) {
-                    prices.prices = priceValue;
+                    if (!_.isEmpty(priceValue)) {
+                        prices.prices = priceValue;
+                    }
                 }
             }, this);
 
@@ -664,19 +675,23 @@ define([
         _getSimpleProductId: function (element) {
             // TODO: Rewrite algorithm. It should return ID of
             //        simple product based on selected options.
-            var allOptions = element.config.options,
-                value = element.value,
+            var allOptions,
+                value,
                 config;
 
-            config = _.filter(allOptions, function (option) {
-                return option.id === value;
-            });
-            config = _.first(config);
+            if (element.config) {
+                allOptions = element.config.options;
+                value = element.value;
 
-            return _.isEmpty(config) ?
-                undefined :
-                _.first(config.allowedProducts);
+                config = _.filter(allOptions, function (option) {
+                    return option.id === value;
+                });
+                config = _.first(config);
 
+                return _.isEmpty(config) ?
+                    undefined :
+                    _.first(config.allowedProducts);
+            }
         },
 
         /**

app/code/Magento/Customer/Model/AccountManagement.php

@@ -877,11 +877,6 @@ public function getConfirmationStatus($customerId)
      */
     public function createAccount(CustomerInterface $customer, $password = null, $redirectUrl = '')
     {
-        $groupId = $customer->getGroupId();
-        if (isset($groupId) && !$this->authorization->isAllowed(self::ADMIN_RESOURCE)) {
-            $customer->setGroupId(null);
-        }
-
         if ($password !== null) {
             $this->checkPasswordStrength($password);
             $customerEmail = $customer->getEmail();

app/code/Magento/Customer/Model/AccountManagementApi.php

@@ -6,26 +6,158 @@
 
 namespace Magento\Customer\Model;
 
+use Magento\Customer\Api\AddressRepositoryInterface;
+use Magento\Customer\Api\CustomerMetadataInterface;
+use Magento\Customer\Api\CustomerRepositoryInterface;
 use Magento\Customer\Api\Data\CustomerInterface;
+use Magento\Customer\Api\Data\ValidationResultsInterfaceFactory;
+use Magento\Customer\Helper\View as CustomerViewHelper;
+use Magento\Customer\Model\Config\Share as ConfigShare;
+use Magento\Customer\Model\Customer as CustomerModel;
+use Magento\Customer\Model\Metadata\Validator;
+use Magento\Framework\Api\ExtensibleDataObjectConverter;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\DataObjectFactory as ObjectFactory;
+use Magento\Framework\Encryption\EncryptorInterface as Encryptor;
+use Magento\Framework\Event\ManagerInterface;
+use Magento\Framework\Exception\AuthorizationException;
+use Magento\Framework\Mail\Template\TransportBuilder;
+use Magento\Framework\Math\Random;
+use Magento\Framework\Reflection\DataObjectProcessor;
+use Magento\Framework\Registry;
+use Magento\Framework\Stdlib\DateTime;
+use Magento\Framework\Stdlib\StringUtils as StringHelper;
+use Magento\Store\Model\StoreManagerInterface;
+use Psr\Log\LoggerInterface as PsrLogger;
 
 /**
  * Account Management service implementation for external API access.
+ *
  * Handle various customer account actions.
  *
  * @SuppressWarnings(PHPMD.CookieAndSessionMisuse)
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class AccountManagementApi extends AccountManagement
 {
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     * @param CustomerFactory $customerFactory
+     * @param ManagerInterface $eventManager
+     * @param StoreManagerInterface $storeManager
+     * @param Random $mathRandom
+     * @param Validator $validator
+     * @param ValidationResultsInterfaceFactory $validationResultsDataFactory
+     * @param AddressRepositoryInterface $addressRepository
+     * @param CustomerMetadataInterface $customerMetadataService
+     * @param CustomerRegistry $customerRegistry
+     * @param PsrLogger $logger
+     * @param Encryptor $encryptor
+     * @param ConfigShare $configShare
+     * @param StringHelper $stringHelper
+     * @param CustomerRepositoryInterface $customerRepository
+     * @param ScopeConfigInterface $scopeConfig
+     * @param TransportBuilder $transportBuilder
+     * @param DataObjectProcessor $dataProcessor
+     * @param Registry $registry
+     * @param CustomerViewHelper $customerViewHelper
+     * @param DateTime $dateTime
+     * @param CustomerModel $customerModel
+     * @param ObjectFactory $objectFactory
+     * @param ExtensibleDataObjectConverter $extensibleDataObjectConverter
+     * @param AuthorizationInterface $authorization
+     * @SuppressWarnings(PHPMD.ExcessiveParameterList)
+     */
+    public function __construct(
+        CustomerFactory $customerFactory,
+        ManagerInterface $eventManager,
+        StoreManagerInterface $storeManager,
+        Random $mathRandom,
+        Validator $validator,
+        ValidationResultsInterfaceFactory $validationResultsDataFactory,
+        AddressRepositoryInterface $addressRepository,
+        CustomerMetadataInterface $customerMetadataService,
+        CustomerRegistry $customerRegistry,
+        PsrLogger $logger,
+        Encryptor $encryptor,
+        ConfigShare $configShare,
+        StringHelper $stringHelper,
+        CustomerRepositoryInterface $customerRepository,
+        ScopeConfigInterface $scopeConfig,
+        TransportBuilder $transportBuilder,
+        DataObjectProcessor $dataProcessor,
+        Registry $registry,
+        CustomerViewHelper $customerViewHelper,
+        DateTime $dateTime,
+        CustomerModel $customerModel,
+        ObjectFactory $objectFactory,
+        ExtensibleDataObjectConverter $extensibleDataObjectConverter,
+        AuthorizationInterface $authorization
+    ) {
+        $this->authorization = $authorization;
+        parent::__construct(
+            $customerFactory,
+            $eventManager,
+            $storeManager,
+            $mathRandom,
+            $validator,
+            $validationResultsDataFactory,
+            $addressRepository,
+            $customerMetadataService,
+            $customerRegistry,
+            $logger,
+            $encryptor,
+            $configShare,
+            $stringHelper,
+            $customerRepository,
+            $scopeConfig,
+            $transportBuilder,
+            $dataProcessor,
+            $registry,
+            $customerViewHelper,
+            $dateTime,
+            $customerModel,
+            $objectFactory,
+            $extensibleDataObjectConverter
+        );
+    }
+
     /**
      * @inheritDoc
      *
      * Override createAccount method to unset confirmation attribute for security purposes.
      */
     public function createAccount(CustomerInterface $customer, $password = null, $redirectUrl = '')
     {
+        $this->validateCustomerRequest($customer);
         $customer = parent::createAccount($customer, $password, $redirectUrl);
         $customer->setConfirmation(null);
 
         return $customer;
     }
+
+    /**
+     * Validate anonymous request
+     *
+     * @param CustomerInterface $customer
+     * @return void
+     * @throws AuthorizationException
+     */
+    private function validateCustomerRequest(CustomerInterface $customer): void
+    {
+        $groupId = $customer->getGroupId();
+        if (isset($groupId) &&
+            !$this->authorization->isAllowed(self::ADMIN_RESOURCE)
+        ) {
+            $params = ['resources' => self::ADMIN_RESOURCE];
+            throw new AuthorizationException(
+                __("The consumer isn't authorized to access %resources.", $params)
+            );
+        }
+    }
 }

app/code/Magento/Customer/Plugin/AsyncRequestCustomerGroupAuthorization.php

@@ -0,0 +1,78 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Customer\Plugin;
+
+use Magento\Customer\Api\Data\CustomerInterface;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\AuthorizationInterface;
+use Magento\Framework\Exception\AuthorizationException;
+use Magento\AsynchronousOperations\Model\MassSchedule;
+
+/**
+ * Plugin to validate anonymous request for asynchronous operations containing group id.
+ */
+class AsyncRequestCustomerGroupAuthorization
+{
+    /**
+     * Authorization level of a basic admin session
+     *
+     * @see _isAllowed()
+     */
+    public const ADMIN_RESOURCE = 'Magento_Customer::manage';
+
+    /**
+     * @var AuthorizationInterface
+     */
+    private $authorization;
+
+    /**
+     *
+     * @param AuthorizationInterface $authorization
+     */
+    public function __construct(
+        AuthorizationInterface $authorization
+    ) {
+        $this->authorization = $authorization;
+    }
+
+    /**
+     * Validate groupId for anonymous request
+     *
+     * @param MassSchedule $massSchedule
+     * @param string $topic
+     * @param array $entitiesArray
+     * @param string|null $groupId
+     * @param string|null $userId
+     * @return null
+     * @throws AuthorizationException
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function beforePublishMass(
+        MassSchedule $massSchedule,
+        string       $topic,
+        array        $entitiesArray,
+        string       $groupId = null,
+        string       $userId = null
+    ) {
+        foreach ($entitiesArray as $entityParams) {
+            foreach ($entityParams as $entity) {
+                if ($entity instanceof CustomerInterface) {
+                    $groupId = $entity->getGroupId();
+                    if (isset($groupId) && !$this->authorization->isAllowed(self::ADMIN_RESOURCE)) {
+                        $params = ['resources' => self::ADMIN_RESOURCE];
+                        throw new AuthorizationException(
+                            __("The consumer isn't authorized to access %resources.", $params)
+                        );
+                    }
+                }
+            }
+        }
+        return null;
+    }
+}