Merge pull request #5808 from magento-tsg/2.3.6-develop-pr138

[TSG] Fixes for 2.3 (pr138) (2.3.6-develop)

app/code/Magento/Cms/etc/webapi.xml

@@ -23,19 +23,19 @@
     <route url="/V1/cmsPage" method="POST">
         <service class="Magento\Cms\Api\PageRepositoryInterface" method="save"/>
         <resources>
-            <resource ref="Magento_Cms::page"/>
+            <resource ref="Magento_Cms::save"/>
         </resources>
     </route>
     <route url="/V1/cmsPage/:id" method="PUT">
         <service class="Magento\Cms\Api\PageRepositoryInterface" method="save"/>
         <resources>
-            <resource ref="Magento_Cms::page"/>
+            <resource ref="Magento_Cms::save"/>
         </resources>
     </route>
     <route url="/V1/cmsPage/:pageId" method="DELETE">
         <service class="Magento\Cms\Api\PageRepositoryInterface" method="deleteById"/>
         <resources>
-            <resource ref="Magento_Cms::page"/>
+            <resource ref="Magento_Cms::page_delete"/>
         </resources>
     </route>
     <!-- Cms Block -->

app/code/Magento/Customer/etc/webapi.xml

@@ -228,7 +228,7 @@
     <route url="/V1/customers/:customerId" method="DELETE">
         <service class="Magento\Customer\Api\CustomerRepositoryInterface" method="deleteById"/>
         <resources>
-            <resource ref="Magento_Customer::manage"/>
+            <resource ref="Magento_Customer::delete"/>
         </resources>
     </route>
     <route url="/V1/customers/isEmailAvailable" method="POST">

app/code/Magento/Paypal/Test/Mftf/Test/StorefrontPaypalSmartButtonInCheckoutPageTest.xml

@@ -17,6 +17,9 @@
             <severity value="CRITICAL"/>
             <testCaseId value="MC-13690"/>
             <group value="paypal"/>
+            <skip>
+                <issueId value="MC-35083"/>
+            </skip>
         </annotations>
         <before>
 

dev/tests/api-functional/testsuite/Magento/Cms/Api/PageRepositoryTest.php

@@ -421,7 +421,7 @@ public function testSaveDesign(): void
         /** @var Rules $rules */
         $rules = $this->rulesFactory->create();
         $rules->setRoleId($role->getId());
-        $rules->setResources(['Magento_Cms::page']);
+        $rules->setResources(['Magento_Cms::save']);
         $rules->saveRel();
         //Using the admin user with custom role.
         $token = $this->adminTokens->createAdminAccessToken(
@@ -471,7 +471,7 @@ public function testSaveDesign(): void
         /** @var Rules $rules */
         $rules = Bootstrap::getObjectManager()->create(Rules::class);
         $rules->setRoleId($role->getId());
-        $rules->setResources(['Magento_Cms::page', 'Magento_Cms::save_design']);
+        $rules->setResources(['Magento_Cms::save', 'Magento_Cms::save_design']);
         $rules->saveRel();
         //Making the same request with design settings.
         $result = $this->_webApiCall($serviceInfo, $requestData);
@@ -486,7 +486,7 @@ public function testSaveDesign(): void
         /** @var Rules $rules */
         $rules = Bootstrap::getObjectManager()->create(Rules::class);
         $rules->setRoleId($role->getId());
-        $rules->setResources(['Magento_Cms::page']);
+        $rules->setResources(['Magento_Cms::save']);
         $rules->saveRel();
         //Updating the page but with the same design properties values.
         $result = $this->_webApiCall($serviceInfo, $requestData);

dev/tests/api-functional/testsuite/Magento/Customer/Api/CustomerRepositoryTest.php

@@ -8,11 +8,23 @@
 
 use Magento\Customer\Api\Data\CustomerInterface as Customer;
 use Magento\Customer\Api\Data\AddressInterface as Address;
+use Magento\Customer\Api\Data\CustomerInterfaceFactory;
+use Magento\Customer\Model\CustomerRegistry;
+use Magento\Framework\Api\DataObjectHelper;
+use Magento\Framework\Api\FilterBuilder;
+use Magento\Framework\Api\Search\FilterGroupBuilder;
+use Magento\Framework\Api\SearchCriteriaBuilder;
+use Magento\Framework\Api\SearchCriteriaInterface;
 use Magento\Framework\Api\SortOrder;
+use Magento\Framework\Api\SortOrderBuilder;
 use Magento\Framework\Exception\InputException;
 use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Reflection\DataObjectProcessor;
 use Magento\Framework\Webapi\Rest\Request;
 use Magento\Integration\Api\CustomerTokenServiceInterface;
+use Magento\Integration\Api\IntegrationServiceInterface;
+use Magento\Integration\Api\OauthServiceInterface;
+use Magento\Integration\Model\Integration;
 use Magento\TestFramework\Helper\Bootstrap;
 use Magento\TestFramework\Helper\Customer as CustomerHelper;
 use Magento\TestFramework\TestCase\WebapiAbstract;
@@ -92,34 +104,20 @@ class CustomerRepositoryTest extends WebapiAbstract
      */
     public function setUp()
     {
-        $this->customerRegistry = Bootstrap::getObjectManager()->get(
-            \Magento\Customer\Model\CustomerRegistry::class
-        );
+        $this->customerRegistry = Bootstrap::getObjectManager()->get(CustomerRegistry::class);
 
         $this->customerRepository = Bootstrap::getObjectManager()->get(
             \Magento\Customer\Api\CustomerRepositoryInterface::class,
             ['customerRegistry' => $this->customerRegistry]
         );
-        $this->dataObjectHelper = Bootstrap::getObjectManager()->create(
-            \Magento\Framework\Api\DataObjectHelper::class
-        );
-        $this->customerDataFactory = Bootstrap::getObjectManager()->create(
-            \Magento\Customer\Api\Data\CustomerInterfaceFactory::class
-        );
-        $this->searchCriteriaBuilder = Bootstrap::getObjectManager()->create(
-            \Magento\Framework\Api\SearchCriteriaBuilder::class
-        );
-        $this->sortOrderBuilder = Bootstrap::getObjectManager()->create(
-            \Magento\Framework\Api\SortOrderBuilder::class
-        );
-        $this->filterGroupBuilder = Bootstrap::getObjectManager()->create(
-            \Magento\Framework\Api\Search\FilterGroupBuilder::class
-        );
+        $this->dataObjectHelper = Bootstrap::getObjectManager()->create(DataObjectHelper::class);
+        $this->customerDataFactory = Bootstrap::getObjectManager()->create(CustomerInterfaceFactory::class);
+        $this->searchCriteriaBuilder = Bootstrap::getObjectManager()->create(SearchCriteriaBuilder::class);
+        $this->sortOrderBuilder = Bootstrap::getObjectManager()->create(SortOrderBuilder::class);
+        $this->filterGroupBuilder = Bootstrap::getObjectManager()->create(FilterGroupBuilder::class);
         $this->customerHelper = new CustomerHelper();
 
-        $this->dataObjectProcessor = Bootstrap::getObjectManager()->create(
-            \Magento\Framework\Reflection\DataObjectProcessor::class
-        );
+        $this->dataObjectProcessor = Bootstrap::getObjectManager()->create(DataObjectProcessor::class);
     }
 
     public function tearDown()
@@ -149,10 +147,10 @@ public function tearDown()
     /**
      * Validate update by invalid customer.
      *
-     * @expectedException \Exception
      */
     public function testInvalidCustomerUpdate()
     {
+        $this->expectException(\Exception::class);
         //Create first customer and retrieve customer token.
         $firstCustomerData = $this->_createCustomer();
 
@@ -198,6 +196,31 @@ public function testInvalidCustomerUpdate()
         $this->_webApiCall($serviceInfo, $requestData);
     }
 
+    /**
+     * Create Integration and return token.
+     *
+     * @param string $name
+     * @param array $resource
+     * @return string
+     */
+    private function createIntegrationToken(string $name, array $resource): string
+    {
+        /** @var IntegrationServiceInterface $integrationService */
+        $integrationService = Bootstrap::getObjectManager()->get(IntegrationServiceInterface::class);
+        $oauthService = Bootstrap::getObjectManager()->get(OauthServiceInterface::class);
+        /** @var Integration $integration */
+        $integration = $integrationService->create(
+            [
+                'name' => $name,
+                'resource' => $resource,
+            ]
+        );
+        /** @var OauthServiceInterface $oauthService */
+        $oauthService->createAccessToken($integration->getConsumerId());
+
+        return $integrationService->get($integration->getId())->getToken();
+    }
+
     public function testDeleteCustomer()
     {
         $customerData = $this->_createCustomer();
@@ -228,6 +251,51 @@ public function testDeleteCustomer()
         $this->_getCustomerData($customerData[Customer::ID]);
     }
 
+    /**
+     * Check that non authorized consumer can`t delete customer.
+     *
+     * @return void
+     */
+    public function testDeleteCustomerNonAuthorized(): void
+    {
+        $resource = [
+            'Magento_Customer::customer',
+            'Magento_Customer::manage',
+        ];
+        $token = $this->createIntegrationToken('TestAPI' . bin2hex(random_bytes(5)), $resource);
+
+        $customerData = $this->_createCustomer();
+        $this->currentCustomerId = [];
+
+        $serviceInfo = [
+            'rest' => [
+                'resourcePath' => self::RESOURCE_PATH . '/' . $customerData[Customer::ID],
+                'httpMethod' => Request::HTTP_METHOD_DELETE,
+                'token' => $token,
+            ],
+            'soap' => [
+                'service' => self::SERVICE_NAME,
+                'serviceVersion' => self::SERVICE_VERSION,
+                'operation' => self::SERVICE_NAME . 'DeleteById',
+                'token' => $token,
+            ],
+        ];
+        try {
+            $this->_webApiCall($serviceInfo, ['customerId' => $customerData['id']]);
+            $this->fail("Expected exception is not thrown.");
+        } catch (\SoapFault $e) {
+        } catch (\Exception $e) {
+            $expectedMessage = 'The consumer isn\'t authorized to access %resources.';
+            $errorObj = $this->processRestExceptionResult($e);
+            $this->assertEquals($expectedMessage, $errorObj['message']);
+            $this->assertEquals(['resources' => 'Magento_Customer::delete'], $errorObj['parameters']);
+            $this->assertEquals(HTTPExceptionCodes::HTTP_UNAUTHORIZED, $e->getCode());
+        }
+        /** @var Customer $data */
+        $data = $this->_getCustomerData($customerData[Customer::ID]);
+        $this->assertNotNull($data->getId());
+    }
+
     public function testDeleteCustomerInvalidCustomerId()
     {
         $invalidId = -1;
@@ -485,7 +553,7 @@ public function testCreateCustomerWithoutAddressRequiresException()
      */
     public function testSearchCustomers()
     {
-        $builder = Bootstrap::getObjectManager()->create(\Magento\Framework\Api\FilterBuilder::class);
+        $builder = Bootstrap::getObjectManager()->create(FilterBuilder::class);
         $customerData = $this->_createCustomer();
         $filter = $builder
             ->setField(Customer::EMAIL)
@@ -494,7 +562,7 @@ public function testSearchCustomers()
         $this->searchCriteriaBuilder->addFilters([$filter]);
         $searchData = $this->dataObjectProcessor->buildOutputDataArray(
             $this->searchCriteriaBuilder->create(),
-            \Magento\Framework\Api\SearchCriteriaInterface::class
+            SearchCriteriaInterface::class
         );
         $requestData = ['searchCriteria' => $searchData];
         $serviceInfo = [
@@ -519,7 +587,7 @@ public function testSearchCustomers()
     public function testSearchCustomersUsingGET()
     {
         $this->_markTestAsRestOnly('SOAP test is covered in testSearchCustomers');
-        $builder = Bootstrap::getObjectManager()->create(\Magento\Framework\Api\FilterBuilder::class);
+        $builder = Bootstrap::getObjectManager()->create(FilterBuilder::class);
         $customerData = $this->_createCustomer();
         $filter = $builder
             ->setField(Customer::EMAIL)
@@ -573,7 +641,7 @@ public function testSearchCustomersUsingGETEmptyFilter()
      */
     public function testSearchCustomersMultipleFiltersWithSort()
     {
-        $builder = Bootstrap::getObjectManager()->create(\Magento\Framework\Api\FilterBuilder::class);
+        $builder = Bootstrap::getObjectManager()->create(FilterBuilder::class);
         $customerData1 = $this->_createCustomer();
         $customerData2 = $this->_createCustomer();
         $filter1 = $builder->setField(Customer::EMAIL)
@@ -590,7 +658,7 @@ public function testSearchCustomersMultipleFiltersWithSort()
 
         /**@var \Magento\Framework\Api\SortOrderBuilder $sortOrderBuilder */
         $sortOrderBuilder = Bootstrap::getObjectManager()->create(
-            \Magento\Framework\Api\SortOrderBuilder::class
+            SortOrderBuilder::class
         );
         /** @var SortOrder $sortOrder */
         $sortOrder = $sortOrderBuilder->setField(Customer::EMAIL)->setDirection(SortOrder::SORT_ASC)->create();
@@ -622,7 +690,7 @@ public function testSearchCustomersMultipleFiltersWithSort()
     public function testSearchCustomersMultipleFiltersWithSortUsingGET()
     {
         $this->_markTestAsRestOnly('SOAP test is covered in testSearchCustomers');
-        $builder = Bootstrap::getObjectManager()->create(\Magento\Framework\Api\FilterBuilder::class);
+        $builder = Bootstrap::getObjectManager()->create(FilterBuilder::class);
         $customerData1 = $this->_createCustomer();
         $customerData2 = $this->_createCustomer();
         $filter1 = $builder->setField(Customer::EMAIL)
@@ -658,7 +726,7 @@ public function testSearchCustomersMultipleFiltersWithSortUsingGET()
      */
     public function testSearchCustomersNonExistentMultipleFilters()
     {
-        $builder = Bootstrap::getObjectManager()->create(\Magento\Framework\Api\FilterBuilder::class);
+        $builder = Bootstrap::getObjectManager()->create(FilterBuilder::class);
         $customerData1 = $this->_createCustomer();
         $customerData2 = $this->_createCustomer();
         $filter1 = $filter1 = $builder->setField(Customer::EMAIL)
@@ -696,7 +764,7 @@ public function testSearchCustomersNonExistentMultipleFilters()
     public function testSearchCustomersNonExistentMultipleFiltersGET()
     {
         $this->_markTestAsRestOnly('SOAP test is covered in testSearchCustomers');
-        $builder = Bootstrap::getObjectManager()->create(\Magento\Framework\Api\FilterBuilder::class);
+        $builder = Bootstrap::getObjectManager()->create(FilterBuilder::class);
         $customerData1 = $this->_createCustomer();
         $customerData2 = $this->_createCustomer();
         $filter1 = $filter1 = $builder->setField(Customer::EMAIL)
@@ -732,7 +800,7 @@ public function testSearchCustomersMultipleFilterGroups()
         $customerData1 = $this->_createCustomer();
 
         /** @var \Magento\Framework\Api\FilterBuilder $builder */
-        $builder = Bootstrap::getObjectManager()->create(\Magento\Framework\Api\FilterBuilder::class);
+        $builder = Bootstrap::getObjectManager()->create(FilterBuilder::class);
         $filter1 = $builder->setField(Customer::EMAIL)
             ->setValue($customerData1[Customer::EMAIL])
             ->create();

lib/internal/Magento/Framework/Archive/Zip.php

@@ -53,8 +53,9 @@ public function unpack($source, $destination)
     {
         $zip = new \ZipArchive();
         if ($zip->open($source) === true) {
-            $zip->renameIndex(0, basename($destination));
-            $filename = $zip->getNameIndex(0) ?: '';
+            $baseName = basename($destination);
+            $filename = $this->getFilenameFromZip($zip, $baseName);
+
             if ($filename) {
                 $zip->extractTo(dirname($destination), $filename);
             } else {
@@ -67,4 +68,25 @@ public function unpack($source, $destination)
 
         return $destination;
     }
+
+    /**
+     * Retrieve filename for import from zip archive.
+     *
+     * @param \ZipArchive $zip
+     * @param string $baseName
+     *
+     * @return string
+     */
+    private function getFilenameFromZip(\ZipArchive $zip, string $baseName): string
+    {
+        $index = 0;
+
+        do {
+            $zip->renameIndex($index, $baseName);
+            $filename = $zip->getNameIndex($index);
+            $index++;
+        } while ($baseName !== $filename && $filename !== false);
+
+        return $filename === $baseName ? $filename : '';
+    }
 }