#26089: Customer Sharing Options not respected in REST API.

p-bystritsky · p-bystritsky · commit ddee80419bf1 · 2020-05-13T18:59:20.000+03:00
diff --git a/app/code/Magento/Customer/Model/Plugin/CustomerAuthorization.php b/app/code/Magento/Customer/Model/Plugin/CustomerAuthorization.php
@@ -7,7 +7,9 @@
 namespace Magento\Customer\Model\Plugin;
 
 use Magento\Authorization\Model\UserContextInterface;
+use Magento\Customer\Model\CustomerFactory;
 use Magento\Integration\Api\AuthorizationServiceInterface as AuthorizationService;
+use Magento\Store\Model\StoreManagerInterface;
 
 /**
  * Plugin around \Magento\Framework\Authorization::isAllowed
@@ -19,16 +21,33 @@ class CustomerAuthorization
     /**
      * @var UserContextInterface
      */
-    protected $userContext;
+    private $userContext;
+
+    /**
+     * @var StoreManagerInterface
+     */
+    private $storeManager;
+
+    /**
+     * @var CustomerFactory
+     */
+    private $customerFactory;
 
     /**
      * Inject dependencies.
      *
      * @param UserContextInterface $userContext
+     * @param CustomerFactory $customerFactory
+     * @param StoreManagerInterface $storeManager
      */
-    public function __construct(UserContextInterface $userContext)
-    {
+    public function __construct(
+        UserContextInterface $userContext,
+        CustomerFactory $customerFactory,
+        StoreManagerInterface $storeManager
+    ) {
         $this->userContext = $userContext;
+        $this->customerFactory = $customerFactory;
+        $this->storeManager = $storeManager;
     }
 
     /**
@@ -53,9 +72,14 @@ public function aroundIsAllowed(
             && $this->userContext->getUserId()
             && $this->userContext->getUserType() === UserContextInterface::USER_TYPE_CUSTOMER
         ) {
-            return true;
-        } else {
-            return $proceed($resource, $privilege);
+            $customer = $this->customerFactory->create()->load($this->userContext->getUserId());
+            $currentStoreId = $this->storeManager->getStore()->getId();
+            $sharedStoreIds = $customer->getSharedStoreIds();
+            if (in_array($currentStoreId, $sharedStoreIds)) {
+                return true;
+            }
         }
+
+        return $proceed($resource, $privilege);
     }
 }
diff --git a/dev/tests/api-functional/testsuite/Magento/Customer/Api/CustomerSharingOptionsTest.php b/dev/tests/api-functional/testsuite/Magento/Customer/Api/CustomerSharingOptionsTest.php
@@ -0,0 +1,211 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Customer\Api;
+
+use Magento\Customer\Api\Data\CustomerInterface;
+use Magento\Customer\Model\CustomerRegistry;
+use Magento\Framework\Registry;
+use Magento\Framework\Webapi\Rest\Request;
+use Magento\Integration\Api\CustomerTokenServiceInterface;
+use Magento\Integration\Model\Oauth\Token as TokenModel;
+use Magento\TestFramework\Helper\Bootstrap;
+use Magento\TestFramework\Helper\Customer as CustomerHelper;
+use Magento\TestFramework\TestCase\WebapiAbstract;
+
+/**
+ * @magentoApiDataFixture Magento/Customer/_files/customer.php
+ * @magentoApiDataFixture Magento/Store/_files/second_website_with_two_stores.php
+ */
+class CustomerSharingOptionsTest extends WebapiAbstract
+{
+    const RESOURCE_PATH = '/V1/customers/me';
+    const REPO_SERVICE = 'customerCustomerRepositoryV1';
+    const SERVICE_VERSION = 'V1';
+
+    /**
+     * @var CustomerRepositoryInterface
+     */
+    private $customerRepository;
+
+    /**
+     * @var CustomerRegistry
+     */
+    private $customerRegistry;
+
+    /**
+     * @var CustomerHelper
+     */
+    private $customerHelper;
+
+    /**
+     * @var TokenModel
+     */
+    private $token;
+
+    /**
+     * @var CustomerInterface
+     */
+    private $customerData;
+
+    /**
+     * @var CustomerTokenServiceInterface
+     */
+    private $tokenService;
+
+    /**
+     * Execute per test initialization.
+     */
+    public function setUp()
+    {
+        $this->customerRegistry = Bootstrap::getObjectManager()->get(
+            \Magento\Customer\Model\CustomerRegistry::class
+        );
+
+        $this->customerRepository = Bootstrap::getObjectManager()->get(
+            CustomerRepositoryInterface::class,
+            ['customerRegistry' => $this->customerRegistry]
+        );
+
+        $this->customerHelper = new CustomerHelper();
+        $this->customerData = $this->customerHelper->createSampleCustomer();
+        $this->tokenService = Bootstrap::getObjectManager()->get(CustomerTokenServiceInterface::class);
+
+        // get token
+        $this->resetTokenForCustomerSampleData();
+    }
+
+    /**
+     * Ensure that fixture customer and his addresses are deleted.
+     */
+    public function tearDown()
+    {
+        $this->customerRepository = null;
+
+        /** @var Registry $registry */
+        $registry = Bootstrap::getObjectManager()->get(Registry::class);
+        $registry->unregister('isSecureArea');
+        $registry->register('isSecureArea', true);
+
+        $registry->unregister('isSecureArea');
+        $registry->register('isSecureArea', false);
+        parent::tearDown();
+    }
+
+    /**
+     * @param string $storeCode
+     * @param bool $expectingException
+     * @dataProvider getCustomerDataWebsiteScopeDataProvider
+     *
+     * @magentoConfigFixture customer/account_share/scope 1
+     */
+    public function testGetCustomerDataWebsiteScope(string $storeCode, bool $expectingException)
+    {
+        $this->processGetCustomerData($storeCode, $expectingException);
+    }
+
+    /**
+     * @param string $storeCode
+     * @param bool $expectingException
+     * @dataProvider getCustomerDataGlobalScopeDataProvider
+     *
+     * @magentoConfigFixture customer/account_share/scope 0
+     */
+    public function testGetCustomerDataGlobalScope(string $storeCode, bool $expectingException)
+    {
+        $this->processGetCustomerData($storeCode, $expectingException);
+    }
+
+    /**
+     * @param string $storeCode
+     * @param bool $expectingException
+     */
+    private function processGetCustomerData(string $storeCode, bool $expectingException)
+    {
+        $serviceInfo = [
+            'rest' => [
+                'resourcePath' => self::RESOURCE_PATH,
+                'httpMethod' => Request::HTTP_METHOD_GET,
+                'token' => $this->token,
+            ],
+            'soap' => [
+                'service' => self::REPO_SERVICE,
+                'serviceVersion' => self::SERVICE_VERSION,
+                'operation' => self::REPO_SERVICE . 'GetSelf',
+                'token' => $this->token
+            ]
+        ];
+        $arguments = [];
+        if (TESTS_WEB_API_ADAPTER === 'soap') {
+            $arguments['customerId'] = 0;
+        }
+        if ($expectingException) {
+            $this->expectException(\Exception::class);
+            $this->expectExceptionMessage("The consumer isn't authorized to access %resources.");
+        }
+
+        $this->_webApiCall($serviceInfo, $arguments, null, $storeCode);
+    }
+
+    /**
+     * Data provider for testGetCustomerDataWebsiteScope.
+     *
+     * @return array
+     */
+    public function getCustomerDataWebsiteScopeDataProvider(): array
+    {
+        return [
+            'Default Store View' => [
+                'store_code' => 'default',
+                'exception' => false
+            ],
+            'Custom Store View' => [
+                'store_code' => 'fixture_second_store',
+                'exception' => true
+            ]
+        ];
+    }
+
+    /**
+     * Data provider for testGetCustomerDataGlobalScope.
+     *
+     * @return array
+     */
+    public function getCustomerDataGlobalScopeDataProvider(): array
+    {
+        return [
+            'Default Store View' => [
+                'store_code' => 'default',
+                'exception' => false
+            ],
+            'Custom Store View' => [
+                'store_code' => 'fixture_second_store',
+                'exception' => false
+            ]
+        ];
+    }
+
+    /**
+     * Sets the test's access token for the created customer sample data
+     */
+    private function resetTokenForCustomerSampleData()
+    {
+        $this->resetTokenForCustomer($this->customerData[CustomerInterface::EMAIL], 'test@123');
+    }
+
+    /**
+     * Sets the test's access token for a particular username and password.
+     *
+     * @param string $username
+     * @param string $password
+     */
+    private function resetTokenForCustomer($username, $password)
+    {
+        $this->token = $this->tokenService->createCustomerAccessToken($username, $password);
+        $this->customerRegistry->remove($this->customerRepository->get($username)->getId());
+    }
+}
