ENGCOM-4295: Fix for getting shipping/billing address data of any other customer #376

 - Merge Pull Request magento/graphql-ce#376 from magento/graphql-ce:375-unauthorized-quote-address-fix
 - Merged commits:
   1. 5af7a1b
   2. 6170993
   3. 044985d
   4. 1c9fad2
   5. 9491c01
   6. 1301a42
   7. fa5613b
   8. dde488f

Author: magento-engcom-team

app/code/Magento/QuoteGraphQl/Model/Cart/GetCustomerAddress.php

@@ -0,0 +1,65 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\QuoteGraphQl\Model\Cart;
+
+use Magento\Customer\Api\AddressRepositoryInterface;
+use Magento\Customer\Api\Data\AddressInterface;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Exception\NoSuchEntityException;
+use Magento\Framework\GraphQl\Exception\GraphQlAuthorizationException;
+use Magento\Framework\GraphQl\Exception\GraphQlNoSuchEntityException;
+
+/**
+ * Get customer address. Throws exception if customer is not owner of address
+ */
+class GetCustomerAddress
+{
+    /**
+     * @var AddressRepositoryInterface
+     */
+    private $addressRepository;
+
+    /**
+     * @param AddressRepositoryInterface $addressRepository
+     */
+    public function __construct(AddressRepositoryInterface $addressRepository)
+    {
+        $this->addressRepository = $addressRepository;
+    }
+
+    /**
+     * Get customer address. Throws exception if customer is not owner of address
+     *
+     * @param int $addressId
+     * @param int $customerId
+     * @return AddressInterface
+     * @throws GraphQlAuthorizationException
+     * @throws GraphQlNoSuchEntityException
+     * @throws LocalizedException
+     */
+    public function execute(int $addressId, int $customerId): AddressInterface
+    {
+        try {
+            $customerAddress = $this->addressRepository->getById($addressId);
+        } catch (NoSuchEntityException $e) {
+            throw new GraphQlNoSuchEntityException(
+                __('Could not find a address with ID "%address_id"', ['address_id' => $addressId])
+            );
+        }
+
+        if ((int)$customerAddress->getCustomerId() !== $customerId) {
+            throw new GraphQlAuthorizationException(
+                __(
+                    'The current user cannot use address with ID "%address_id"',
+                    ['address_id' => $addressId]
+                )
+            );
+        }
+        return $customerAddress;
+    }
+}

app/code/Magento/QuoteGraphQl/Model/Cart/SetBillingAddressOnCart.php

@@ -7,7 +7,6 @@
 
 namespace Magento\QuoteGraphQl\Model\Cart;
 
-use Magento\Customer\Api\Data\AddressInterface;
 use Magento\CustomerGraphQl\Model\Customer\CheckCustomerAccount;
 use Magento\Framework\GraphQl\Exception\GraphQlInputException;
 use Magento\Framework\GraphQl\Query\Resolver\ContextInterface;
@@ -26,11 +25,6 @@ class SetBillingAddressOnCart
      */
     private $billingAddressManagement;
 
-    /**
-     * @var AddressRepositoryInterface
-     */
-    private $addressRepository;
-
     /**
      * @var Address
      */
@@ -41,26 +35,40 @@ class SetBillingAddressOnCart
      */
     private $checkCustomerAccount;
 
+    /**
+     * @var GetCustomerAddress
+     */
+    private $getCustomerAddress;
+
     /**
      * @param BillingAddressManagementInterface $billingAddressManagement
      * @param AddressRepositoryInterface $addressRepository
      * @param Address $addressModel
      * @param CheckCustomerAccount $checkCustomerAccount
+     * @param GetCustomerAddress $getCustomerAddress
      */
     public function __construct(
         BillingAddressManagementInterface $billingAddressManagement,
         AddressRepositoryInterface $addressRepository,
         Address $addressModel,
-        CheckCustomerAccount $checkCustomerAccount
+        CheckCustomerAccount $checkCustomerAccount,
+        GetCustomerAddress $getCustomerAddress
     ) {
         $this->billingAddressManagement = $billingAddressManagement;
         $this->addressRepository = $addressRepository;
         $this->addressModel = $addressModel;
         $this->checkCustomerAccount = $checkCustomerAccount;
+        $this->getCustomerAddress = $getCustomerAddress;
     }
 
     /**
-     * @inheritdoc
+     * Set billing address for a specified shopping cart
+     *
+     * @param ContextInterface $context
+     * @param CartInterface $cart
+     * @param array $billingAddress
+     * @return void
+     * @throws GraphQlInputException
      */
     public function execute(ContextInterface $context, CartInterface $cart, array $billingAddress): void
     {
@@ -88,9 +96,7 @@ public function execute(ContextInterface $context, CartInterface $cart, array $b
             $billingAddress = $this->addressModel->addData($addressInput);
         } else {
             $this->checkCustomerAccount->execute($context->getUserId(), $context->getUserType());
-
-            /** @var AddressInterface $customerAddress */
-            $customerAddress = $this->addressRepository->getById($customerAddressId);
+            $customerAddress = $this->getCustomerAddress->execute((int)$customerAddressId, (int)$context->getUserId());
             $billingAddress = $this->addressModel->importCustomerAddressData($customerAddress);
         }
 

app/code/Magento/QuoteGraphQl/Model/Cart/SetShippingAddressOnCart.php

@@ -7,14 +7,12 @@
 
 namespace Magento\QuoteGraphQl\Model\Cart;
 
-use Magento\Customer\Api\Data\AddressInterface;
 use Magento\CustomerGraphQl\Model\Customer\CheckCustomerAccount;
 use Magento\Framework\GraphQl\Exception\GraphQlInputException;
 use Magento\Framework\GraphQl\Query\Resolver\ContextInterface;
 use Magento\Quote\Api\Data\CartInterface;
 use Magento\Quote\Model\Quote\Address;
 use Magento\Quote\Model\ShippingAddressManagementInterface;
-use Magento\Customer\Api\AddressRepositoryInterface;
 
 /**
  * Set single shipping address for a specified shopping cart
@@ -26,11 +24,6 @@ class SetShippingAddressOnCart implements SetShippingAddressesOnCartInterface
      */
     private $shippingAddressManagement;
 
-    /**
-     * @var AddressRepositoryInterface
-     */
-    private $addressRepository;
-
     /**
      * @var Address
      */
@@ -41,26 +34,36 @@ class SetShippingAddressOnCart implements SetShippingAddressesOnCartInterface
      */
     private $checkCustomerAccount;
 
+    /**
+     * @var GetCustomerAddress
+     */
+    private $getCustomerAddress;
+
     /**
      * @param ShippingAddressManagementInterface $shippingAddressManagement
-     * @param AddressRepositoryInterface $addressRepository
      * @param Address $addressModel
      * @param CheckCustomerAccount $checkCustomerAccount
+     * @param GetCustomerAddress $getCustomerAddress
      */
     public function __construct(
         ShippingAddressManagementInterface $shippingAddressManagement,
-        AddressRepositoryInterface $addressRepository,
         Address $addressModel,
-        CheckCustomerAccount $checkCustomerAccount
+        CheckCustomerAccount $checkCustomerAccount,
+        GetCustomerAddress $getCustomerAddress
     ) {
         $this->shippingAddressManagement = $shippingAddressManagement;
-        $this->addressRepository = $addressRepository;
         $this->addressModel = $addressModel;
         $this->checkCustomerAccount = $checkCustomerAccount;
+        $this->getCustomerAddress = $getCustomerAddress;
     }
 
     /**
      * @inheritdoc
+     *
+     * @param ContextInterface $context
+     * @param CartInterface $cart
+     * @param array $shippingAddresses
+     * @throws GraphQlInputException
      */
     public function execute(ContextInterface $context, CartInterface $cart, array $shippingAddresses): void
     {
@@ -87,9 +90,7 @@ public function execute(ContextInterface $context, CartInterface $cart, array $s
             $shippingAddress = $this->addressModel->addData($addressInput);
         } else {
             $this->checkCustomerAccount->execute($context->getUserId(), $context->getUserType());
-
-            /** @var AddressInterface $customerAddress */
-            $customerAddress = $this->addressRepository->getById($customerAddressId);
+            $customerAddress = $this->getCustomerAddress->execute((int)$customerAddressId, (int)$context->getUserId());
             $shippingAddress = $this->addressModel->importCustomerAddressData($customerAddress);
         }
 

app/code/Magento/QuoteGraphQl/Model/Resolver/SetShippingAddressesOnCart.php

@@ -12,7 +12,6 @@
 use Magento\Framework\GraphQl\Query\ResolverInterface;
 use Magento\Framework\GraphQl\Schema\Type\ResolveInfo;
 use Magento\Framework\Stdlib\ArrayManager;
-use Magento\Quote\Model\MaskedQuoteIdToQuoteIdInterface;
 use Magento\Quote\Model\ShippingAddressManagementInterface;
 use Magento\QuoteGraphQl\Model\Cart\GetCartForUser;
 use Magento\QuoteGraphQl\Model\Cart\SetShippingAddressesOnCartInterface;
@@ -24,11 +23,6 @@
  */
 class SetShippingAddressesOnCart implements ResolverInterface
 {
-    /**
-     * @var MaskedQuoteIdToQuoteIdInterface
-     */
-    private $maskedQuoteIdToQuoteId;
-
     /**
      * @var ShippingAddressManagementInterface
      */
@@ -50,20 +44,17 @@ class SetShippingAddressesOnCart implements ResolverInterface
     private $setShippingAddressesOnCart;
 
     /**
-     * @param MaskedQuoteIdToQuoteIdInterface $maskedQuoteIdToQuoteId
      * @param ShippingAddressManagementInterface $shippingAddressManagement
      * @param GetCartForUser $getCartForUser
      * @param ArrayManager $arrayManager
      * @param SetShippingAddressesOnCartInterface $setShippingAddressesOnCart
      */
     public function __construct(
-        MaskedQuoteIdToQuoteIdInterface $maskedQuoteIdToQuoteId,
         ShippingAddressManagementInterface $shippingAddressManagement,
         GetCartForUser $getCartForUser,
         ArrayManager $arrayManager,
         SetShippingAddressesOnCartInterface $setShippingAddressesOnCart
     ) {
-        $this->maskedQuoteIdToQuoteId = $maskedQuoteIdToQuoteId;
         $this->shippingAddressManagement = $shippingAddressManagement;
         $this->getCartForUser = $getCartForUser;
         $this->arrayManager = $arrayManager;
@@ -76,16 +67,16 @@ public function __construct(
     public function resolve(Field $field, $context, ResolveInfo $info, array $value = null, array $args = null)
     {
         $shippingAddresses = $this->arrayManager->get('input/shipping_addresses', $args);
-        $maskedCartId = $this->arrayManager->get('input/cart_id', $args);
+        $maskedCartId = (string) $this->arrayManager->get('input/cart_id', $args);
 
         if (!$maskedCartId) {
             throw new GraphQlInputException(__('Required parameter "cart_id" is missing'));
         }
+
         if (!$shippingAddresses) {
             throw new GraphQlInputException(__('Required parameter "shipping_addresses" is missing'));
         }
 
-        $maskedCartId = $args['input']['cart_id'];
         $cart = $this->getCartForUser->execute($maskedCartId, $context->getUserId());
 
         $this->setShippingAddressesOnCart->execute($context, $cart, $shippingAddresses);

app/code/Magento/QuoteGraphQl/etc/schema.graphqls

@@ -65,8 +65,8 @@ input SetShippingMethodsOnCartInput {
 
 input ShippingMethodForAddressInput {
     cart_address_id: Int!
-    shipping_carrier_code: String!
-    shipping_method_code: String!
+    carrier_code: String!
+    method_code: String!
 }
 
 type SetBillingAddressOnCartOutput {
@@ -117,7 +117,7 @@ type CartAddress {
     country: CartAddressCountry
     telephone: String
     address_type: AdressTypeEnum
-    selected_shipping_method: ShippingMethod
+    selected_shipping_method: SelectedShippingMethod
     available_shipping_methods: [AvailableShippingMethod] @resolver(class: "\\Magento\\QuoteGraphQl\\Model\\Resolver\\ShippingAdress\\AvailableShippingMethods")
     items_weight: Float
     customer_notes: String
@@ -139,15 +139,8 @@ type CartAddressCountry {
     label: String
 }
 
-type ShippingMethod {
-    code: String
-    label: String
-    free_shipping: Boolean!
-    error_message: String
+type SelectedShippingMethod {
     amount: Float!
-    base_amount: Float!
-    amount_incl_tax: Float!
-    base_amount_incl_tax: Float!
 }
 
 type AvailableShippingMethod {