[API][Order] Fix orders extension to filter out carts for all users

This commit is contained in:
Grzegorz Sadowski 2021-04-26 12:19:32 +02:00
parent d0002910a2
commit 2987860b59
No known key found for this signature in database
GPG key ID: EF87FF4E6E3BD364
3 changed files with 11 additions and 18 deletions

View file

@ -16,6 +16,6 @@ Feature: Seeing customer's orders placed as guest
@ui @api
Scenario: Not being able to hijack another customer's orders
Given I registered with previously used "ned@stark.com" email and "lannistersAreDumb" password
And I log in as "ned@stark.com" with "lannistersAreDumb" password
When I log in as "ned@stark.com" with "lannistersAreDumb" password
And I browse my orders
Then I should see a single order in the list

View file

@ -17,7 +17,6 @@ use ApiPlatform\Core\Bridge\Doctrine\Orm\Extension\ContextAwareQueryCollectionEx
use ApiPlatform\Core\Bridge\Doctrine\Orm\Util\QueryNameGeneratorInterface;
use Doctrine\ORM\QueryBuilder;
use Sylius\Bundle\ApiBundle\Context\UserContextInterface;
use Sylius\Component\Core\Model\AdminUserInterface;
use Sylius\Component\Core\Model\CustomerInterface;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Model\ShopUserInterface;
@ -45,17 +44,12 @@ final class OrdersByLoggedInUserExtension implements ContextAwareQueryCollection
}
$rootAlias = $queryBuilder->getRootAliases()[0];
$queryBuilder
->andWhere(sprintf('%s.state != :state', $rootAlias))
->setParameter('state', OrderInterface::STATE_CART)
;
$user = $this->userContext->getUser();
if ($user instanceof AdminUserInterface && in_array('ROLE_API_ACCESS', $user->getRoles(), true)) {
$queryBuilder
->andWhere(sprintf('%s.state != :state', $rootAlias))
->setParameter('state', OrderInterface::STATE_CART)
;
return;
}
if ($user instanceof ShopUserInterface) {
/** @var CustomerInterface $customer */
$customer = $user->getCustomer();
@ -64,8 +58,6 @@ final class OrdersByLoggedInUserExtension implements ContextAwareQueryCollection
->andWhere(sprintf('%s.customer = :customer', $rootAlias))
->setParameter('customer', $customer)
;
return;
}
}
}

View file

@ -17,11 +17,11 @@ use ApiPlatform\Core\Bridge\Doctrine\Orm\Util\QueryNameGeneratorInterface;
use Doctrine\ORM\QueryBuilder;
use PhpSpec\ObjectBehavior;
use Sylius\Bundle\ApiBundle\Context\UserContextInterface;
use Sylius\Component\Core\Model\AdminUserInterface;
use Sylius\Component\Core\Model\CustomerInterface;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Model\ShopUserInterface;
use Sylius\Component\Resource\Model\ResourceInterface;
use Sylius\Component\User\Model\UserInterface;
class OrdersByLoggedInUserExtensionSpec extends ObjectBehavior
{
@ -41,14 +41,13 @@ class OrdersByLoggedInUserExtensionSpec extends ObjectBehavior
$this->applyToCollection($queryBuilder, $queryNameGenerator, ResourceInterface::class, 'get', []);
}
function it_filters_out_carts_if_current_user_is_an_admin_user(
function it_filters_out_carts_for_all_users(
UserContextInterface $userContext,
AdminUserInterface $user,
UserInterface $user,
QueryBuilder $queryBuilder,
QueryNameGeneratorInterface $queryNameGenerator
): void {
$userContext->getUser()->willReturn($user);
$user->getRoles()->willReturn(['ROLE_API_ACCESS']);
$queryBuilder->getRootAliases()->willReturn(['o']);
$queryBuilder->andWhere('o.state != :state')->shouldBeCalled()->willReturn($queryBuilder);
@ -68,7 +67,9 @@ class OrdersByLoggedInUserExtensionSpec extends ObjectBehavior
$user->getCustomer()->willReturn($customer);
$queryBuilder->getRootAliases()->willReturn(['o']);
$queryBuilder->andWhere('o.state != :state')->shouldBeCalled()->willReturn($queryBuilder);
$queryBuilder->andWhere('o.customer = :customer')->shouldBeCalled()->willReturn($queryBuilder);
$queryBuilder->setParameter('state', OrderInterface::STATE_CART)->shouldBeCalled()->willReturn($queryBuilder);
$queryBuilder->setParameter('customer', $customer)->shouldBeCalled()->willReturn($queryBuilder);
$this->applyToCollection($queryBuilder, $queryNameGenerator, OrderInterface::class, 'get', []);