mirror of
https://github.com/Sylius/Sylius.git
synced 2026-07-14 17:10:53 +00:00
Merge branch '1.9' into 1.10
* 1.9: Change application's version to v1.9.6-DEV Fix the security advisory PR Generate changelog for v1.9.5 Change application's version to v1.9.5 [API][Shop] Block access to order list by default [API][Shop] Hide order list details for guest users
This commit is contained in:
commit
54b7872c28
5 changed files with 91 additions and 8 deletions
|
|
@ -1,5 +1,34 @@
|
|||
# CHANGELOG FOR `1.9.X`
|
||||
|
||||
## v1.9.5 (2021-06-28)
|
||||
|
||||
#### TL;DR
|
||||
|
||||
**This is a security release!**
|
||||
|
||||
Fixes the follwing vulnerability:
|
||||
|
||||
- [List of order ids, number, items total and token value exposed for unauthorized uses via new API](https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v)
|
||||
|
||||
#### Details
|
||||
|
||||
- [#12596](https://github.com/Sylius/Sylius/issues/12596) Country api resource shouldn't have created/updated at ([@kayue](https://github.com/kayue))
|
||||
- [#12618](https://github.com/Sylius/Sylius/issues/12618) [Docs] Fix cookbook for custom entity ([@Tomanhez](https://github.com/Tomanhez))
|
||||
- [#12682](https://github.com/Sylius/Sylius/issues/12682) Use Symfony 5.2.* instead of ^5.2 for GitHub Actions ([@pamil](https://github.com/pamil))
|
||||
- [#12686](https://github.com/Sylius/Sylius/issues/12686) [DOCS] Cookbook for customizing refund process ([@arti0090](https://github.com/arti0090))
|
||||
- [#12687](https://github.com/Sylius/Sylius/issues/12687) Fix typo and imporve error message ([@dantleech](https://github.com/dantleech))
|
||||
- [#12690](https://github.com/Sylius/Sylius/issues/12690) [Doctrine] Fix problem with explicitly defining entity managers ([@GSadee](https://github.com/GSadee))
|
||||
- [#12698](https://github.com/Sylius/Sylius/issues/12698) Fix the build with Symfony 5.3 ([@pamil](https://github.com/pamil))
|
||||
- [#12699](https://github.com/Sylius/Sylius/issues/12699) [Documentation] Update templates directory in Themes doc ([@CoderMaggie](https://github.com/CoderMaggie))
|
||||
- [#12702](https://github.com/Sylius/Sylius/issues/12702) [Documentation] Fix Refund Process Cookbook ([@GSadee](https://github.com/GSadee))
|
||||
- [#12706](https://github.com/Sylius/Sylius/issues/12706) [Documentation] Tweaks on the refunds process cookbook ([@CoderMaggie](https://github.com/CoderMaggie), [@GSadee](https://github.com/GSadee))
|
||||
- [#12707](https://github.com/Sylius/Sylius/issues/12707) [Documentation] Fix links in the refunds process cookbook ([@GSadee](https://github.com/GSadee))
|
||||
- [#12715](https://github.com/Sylius/Sylius/issues/12715) [Dql] Add parameter instead of hardcoding it in where statement ([@SirDomin](https://github.com/SirDomin))
|
||||
- [#12720](https://github.com/Sylius/Sylius/issues/12720) [DQL] Change hardcoded enabled value to parameter in where statements ([@GSadee](https://github.com/GSadee))
|
||||
- [#12726](https://github.com/Sylius/Sylius/issues/12726) [DQL] Change hardcoded tracked value to parameter in where statements ([@lchrusciel](https://github.com/lchrusciel))
|
||||
- [#12731](https://github.com/Sylius/Sylius/issues/12731) Add cookbook with how to change tax address ([@arti0090](https://github.com/arti0090))
|
||||
- [#12748](https://github.com/Sylius/Sylius/issues/12748) [Documentation][Refund] Add cookbook about refund customization with improvements ([@AdamKasp](https://github.com/AdamKasp), [@GSadee](https://github.com/GSadee))
|
||||
|
||||
## v1.9.4 (2021-05-27)
|
||||
|
||||
#### Details
|
||||
|
|
|
|||
|
|
@ -9,17 +9,23 @@ Feature: Viewing orders on my account page
|
|||
And the store has "Angel T-Shirt" and "Green Arrow" products
|
||||
And the store ships everywhere for free
|
||||
And the store allows paying with "Cash on Delivery"
|
||||
And I am a logged in customer
|
||||
And there is another customer "oliver@teamarrow.com" that placed an order "#00000999"
|
||||
And the customer bought a single "Green Arrow"
|
||||
And the customer "Oliver Queen" addressed it to "Seaside Fwy", "90802" "Los Angeles" in the "United States" with identical billing address
|
||||
And the customer chose "Free" shipping method with "Cash on Delivery" payment
|
||||
|
||||
@ui @api
|
||||
Scenario: Viewing orders
|
||||
Given I am a logged in customer
|
||||
And I placed an order "#00000666"
|
||||
And I bought a single "Angel T-Shirt"
|
||||
And I addressed it to "Lucifer Morningstar", "Seaside Fwy", "90802" "Los Angeles" in the "United States" with identical billing address
|
||||
And I chose "Free" shipping method with "Cash on Delivery" payment
|
||||
And there is another customer "oliver@teamarrow.com" that placed an order "#00000999"
|
||||
And the customer bought a single "Green Arrow"
|
||||
And the customer "Oliver Queen" addressed it to "Seaside Fwy", "90802" "Los Angeles" in the "United States" with identical billing address
|
||||
|
||||
@ui @api
|
||||
Scenario: Viewing orders
|
||||
When I browse my orders
|
||||
Then I should see a single order in the list
|
||||
And this order should have "#00000666" number
|
||||
|
||||
@api
|
||||
Scenario: Viewing orders
|
||||
When I browse my orders
|
||||
Then I should be denied an access to order list
|
||||
|
|
|
|||
|
|
@ -299,6 +299,14 @@ final class OrderContext implements Context
|
|||
Assert::false($this->responseChecker->isShowSuccessful($this->client->getLastResponse()));
|
||||
}
|
||||
|
||||
/**
|
||||
* @Then I should be denied an access to order list
|
||||
*/
|
||||
public function iShouldDeniedAnAccessToOrderList(): void
|
||||
{
|
||||
Assert::true($this->responseChecker->hasAccessDenied($this->client->getLastResponse()));
|
||||
}
|
||||
|
||||
/**
|
||||
* @Then I should have :paymentMethod payment method on my order
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -17,9 +17,11 @@ use ApiPlatform\Core\Bridge\Doctrine\Orm\Extension\ContextAwareQueryCollectionEx
|
|||
use ApiPlatform\Core\Bridge\Doctrine\Orm\Util\QueryNameGeneratorInterface;
|
||||
use Doctrine\ORM\QueryBuilder;
|
||||
use Sylius\Bundle\ApiBundle\Context\UserContextInterface;
|
||||
use Sylius\Component\Core\Model\AdminUserInterface;
|
||||
use Sylius\Component\Core\Model\CustomerInterface;
|
||||
use Sylius\Component\Core\Model\OrderInterface;
|
||||
use Sylius\Component\Core\Model\ShopUserInterface;
|
||||
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
|
||||
|
||||
/** @experimental */
|
||||
final class OrdersByLoggedInUserExtension implements ContextAwareQueryCollectionExtensionInterface
|
||||
|
|
@ -50,6 +52,11 @@ final class OrdersByLoggedInUserExtension implements ContextAwareQueryCollection
|
|||
;
|
||||
|
||||
$user = $this->userContext->getUser();
|
||||
|
||||
if ($user instanceof AdminUserInterface) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ($user instanceof ShopUserInterface) {
|
||||
/** @var CustomerInterface $customer */
|
||||
$customer = $user->getCustomer();
|
||||
|
|
@ -58,6 +65,10 @@ final class OrdersByLoggedInUserExtension implements ContextAwareQueryCollection
|
|||
->andWhere(sprintf('%s.customer = :customer', $rootAlias))
|
||||
->setParameter('customer', $customer)
|
||||
;
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
throw new AccessDeniedException();
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,11 +17,13 @@ use ApiPlatform\Core\Bridge\Doctrine\Orm\Util\QueryNameGeneratorInterface;
|
|||
use Doctrine\ORM\QueryBuilder;
|
||||
use PhpSpec\ObjectBehavior;
|
||||
use Sylius\Bundle\ApiBundle\Context\UserContextInterface;
|
||||
use Sylius\Component\Core\Model\AdminUserInterface;
|
||||
use Sylius\Component\Core\Model\CustomerInterface;
|
||||
use Sylius\Component\Core\Model\OrderInterface;
|
||||
use Sylius\Component\Core\Model\ShopUserInterface;
|
||||
use Sylius\Component\Resource\Model\ResourceInterface;
|
||||
use Sylius\Component\User\Model\UserInterface;
|
||||
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
|
||||
|
||||
class OrdersByLoggedInUserExtensionSpec extends ObjectBehavior
|
||||
{
|
||||
|
|
@ -43,7 +45,7 @@ class OrdersByLoggedInUserExtensionSpec extends ObjectBehavior
|
|||
|
||||
function it_filters_out_carts_for_all_users(
|
||||
UserContextInterface $userContext,
|
||||
UserInterface $user,
|
||||
AdminUserInterface $user,
|
||||
QueryBuilder $queryBuilder,
|
||||
QueryNameGeneratorInterface $queryNameGenerator
|
||||
): void {
|
||||
|
|
@ -74,4 +76,31 @@ class OrdersByLoggedInUserExtensionSpec extends ObjectBehavior
|
|||
|
||||
$this->applyToCollection($queryBuilder, $queryNameGenerator, OrderInterface::class, 'get', []);
|
||||
}
|
||||
|
||||
function it_throws_an_access_denied_exception_if_user_is_not_recognised(
|
||||
UserContextInterface $userContext,
|
||||
UserInterface $user,
|
||||
QueryBuilder $queryBuilder,
|
||||
QueryNameGeneratorInterface $queryNameGenerator
|
||||
): void {
|
||||
$userContext->getUser()->willReturn($user);
|
||||
|
||||
$queryBuilder->getRootAliases()->willReturn(['o']);
|
||||
$queryBuilder->andWhere('o.state != :state')->shouldBeCalled()->willReturn($queryBuilder);
|
||||
$queryBuilder->setParameter('state', OrderInterface::STATE_CART)->shouldBeCalled()->willReturn($queryBuilder);
|
||||
|
||||
$this
|
||||
->shouldThrow(AccessDeniedException::class)
|
||||
->during(
|
||||
'applyToCollection',
|
||||
[
|
||||
$queryBuilder,
|
||||
$queryNameGenerator,
|
||||
OrderInterface::class,
|
||||
'get',
|
||||
[],
|
||||
]
|
||||
)
|
||||
;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue