Merge remote-tracking branch 'origin/MC-37603-2.4.2' into 2.4-develop

Prabhu Ram · Prabhu Ram · commit 677aad16d788 · 2020-09-30T12:11:09.000-05:00
diff --git a/app/code/Magento/Wishlist/Model/Wishlist/RemoveProductsFromWishlist.php b/app/code/Magento/Wishlist/Model/Wishlist/RemoveProductsFromWishlist.php
@@ -7,6 +7,7 @@
 
 namespace Magento\Wishlist\Model\Wishlist;
 
+use Magento\Framework\Exception\LocalizedException;
 use Magento\Wishlist\Model\Item as WishlistItem;
 use Magento\Wishlist\Model\ItemFactory as WishlistItemFactory;
 use Magento\Wishlist\Model\ResourceModel\Item as WishlistItemResource;
@@ -63,7 +64,7 @@ public function __construct(
     public function execute(Wishlist $wishlist, array $wishlistItemsIds): WishlistOutput
     {
         foreach ($wishlistItemsIds as $wishlistItemId) {
-            $this->removeItemFromWishlist((int) $wishlistItemId);
+            $this->removeItemFromWishlist((int) $wishlistItemId, $wishlist);
         }
 
         return $this->prepareOutput($wishlist);
@@ -73,12 +74,22 @@ public function execute(Wishlist $wishlist, array $wishlistItemsIds): WishlistOu
      * Remove product item from wishlist
      *
      * @param int $wishlistItemId
+     * @param Wishlist $wishlist
      *
      * @return void
      */
-    private function removeItemFromWishlist(int $wishlistItemId): void
+    private function removeItemFromWishlist(int $wishlistItemId, Wishlist $wishlist): void
     {
         try {
+            if ($wishlist->getItem($wishlistItemId) == null) {
+                throw new LocalizedException(
+                    __(
+                        'The wishlist item with ID "%id" does not belong to the wishlist',
+                        ['id' => $wishlistItemId]
+                    )
+                );
+            }
+            $wishlist->getItemCollection()->clear();
             /** @var WishlistItem $wishlistItem */
             $wishlistItem = $this->wishlistItemFactory->create();
             $this->wishlistItemResource->load($wishlistItem, $wishlistItemId);
@@ -90,6 +101,8 @@ private function removeItemFromWishlist(int $wishlistItemId): void
             }
 
             $this->wishlistItemResource->delete($wishlistItem);
+        } catch (LocalizedException $exception) {
+            $this->addError($exception->getMessage());
         } catch (\Exception $e) {
             $this->addError(
                 __(
diff --git a/app/code/Magento/Wishlist/Model/Wishlist/UpdateProductsInWishlist.php b/app/code/Magento/Wishlist/Model/Wishlist/UpdateProductsInWishlist.php
@@ -90,6 +90,15 @@ public function execute(Wishlist $wishlist, array $wishlistItems): WishlistOutpu
     private function updateItemInWishlist(Wishlist $wishlist, WishlistItemData $wishlistItemData): void
     {
         try {
+            if ($wishlist->getItem($wishlistItemData->getId()) == null) {
+                throw new LocalizedException(
+                    __(
+                        'The wishlist item with ID "%id" does not belong to the wishlist',
+                        ['id' => $wishlistItemData->getId()]
+                    )
+                );
+            }
+            $wishlist->getItemCollection()->clear();
             $options = $this->buyRequestBuilder->build($wishlistItemData);
             /** @var WishlistItem $wishlistItem */
             $wishlistItem = $this->wishlistItemFactory->create();
diff --git a/dev/tests/api-functional/testsuite/Magento/GraphQl/Wishlist/DeleteProductsFromWishlistTest.php b/dev/tests/api-functional/testsuite/Magento/GraphQl/Wishlist/DeleteProductsFromWishlistTest.php
@@ -55,6 +55,34 @@ public function testDeleteWishlistItemFromWishlist(): void
         $this->assertEmpty($wishlistResponse['items_v2']);
     }
 
+    /**
+     * Test deleting the wishlist item of another customer
+     *
+     * @magentoConfigFixture default_store wishlist/general/active 1
+     * @magentoApiDataFixture Magento/Wishlist/_files/two_wishlists_for_two_diff_customers.php
+     */
+    public function testUnauthorizedWishlistItemDelete()
+    {
+        $wishlist = $this->getWishlist();
+        $wishlistItem = $wishlist['customer']['wishlist']['items_v2'][0];
+        $wishlist2 = $this->getWishlist('customer_two@example.com');
+        $wishlist2Id = $wishlist2['customer']['wishlist']['id'];
+        $query = $this->getQuery((int) $wishlist2Id, (int) $wishlistItem['id']);
+        $response = $this->graphQlMutation(
+            $query,
+            [],
+            '',
+            $this->getHeaderMap('customer_two@example.com')
+        );
+        self::assertEquals(1, $response['removeProductsFromWishlist']['wishlist']['items_count']);
+        self::assertNotEmpty($response['removeProductsFromWishlist']['wishlist']['items_v2'], 'empty wish list items');
+        self::assertCount(1, $response['removeProductsFromWishlist']['wishlist']['items_v2']);
+        self::assertEquals(
+            'The wishlist item with ID "'.$wishlistItem['id'].'" does not belong to the wishlist',
+            $response['removeProductsFromWishlist']['user_errors'][0]['message']
+        );
+    }
+
     /**
      * Authentication header map
      *
@@ -116,9 +144,9 @@ private function getQuery(
      *
      * @throws Exception
      */
-    public function getWishlist(): array
+    public function getWishlist(string $username = 'customer@example.com'): array
     {
-        return $this->graphQlQuery($this->getCustomerWishlistQuery(), [], '', $this->getHeaderMap());
+        return $this->graphQlQuery($this->getCustomerWishlistQuery(), [], '', $this->getHeaderMap($username));
     }
 
     /**
diff --git a/dev/tests/api-functional/testsuite/Magento/GraphQl/Wishlist/UpdateProductsFromWishlistTest.php b/dev/tests/api-functional/testsuite/Magento/GraphQl/Wishlist/UpdateProductsFromWishlistTest.php
@@ -57,6 +57,37 @@ public function testUpdateSimpleProductFromWishlist(): void
         $this->assertEquals($description, $wishlistResponse['items_v2'][0]['description']);
     }
 
+    /**
+     * Test updating the wishlist item of another customer
+     *
+     * @magentoConfigFixture default_store wishlist/general/active 1
+     * @magentoApiDataFixture Magento/Customer/_files/two_customers.php
+     * @magentoApiDataFixture Magento/Wishlist/_files/two_wishlists_for_two_diff_customers.php
+     */
+    public function testUnauthorizedWishlistItemUpdate()
+    {
+        $wishlist = $this->getWishlist();
+        $wishlistItem = $wishlist['customer']['wishlist']['items_v2'][0];
+        $wishlist2 = $this->getWishlist('customer_two@example.com');
+        $wishlist2Id = $wishlist2['customer']['wishlist']['id'];
+        $qty = 2;
+        $description = 'New Description';
+        $updateWishlistQuery = $this->getQuery((int) $wishlist2Id, (int) $wishlistItem['id'], $qty, $description);
+        $response = $this->graphQlMutation(
+            $updateWishlistQuery,
+            [],
+            '',
+            $this->getHeaderMap('customer_two@example.com')
+        );
+        self::assertEquals(1, $response['updateProductsInWishlist']['wishlist']['items_count']);
+        self::assertNotEmpty($response['updateProductsInWishlist']['wishlist']['items_v2'], 'empty wish list items');
+        self::assertCount(1, $response['updateProductsInWishlist']['wishlist']['items_v2']);
+        self::assertEquals(
+            'The wishlist item with ID "'.$wishlistItem['id'].'" does not belong to the wishlist',
+            $response['updateProductsInWishlist']['user_errors'][0]['message']
+        );
+    }
+
     /**
      * Authentication header map
      *
@@ -124,13 +155,14 @@ private function getQuery(
     /**
      * Get wishlist result
      *
+     * @param string $username
      * @return array
      *
      * @throws Exception
      */
-    public function getWishlist(): array
+    public function getWishlist(string $username = 'customer@example.com'): array
     {
-        return $this->graphQlQuery($this->getCustomerWishlistQuery(), [], '', $this->getHeaderMap());
+        return $this->graphQlQuery($this->getCustomerWishlistQuery(), [], '', $this->getHeaderMap($username));
     }
 
     /**
