Merge branch '1.9' into 1.10

* 1.9:
  Change application's version to v1.9.6-DEV
  Fix the security advisory PR
  Generate changelog for v1.9.5
  Change application's version to v1.9.5
  [API][Shop] Block access to order list by default
  [API][Shop] Hide order list details for guest users
This commit is contained in:
Kamil Kokot 2021-06-28 15:36:41 +01:00
commit 54b7872c28
No known key found for this signature in database
GPG key ID: 7BD76F7054D93C89
5 changed files with 91 additions and 8 deletions

View file

@ -1,5 +1,34 @@
# CHANGELOG FOR `1.9.X`
## v1.9.5 (2021-06-28)
#### TL;DR
**This is a security release!**
Fixes the follwing vulnerability:
- [List of order ids, number, items total and token value exposed for unauthorized uses via new API](https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v)
#### Details
- [#12596](https://github.com/Sylius/Sylius/issues/12596) Country api resource shouldn't have created/updated at ([@kayue](https://github.com/kayue))
- [#12618](https://github.com/Sylius/Sylius/issues/12618) [Docs] Fix cookbook for custom entity ([@Tomanhez](https://github.com/Tomanhez))
- [#12682](https://github.com/Sylius/Sylius/issues/12682) Use Symfony 5.2.* instead of ^5.2 for GitHub Actions ([@pamil](https://github.com/pamil))
- [#12686](https://github.com/Sylius/Sylius/issues/12686) [DOCS] Cookbook for customizing refund process ([@arti0090](https://github.com/arti0090))
- [#12687](https://github.com/Sylius/Sylius/issues/12687) Fix typo and imporve error message ([@dantleech](https://github.com/dantleech))
- [#12690](https://github.com/Sylius/Sylius/issues/12690) [Doctrine] Fix problem with explicitly defining entity managers ([@GSadee](https://github.com/GSadee))
- [#12698](https://github.com/Sylius/Sylius/issues/12698) Fix the build with Symfony 5.3 ([@pamil](https://github.com/pamil))
- [#12699](https://github.com/Sylius/Sylius/issues/12699) [Documentation] Update templates directory in Themes doc ([@CoderMaggie](https://github.com/CoderMaggie))
- [#12702](https://github.com/Sylius/Sylius/issues/12702) [Documentation] Fix Refund Process Cookbook ([@GSadee](https://github.com/GSadee))
- [#12706](https://github.com/Sylius/Sylius/issues/12706) [Documentation] Tweaks on the refunds process cookbook ([@CoderMaggie](https://github.com/CoderMaggie), [@GSadee](https://github.com/GSadee))
- [#12707](https://github.com/Sylius/Sylius/issues/12707) [Documentation] Fix links in the refunds process cookbook ([@GSadee](https://github.com/GSadee))
- [#12715](https://github.com/Sylius/Sylius/issues/12715) [Dql] Add parameter instead of hardcoding it in where statement ([@SirDomin](https://github.com/SirDomin))
- [#12720](https://github.com/Sylius/Sylius/issues/12720) [DQL] Change hardcoded enabled value to parameter in where statements ([@GSadee](https://github.com/GSadee))
- [#12726](https://github.com/Sylius/Sylius/issues/12726) [DQL] Change hardcoded tracked value to parameter in where statements ([@lchrusciel](https://github.com/lchrusciel))
- [#12731](https://github.com/Sylius/Sylius/issues/12731) Add cookbook with how to change tax address ([@arti0090](https://github.com/arti0090))
- [#12748](https://github.com/Sylius/Sylius/issues/12748) [Documentation][Refund] Add cookbook about refund customization with improvements ([@AdamKasp](https://github.com/AdamKasp), [@GSadee](https://github.com/GSadee))
## v1.9.4 (2021-05-27)
#### Details

View file

@ -9,17 +9,23 @@ Feature: Viewing orders on my account page
And the store has "Angel T-Shirt" and "Green Arrow" products
And the store ships everywhere for free
And the store allows paying with "Cash on Delivery"
And I am a logged in customer
And there is another customer "oliver@teamarrow.com" that placed an order "#00000999"
And the customer bought a single "Green Arrow"
And the customer "Oliver Queen" addressed it to "Seaside Fwy", "90802" "Los Angeles" in the "United States" with identical billing address
And the customer chose "Free" shipping method with "Cash on Delivery" payment
@ui @api
Scenario: Viewing orders
Given I am a logged in customer
And I placed an order "#00000666"
And I bought a single "Angel T-Shirt"
And I addressed it to "Lucifer Morningstar", "Seaside Fwy", "90802" "Los Angeles" in the "United States" with identical billing address
And I chose "Free" shipping method with "Cash on Delivery" payment
And there is another customer "oliver@teamarrow.com" that placed an order "#00000999"
And the customer bought a single "Green Arrow"
And the customer "Oliver Queen" addressed it to "Seaside Fwy", "90802" "Los Angeles" in the "United States" with identical billing address
@ui @api
Scenario: Viewing orders
When I browse my orders
Then I should see a single order in the list
And this order should have "#00000666" number
@api
Scenario: Viewing orders
When I browse my orders
Then I should be denied an access to order list

View file

@ -299,6 +299,14 @@ final class OrderContext implements Context
Assert::false($this->responseChecker->isShowSuccessful($this->client->getLastResponse()));
}
/**
* @Then I should be denied an access to order list
*/
public function iShouldDeniedAnAccessToOrderList(): void
{
Assert::true($this->responseChecker->hasAccessDenied($this->client->getLastResponse()));
}
/**
* @Then I should have :paymentMethod payment method on my order
*/

View file

@ -17,9 +17,11 @@ use ApiPlatform\Core\Bridge\Doctrine\Orm\Extension\ContextAwareQueryCollectionEx
use ApiPlatform\Core\Bridge\Doctrine\Orm\Util\QueryNameGeneratorInterface;
use Doctrine\ORM\QueryBuilder;
use Sylius\Bundle\ApiBundle\Context\UserContextInterface;
use Sylius\Component\Core\Model\AdminUserInterface;
use Sylius\Component\Core\Model\CustomerInterface;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Model\ShopUserInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
/** @experimental */
final class OrdersByLoggedInUserExtension implements ContextAwareQueryCollectionExtensionInterface
@ -50,6 +52,11 @@ final class OrdersByLoggedInUserExtension implements ContextAwareQueryCollection
;
$user = $this->userContext->getUser();
if ($user instanceof AdminUserInterface) {
return;
}
if ($user instanceof ShopUserInterface) {
/** @var CustomerInterface $customer */
$customer = $user->getCustomer();
@ -58,6 +65,10 @@ final class OrdersByLoggedInUserExtension implements ContextAwareQueryCollection
->andWhere(sprintf('%s.customer = :customer', $rootAlias))
->setParameter('customer', $customer)
;
return;
}
throw new AccessDeniedException();
}
}

View file

@ -17,11 +17,13 @@ use ApiPlatform\Core\Bridge\Doctrine\Orm\Util\QueryNameGeneratorInterface;
use Doctrine\ORM\QueryBuilder;
use PhpSpec\ObjectBehavior;
use Sylius\Bundle\ApiBundle\Context\UserContextInterface;
use Sylius\Component\Core\Model\AdminUserInterface;
use Sylius\Component\Core\Model\CustomerInterface;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\Model\ShopUserInterface;
use Sylius\Component\Resource\Model\ResourceInterface;
use Sylius\Component\User\Model\UserInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
class OrdersByLoggedInUserExtensionSpec extends ObjectBehavior
{
@ -43,7 +45,7 @@ class OrdersByLoggedInUserExtensionSpec extends ObjectBehavior
function it_filters_out_carts_for_all_users(
UserContextInterface $userContext,
UserInterface $user,
AdminUserInterface $user,
QueryBuilder $queryBuilder,
QueryNameGeneratorInterface $queryNameGenerator
): void {
@ -74,4 +76,31 @@ class OrdersByLoggedInUserExtensionSpec extends ObjectBehavior
$this->applyToCollection($queryBuilder, $queryNameGenerator, OrderInterface::class, 'get', []);
}
function it_throws_an_access_denied_exception_if_user_is_not_recognised(
UserContextInterface $userContext,
UserInterface $user,
QueryBuilder $queryBuilder,
QueryNameGeneratorInterface $queryNameGenerator
): void {
$userContext->getUser()->willReturn($user);
$queryBuilder->getRootAliases()->willReturn(['o']);
$queryBuilder->andWhere('o.state != :state')->shouldBeCalled()->willReturn($queryBuilder);
$queryBuilder->setParameter('state', OrderInterface::STATE_CART)->shouldBeCalled()->willReturn($queryBuilder);
$this
->shouldThrow(AccessDeniedException::class)
->during(
'applyToCollection',
[
$queryBuilder,
$queryNameGenerator,
OrderInterface::class,
'get',
[],
]
)
;
}
}