GraphQL: updateCartItems mutation doesn't validate min/max qty #40400

@IgorZhovnirThepixel

Description

Preconditions and environment

  • Magento version 2.4.8-p3 - fresh installation with sample data
  • Product X is created with Qty 100, Maximum Qty Allowed in Shopping Cart = 5, Minimum Qty Allowed in Shopping Cart = 2
  • Product X is added to the cart, cart ID, and cart item ID are known

Steps to reproduce

  1. Send the following graphQL request to the /graphql endpoint:
mutation updateCartItems($cartId: String!, $items: [CartItemUpdateInput!]!) {
  updateCartItems(input: { cart_id: $cartId, cart_items: $items }) {
    cart {
      ...cartQuery
    }
  }
}
fragment cartQuery on Cart {
  id
  shipping_addresses {
    available_shipping_methods {
      amount {
        currency
        value
      }
      available
      carrier_code
      carrier_title
      error_message
      method_code
      method_title
      price_excl_tax {
        value
        currency
      }
      price_incl_tax {
        value
        currency
      }
    }
    selected_shipping_method {
      amount {
        value
        currency
      }
      carrier_code
      carrier_title
      method_code
      method_title
    }
  }
  items {
    prices {
      price_including_tax {
        currency
        value
      }
      row_total {
        currency
        value
      }
      row_total_including_tax {
        currency
        value
      }
      price {
        currency
        value
      }
      total_item_discount {
        value
      }
    }
    product {
      name
      sku
      url_key
      thumbnail {
        url
      }
      price {
        regularPrice {
          amount {
            currency
            value
          }
        }
      }
    }
    ... on ConfigurableCartItem {
      configurable_options {
        option_label
        value_label
      }
      configured_variant {
        thumbnail {
          url
        }
        price_range {
          maximum_price {
            regular_price {
              value
              currency
            }
          }
        }
      }
    }
    quantity
    uid
  }
  prices {
    subtotal_including_tax {
      currency
      value
    }
    grand_total {
      currency
      value
    }
    discount {
      amount {
        currency
        value
      }
    }
  }
  total_quantity
  applied_coupons {
    code
  }
}

with variables like

{
  "cartId": "KeXWTfWeaf4bBgZsdNYeyaYIyQ8Z7FUa",
  "items": [
    {
      "cart_item_uid": "MTU=",
      "quantity": 123
    }
  ]
}

(Replace the cart ID and cart item ID with your values.) Send the query several times, setting quantity successively to 1, 15 and 5000.

Expected result

  1. Qty 1 returns an error message as it is below Minimum Qty Allowed in Shopping Cart
  2. Qty 15 returns an error message as it exceeds Maximum Qty Allowed in Shopping Cart
  3. Qty 5000 returns an error message as it exceeds Salable Qty.

Actual result

No errors are returned in any of the cases. data.updateCartItems.cart.total_quantity reflects the quantity sent in the request, not the real quantity in the cart (for example, when there is only one cart item in the cart and it is updated to a quantity of 5000, data.updateCartItems.cart.total_quantity equals 5000, though in fact no more than 100 can be added).

Additional information

This was working before the upgrade to 2.4.8.
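A regression check for the behaviour described above, added here as an example and not part of the original report or of Magento: send_update() posts a trimmed form of the reporter's mutation with urllib (the endpoint, optional bearer token and cart identifiers are assumed inputs), and evaluate() flags a response that accepted an out-of-range quantity without an error, or that reports a total_quantity above the salable stock. The sample responses used to exercise it are constructed, not captured from a store.

```python
import json
import urllib.request

# Trimmed form of the reporter's mutation (assumption: these fields are
# enough for the check; the fragment in the report requests many more).
MUTATION = """
mutation updateCartItems($cartId: String!, $items: [CartItemUpdateInput!]!) {
  updateCartItems(input: { cart_id: $cartId, cart_items: $items }) {
    cart { id total_quantity items { uid quantity } }
  }
}
"""


def send_update(endpoint, cart_id, item_uid, quantity, token=None):
    """POST the mutation to the store's /graphql endpoint and return the
    decoded JSON. `token` is an optional customer bearer token (customer carts)."""
    payload = {"query": MUTATION,
               "variables": {"cartId": cart_id,
                             "items": [{"cart_item_uid": item_uid,
                                        "quantity": quantity}]}}
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(endpoint, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def evaluate(response, item_uid, requested, min_qty, max_qty, salable_qty):
    """Compare one response against the product limits and return findings.
    An empty list means the server behaved as expected: an error for an
    out-of-range quantity, or a cart that reflects an in-range one."""
    cap = min(max_qty, salable_qty)          # largest quantity that may be held
    in_range = min_qty <= requested <= cap
    findings = []
    if not in_range and not response.get("errors"):
        findings.append(f"qty {requested} outside [{min_qty}, {cap}] "
                        "was accepted without an error")
    cart = ((response.get("data") or {}).get("updateCartItems") or {}).get("cart")
    if not cart:
        return findings
    item_qty = {i["uid"]: i["quantity"] for i in cart.get("items", [])}.get(item_uid)
    if item_qty is not None and not min_qty <= item_qty <= cap:
        findings.append(f"cart item {item_uid} holds out-of-range qty {item_qty}")
    # The report's symptom: total_quantity echoes the request, not the real cart.
    if cart.get("total_quantity", 0) > salable_qty:
        findings.append(f"total_quantity {cart['total_quantity']} exceeds "
                        f"salable qty {salable_qty}")
    return findings
```

Run evaluate() on the response of each send_update() call for quantities 1, 15 and 5000; on a fixed build every call should yield an empty list.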

Release note

No response

Triage and priority

  • Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.
