cia-2.4.8-beta1-develop-bugfix-05202024: resolve conflict

pawan-adobe-security · pawan-adobe-security · commit 0a71a5951576 · 2024-05-20T18:54:35.000+05:30
diff --git a/app/code/Magento/Quote/Plugin/ValidateQuoteOrigOrder.php b/app/code/Magento/Quote/Plugin/ValidateQuoteOrigOrder.php
@@ -0,0 +1,65 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Quote\Plugin;
+
+use Magento\Framework\Exception\NoSuchEntityException;
+use Magento\Framework\Webapi\Rest\Request as RestRequest;
+use Magento\Quote\Api\CartRepositoryInterface;
+use Magento\Quote\Api\Data\CartInterface;
+use Magento\Sales\Api\OrderRepositoryInterface;
+
+/**
+ * Validate order id from request param
+ */
+class ValidateQuoteOrigOrder
+{
+    /**
+     * @var OrderRepositoryInterface
+     */
+    private $orderRepository;
+
+    /**
+     * @var RestRequest $request
+     */
+    private $request;
+
+    /**
+     * @param RestRequest $request
+     * @param OrderRepositoryInterface $orderRepository
+     */
+    public function __construct(RestRequest $request, OrderRepositoryInterface $orderRepository)
+    {
+        $this->request = $request;
+        $this->orderRepository = $orderRepository;
+    }
+
+    /**
+     * Validate the user authorization to order
+     *
+     * @param CartRepositoryInterface $cartRepository
+     * @param CartInterface $quote
+     * @return void
+     * @throws NoSuchEntityException
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function beforeSave(
+        CartRepositoryInterface $cartRepository,
+        CartInterface $quote
+    ): void {
+        $params = $this->request->getBodyParams();
+        if (!empty($params) && isset($params['quote']['orig_order_id'])) {
+            $orderId = $params['quote']['orig_order_id'];
+            $order = $this->orderRepository->get($orderId);
+            $orderCustomer = (int)$order->getCustomerId();
+            if ($quote->getCustomerId() !== $orderCustomer) {
+                throw new NoSuchEntityException(__('Please check input parameters.'));
+            }
+        }
+    }
+}
diff --git a/app/code/Magento/Quote/etc/webapi_rest/di.xml b/app/code/Magento/Quote/etc/webapi_rest/di.xml
@@ -19,4 +19,7 @@
     <type name="Magento\Quote\Model\Quote">
         <plugin name="updateQuoteStoreId" type="Magento\Quote\Model\Quote\Plugin\UpdateQuoteStoreId" />
     </type>
+    <type name="Magento\Quote\Api\CartRepositoryInterface">
+        <plugin name="quoteValidateOrderId" type="Magento\Quote\Plugin\ValidateQuoteOrigOrder"/>
+    </type>
 </config>
diff --git a/app/code/Magento/Quote/i18n/en_US.csv b/app/code/Magento/Quote/i18n/en_US.csv
@@ -74,3 +74,4 @@ Carts,Carts
 "Please select a valid rate limit period in seconds: %1.","Please select a valid rate limit period in seconds: %1."
 "Identity type not found","Identity type not found"
 "Invalid order backpressure limit config","Invalid order backpressure limit config"
+"Please check input parameters.","Please check input parameters."
