From 959f4be75e9b3b79c5c58fd701f9fa7db6c156a7 Mon Sep 17 00:00:00 2001 From: Sviatoslav Mankivskyi Date: Thu, 19 Mar 2015 17:11:59 +0200 Subject: [PATCH] MAGETWO-35333: [GITHUB] Serious security issue in Customer Address edit section #1107 --- .../Magento/Customer/Block/Address/Edit.php | 20 +- .../Test/Unit/Block/Address/EditTest.php | 449 ++++++++++++++++++ 2 files changed, 458 insertions(+), 11 deletions(-) create mode 100644 app/code/Magento/Customer/Test/Unit/Block/Address/EditTest.php diff --git a/app/code/Magento/Customer/Block/Address/Edit.php b/app/code/Magento/Customer/Block/Address/Edit.php index 2d4ff95fae9dc..ef7e323cf59a8 100644 --- a/app/code/Magento/Customer/Block/Address/Edit.php +++ b/app/code/Magento/Customer/Block/Address/Edit.php @@ -106,6 +106,9 @@ protected function _prepareLayout() if ($addressId = $this->getRequest()->getParam('id')) { try { $this->_address = $this->_addressRepository->getById($addressId); + if ($this->_address->getCustomerId() != $this->_customerSession->getCustomerId()) { + $this->_address = null; + } } catch (NoSuchEntityException $e) { $this->_address = null; } @@ -113,17 +116,12 @@ protected function _prepareLayout() if ($this->_address === null || !$this->_address->getId()) { $this->_address = $this->addressDataFactory->create(); - $this->_address->setPrefix( - $this->getCustomer()->getPrefix() - )->setFirstname( - $this->getCustomer()->getFirstname() - )->setMiddlename( - $this->getCustomer()->getMiddlename() - )->setLastname( - $this->getCustomer()->getLastname() - )->setSuffix( - $this->getCustomer()->getSuffix() - ); + $customer = $this->getCustomer(); + $this->_address->setPrefix($customer->getPrefix()); + $this->_address->setFirstname($customer->getFirstname()); + $this->_address->setMiddlename($customer->getMiddlename()); + $this->_address->setLastname($customer->getLastname()); + $this->_address->setSuffix($customer->getSuffix()); } $this->pageConfig->getTitle()->set($this->getTitle()); diff --git a/app/code/Magento/Customer/Test/Unit/Block/Address/EditTest.php b/app/code/Magento/Customer/Test/Unit/Block/Address/EditTest.php new file mode 100644 index 0000000000000..bb75918f3b393 --- /dev/null +++ b/app/code/Magento/Customer/Test/Unit/Block/Address/EditTest.php @@ -0,0 +1,449 @@ +objectManager = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this); + + $this->requestMock = $this->getMockBuilder('Magento\Framework\App\RequestInterface') + ->getMock(); + + $this->addressRepositoryMock = $this->getMockBuilder('Magento\Customer\Api\AddressRepositoryInterface') + ->getMock(); + + $this->customerSessionMock = $this->getMockBuilder('Magento\Customer\Model\Session') + ->disableOriginalConstructor() + ->setMethods(['getAddressFormData', 'getCustomerId']) + ->getMock(); + + $this->pageConfigMock = $this->getMockBuilder('Magento\Framework\View\Page\Config') + ->disableOriginalConstructor() + ->getMock(); + + $this->dataObjectHelperMock = $this->getMockBuilder('Magento\Framework\Api\DataObjectHelper') + ->disableOriginalConstructor() + ->getMock(); + + $this->addressDataFactoryMock = $this->getMockBuilder('Magento\Customer\Api\Data\AddressInterfaceFactory') + ->disableOriginalConstructor() + ->getMock(); + + $this->currentCustomerMock = $this->getMockBuilder('Magento\Customer\Helper\Session\CurrentCustomer') + ->disableOriginalConstructor() + ->getMock(); + + $this->model = $this->objectManager->getObject( + 'Magento\Customer\Block\Address\Edit', + [ + 'request' => $this->requestMock, + 'addressRepository' => $this->addressRepositoryMock, + 'customerSession' => $this->customerSessionMock, + 'pageConfig' => $this->pageConfigMock, + 'dataObjectHelper' => $this->dataObjectHelperMock, + 'addressDataFactory' => $this->addressDataFactoryMock, + 'currentCustomer' => $this->currentCustomerMock, + ] + ); + } + + public function testSetLayoutWithOwnAddressAndPostedData() + { + $addressId = 1; + $customerId = 1; + $title = __('Edit Address'); + $postedData = [ + 'region_id' => 1, + 'region' => 'region', + ]; + $newPostedData = $postedData; + $newPostedData['region'] = $postedData; + + $layoutMock = $this->getMockBuilder('Magento\Framework\View\LayoutInterface') + ->getMock(); + + $this->requestMock->expects($this->once()) + ->method('getParam') + ->with('id', null) + ->willReturn($addressId); + + $addressMock = $this->getMockBuilder('Magento\Customer\Api\Data\AddressInterface') + ->getMock(); + $this->addressRepositoryMock->expects($this->once()) + ->method('getById') + ->with($addressId) + ->willReturn($addressMock); + + $addressMock->expects($this->once()) + ->method('getCustomerId') + ->willReturn($customerId); + + $this->customerSessionMock->expects($this->at(0)) + ->method('getCustomerId') + ->willReturn($customerId); + + $addressMock->expects($this->exactly(2)) + ->method('getId') + ->willReturn($addressId); + + $pageTitleMock = $this->getMockBuilder('Magento\Framework\View\Page\Title') + ->disableOriginalConstructor() + ->getMock(); + $this->pageConfigMock->expects($this->once()) + ->method('getTitle') + ->willReturn($pageTitleMock); + + $pageTitleMock->expects($this->once()) + ->method('set') + ->with($title) + ->willReturnSelf(); + + $this->customerSessionMock->expects($this->at(1)) + ->method('getAddressFormData') + ->with(true) + ->willReturn($postedData); + + $this->dataObjectHelperMock->expects($this->once()) + ->method('populateWithArray') + ->with( + $addressMock, + $newPostedData, + '\Magento\Customer\Api\Data\AddressInterface' + )->willReturnSelf(); + + $this->assertEquals($this->model, $this->model->setLayout($layoutMock)); + $this->assertEquals($layoutMock, $this->model->getLayout()); + } + + public function testSetLayoutWithAlienAddress() + { + $addressId = 1; + $customerId = 1; + $customerPrefix = 'prefix'; + $customerFirstName = 'firstname'; + $customerMiddlename = 'middlename'; + $customerLastname = 'lastname'; + $customerSuffix = 'suffix'; + $title = __('Add New Address'); + + $layoutMock = $this->getMockBuilder('Magento\Framework\View\LayoutInterface') + ->getMock(); + + $this->requestMock->expects($this->once()) + ->method('getParam') + ->with('id', null) + ->willReturn($addressId); + + $addressMock = $this->getMockBuilder('Magento\Customer\Api\Data\AddressInterface') + ->getMock(); + $this->addressRepositoryMock->expects($this->once()) + ->method('getById') + ->with($addressId) + ->willReturn($addressMock); + + $addressMock->expects($this->once()) + ->method('getCustomerId') + ->willReturn($customerId); + + $this->customerSessionMock->expects($this->at(0)) + ->method('getCustomerId') + ->willReturn($customerId + 1); + + $newAddressMock = $this->getMockBuilder('Magento\Customer\Api\Data\AddressInterface') + ->getMock(); + $this->addressDataFactoryMock->expects($this->once()) + ->method('create') + ->with([]) + ->willReturn($newAddressMock); + + $customerMock = $this->getMockBuilder('Magento\Customer\Api\Data\CustomerInterface') + ->getMock(); + $this->currentCustomerMock->expects($this->once()) + ->method('getCustomer') + ->willReturn($customerMock); + + $customerMock->expects($this->once()) + ->method('getPrefix') + ->willReturn($customerPrefix); + $customerMock->expects($this->once()) + ->method('getFirstname') + ->willReturn($customerFirstName); + $customerMock->expects($this->once()) + ->method('getMiddlename') + ->willReturn($customerMiddlename); + $customerMock->expects($this->once()) + ->method('getLastname') + ->willReturn($customerLastname); + $customerMock->expects($this->once()) + ->method('getSuffix') + ->willReturn($customerSuffix); + + $newAddressMock->expects($this->once()) + ->method('setPrefix') + ->with($customerPrefix) + ->willReturnSelf(); + $newAddressMock->expects($this->once()) + ->method('setFirstname') + ->with($customerFirstName) + ->willReturnSelf(); + $newAddressMock->expects($this->once()) + ->method('setMiddlename') + ->with($customerMiddlename) + ->willReturnSelf(); + $newAddressMock->expects($this->once()) + ->method('setLastname') + ->with($customerLastname) + ->willReturnSelf(); + $newAddressMock->expects($this->once()) + ->method('setSuffix') + ->with($customerSuffix) + ->willReturnSelf(); + + $newAddressMock->expects($this->once()) + ->method('getId') + ->willReturn(null); + + $pageTitleMock = $this->getMockBuilder('Magento\Framework\View\Page\Title') + ->disableOriginalConstructor() + ->getMock(); + $this->pageConfigMock->expects($this->once()) + ->method('getTitle') + ->willReturn($pageTitleMock); + + $pageTitleMock->expects($this->once()) + ->method('set') + ->with($title) + ->willReturnSelf(); + + $this->assertEquals($this->model, $this->model->setLayout($layoutMock)); + $this->assertEquals($layoutMock, $this->model->getLayout()); + } + + public function testSetLayoutWithoutAddressId() + { + $customerPrefix = 'prefix'; + $customerFirstName = 'firstname'; + $customerMiddlename = 'middlename'; + $customerLastname = 'lastname'; + $customerSuffix = 'suffix'; + $title = 'title'; + + $layoutMock = $this->getMockBuilder('Magento\Framework\View\LayoutInterface') + ->getMock(); + + $this->requestMock->expects($this->once()) + ->method('getParam') + ->with('id', null) + ->willReturn(''); + + $newAddressMock = $this->getMockBuilder('Magento\Customer\Api\Data\AddressInterface') + ->getMock(); + $this->addressDataFactoryMock->expects($this->once()) + ->method('create') + ->with([]) + ->willReturn($newAddressMock); + + $customerMock = $this->getMockBuilder('Magento\Customer\Api\Data\CustomerInterface') + ->getMock(); + $this->currentCustomerMock->expects($this->once()) + ->method('getCustomer') + ->willReturn($customerMock); + + $customerMock->expects($this->once()) + ->method('getPrefix') + ->willReturn($customerPrefix); + $customerMock->expects($this->once()) + ->method('getFirstname') + ->willReturn($customerFirstName); + $customerMock->expects($this->once()) + ->method('getMiddlename') + ->willReturn($customerMiddlename); + $customerMock->expects($this->once()) + ->method('getLastname') + ->willReturn($customerLastname); + $customerMock->expects($this->once()) + ->method('getSuffix') + ->willReturn($customerSuffix); + + $newAddressMock->expects($this->once()) + ->method('setPrefix') + ->with($customerPrefix) + ->willReturnSelf(); + $newAddressMock->expects($this->once()) + ->method('setFirstname') + ->with($customerFirstName) + ->willReturnSelf(); + $newAddressMock->expects($this->once()) + ->method('setMiddlename') + ->with($customerMiddlename) + ->willReturnSelf(); + $newAddressMock->expects($this->once()) + ->method('setLastname') + ->with($customerLastname) + ->willReturnSelf(); + $newAddressMock->expects($this->once()) + ->method('setSuffix') + ->with($customerSuffix) + ->willReturnSelf(); + + $pageTitleMock = $this->getMockBuilder('Magento\Framework\View\Page\Title') + ->disableOriginalConstructor() + ->getMock(); + $this->pageConfigMock->expects($this->once()) + ->method('getTitle') + ->willReturn($pageTitleMock); + + $this->model->setData('title', $title); + + $pageTitleMock->expects($this->once()) + ->method('set') + ->with($title) + ->willReturnSelf(); + + $this->assertEquals($this->model, $this->model->setLayout($layoutMock)); + $this->assertEquals($layoutMock, $this->model->getLayout()); + } + + public function testSetLayoutWithoutAddress() + { + $addressId = 1; + $customerPrefix = 'prefix'; + $customerFirstName = 'firstname'; + $customerMiddlename = 'middlename'; + $customerLastname = 'lastname'; + $customerSuffix = 'suffix'; + $title = 'title'; + + $layoutMock = $this->getMockBuilder('Magento\Framework\View\LayoutInterface') + ->getMock(); + + $this->requestMock->expects($this->once()) + ->method('getParam') + ->with('id', null) + ->willReturn($addressId); + + $this->addressRepositoryMock->expects($this->once()) + ->method('getById') + ->with($addressId) + ->willThrowException( + \Magento\Framework\Exception\NoSuchEntityException::singleField('addressId', $addressId) + ); + + $newAddressMock = $this->getMockBuilder('Magento\Customer\Api\Data\AddressInterface') + ->getMock(); + $this->addressDataFactoryMock->expects($this->once()) + ->method('create') + ->with([]) + ->willReturn($newAddressMock); + + $customerMock = $this->getMockBuilder('Magento\Customer\Api\Data\CustomerInterface') + ->getMock(); + $this->currentCustomerMock->expects($this->once()) + ->method('getCustomer') + ->willReturn($customerMock); + + $customerMock->expects($this->once()) + ->method('getPrefix') + ->willReturn($customerPrefix); + $customerMock->expects($this->once()) + ->method('getFirstname') + ->willReturn($customerFirstName); + $customerMock->expects($this->once()) + ->method('getMiddlename') + ->willReturn($customerMiddlename); + $customerMock->expects($this->once()) + ->method('getLastname') + ->willReturn($customerLastname); + $customerMock->expects($this->once()) + ->method('getSuffix') + ->willReturn($customerSuffix); + + $newAddressMock->expects($this->once()) + ->method('setPrefix') + ->with($customerPrefix) + ->willReturnSelf(); + $newAddressMock->expects($this->once()) + ->method('setFirstname') + ->with($customerFirstName) + ->willReturnSelf(); + $newAddressMock->expects($this->once()) + ->method('setMiddlename') + ->with($customerMiddlename) + ->willReturnSelf(); + $newAddressMock->expects($this->once()) + ->method('setLastname') + ->with($customerLastname) + ->willReturnSelf(); + $newAddressMock->expects($this->once()) + ->method('setSuffix') + ->with($customerSuffix) + ->willReturnSelf(); + + $pageTitleMock = $this->getMockBuilder('Magento\Framework\View\Page\Title') + ->disableOriginalConstructor() + ->getMock(); + $this->pageConfigMock->expects($this->once()) + ->method('getTitle') + ->willReturn($pageTitleMock); + + $this->model->setData('title', $title); + + $pageTitleMock->expects($this->once()) + ->method('set') + ->with($title) + ->willReturnSelf(); + + $this->assertEquals($this->model, $this->model->setLayout($layoutMock)); + $this->assertEquals($layoutMock, $this->model->getLayout()); + } +}