Merge pull request #8161 from magento-cia/cia-2.4.7-beta1-develop-bugfixes-02162023

cia-2.4.7-beta1-develop-bugfixes-02162023

Author: pawan-adobe-security

Diff for: app/code/Magento/Catalog/view/adminhtml/web/js/category-tree.js

@@ -5,10 +5,9 @@
 
 define([
     'jquery',
-    'mageUtils',
     'jquery/ui',
     'jquery/jstree/jquery.jstree'
-], function ($, utils) {
+], function ($) {
     'use strict';
 
     $.widget('mage.categoryTree', {
@@ -87,7 +86,7 @@ define([
             // jscs:disable requireCamelCaseOrUpperCaseIdentifiers
             result = {
                 id: node.id,
-                text: utils.unescape(node.name) + ' (' + node.product_count + ')',
+                text: node.name + ' (' + node.product_count + ')',
                 li_attr: {
                     class: node.cls + (!!node.disabled ? ' disabled' : '') //eslint-disable-line no-extra-boolean-cast
                 },

Diff for: app/code/Magento/Checkout/etc/adminhtml/system.xml

@@ -13,6 +13,11 @@
             <resource>Magento_Checkout::checkout</resource>
             <group id="options" translate="label" type="text" sortOrder="1" showInDefault="1" showInWebsite="1" showInStore="1">
                 <label>Checkout Options</label>
+                <field id="enable_guest_checkout_login" translate="label" type="select" sortOrder="4" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">
+                    <label>Enable Guest Checkout Login</label>
+                    <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
+                    <comment>Enabling this setting will allow unauthenticated users to query if an e-mail address is already associated with a customer account. This can be used to enhance the checkout workflow for guests that do not realize they already have an account but comes at the cost of exposing information to unauthenticated users.</comment>
+                </field>
                 <field id="onepage_checkout_enabled" translate="label" type="select" sortOrder="5" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">
                     <label>Enable Onepage Checkout</label>
                     <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
@@ -23,7 +28,7 @@
                 </field>
                 <field id="display_billing_address_on" translate="label" type="select" sortOrder="20" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">
                     <label>Display Billing Address On</label>
-                    <source_model>\Magento\Checkout\Model\Adminhtml\BillingAddressDisplayOptions</source_model>
+                    <source_model>Magento\Checkout\Model\Adminhtml\BillingAddressDisplayOptions</source_model>
                 </field>
                 <field id="max_items_display_count" translate="label" type="text" sortOrder="30" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">
                     <label>Maximum Number of Items to Display in Order Summary</label>

Diff for: app/code/Magento/Checkout/etc/config.xml

@@ -9,6 +9,7 @@
     <default>
         <checkout>
             <options>
+                <enable_guest_checkout_login>0</enable_guest_checkout_login>
                 <onepage_checkout_enabled>1</onepage_checkout_enabled>
                 <guest_checkout>1</guest_checkout>
                 <display_billing_address_on>0</display_billing_address_on>

Diff for: app/code/Magento/Customer/Api/AccountManagementInterface.php

@@ -8,6 +8,7 @@
 namespace Magento\Customer\Api;
 
 use Magento\Framework\Exception\InputException;
+use Magento\Framework\Exception\LocalizedException;
 
 /**
  * Interface for managing customers accounts.
@@ -194,7 +195,7 @@ public function resendConfirmation($email, $websiteId, $redirectUrl = '');
      * Check if given email is associated with a customer account in given website.
      *
      * @param string $customerEmail
-     * @param int $websiteId If not set, will use the current websiteId
+     * @param int|null $websiteId If not set, will use the current websiteId
      * @return bool
      * @throws \Magento\Framework\Exception\LocalizedException
      */

Diff for: app/code/Magento/Customer/Model/AccountManagement.php

@@ -20,6 +20,7 @@
 use Magento\Customer\Model\Customer as CustomerModel;
 use Magento\Customer\Model\Customer\CredentialsValidator;
 use Magento\Customer\Model\ForgotPasswordToken\GetCustomerByToken;
+use Magento\Customer\Model\Logger as CustomerLogger;
 use Magento\Customer\Model\Metadata\Validator;
 use Magento\Customer\Model\ResourceModel\Visitor\CollectionFactory;
 use Magento\Directory\Model\AllowedCountries;
@@ -57,7 +58,6 @@
 use Magento\Store\Model\ScopeInterface;
 use Magento\Store\Model\StoreManagerInterface;
 use Psr\Log\LoggerInterface as PsrLogger;
-use Magento\Customer\Model\Logger as CustomerLogger;
 
 /**
  * Handle various customer account actions
@@ -69,6 +69,11 @@
  */
 class AccountManagement implements AccountManagementInterface
 {
+    /**
+     * System Configuration Path for Enable/Disable Login at Guest Checkout
+     */
+    public const GUEST_CHECKOUT_LOGIN_OPTION_SYS_CONFIG = 'checkout/options/enable_guest_checkout_login';
+
     /**
      * Configuration paths for create account email template
      *
@@ -719,7 +724,7 @@ private function handleUnknownTemplate($template)
         throw new InputException(
             __(
                 'Invalid value of "%value" provided for the %fieldName field. '
-                    . 'Possible values: %template1 or %template2.',
+                . 'Possible values: %template1 or %template2.',
                 [
                     'value' => $template,
                     'fieldName' => 'template',
@@ -1125,7 +1130,7 @@ public function validate(CustomerInterface $customer)
         $result = $this->eavValidator->isValid($customerModel);
         if ($result === false && is_array($this->eavValidator->getMessages())) {
             return $validationResults->setIsValid(false)->setMessages(
-                // phpcs:ignore Magento2.Functions.DiscouragedFunction
+            // phpcs:ignore Magento2.Functions.DiscouragedFunction
                 call_user_func_array(
                     'array_merge',
                     array_values($this->eavValidator->getMessages())
@@ -1137,9 +1142,24 @@ public function validate(CustomerInterface $customer)
 
     /**
      * @inheritdoc
+     *
+     * @param string $customerEmail
+     * @param int|null $websiteId
+     * @return bool
+     * @throws LocalizedException
      */
     public function isEmailAvailable($customerEmail, $websiteId = null)
     {
+        $guestLoginConfig = $this->scopeConfig->getValue(
+            self::GUEST_CHECKOUT_LOGIN_OPTION_SYS_CONFIG,
+            ScopeInterface::SCOPE_WEBSITE,
+            $websiteId
+        );
+
+        if (!$guestLoginConfig) {
+            return true;
+        }
+
         try {
             if ($websiteId === null) {
                 $websiteId = $this->storeManager->getStore()->getWebsiteId();

Diff for: app/code/Magento/QuoteGraphQl/Model/Resolver/RemoveItemFromCart.php

@@ -86,6 +86,8 @@ public function resolve(Field $field, $context, ResolveInfo $info, array $value
         $itemId = $processedArgs['input']['cart_item_id'];
 
         $storeId = (int)$context->getExtensionAttributes()->getStore()->getId();
+        /** Check if the current user is allowed to perform actions with the cart */
+        $cart = $this->getCartForUser->execute($maskedCartId, $context->getUserId(), $storeId);
 
         try {
             $this->cartItemRepository->deleteById($cartId, $itemId);
@@ -95,7 +97,6 @@ public function resolve(Field $field, $context, ResolveInfo $info, array $value
             throw new GraphQlInputException(__($e->getMessage()), $e);
         }
 
-        $cart = $this->getCartForUser->execute($maskedCartId, $context->getUserId(), $storeId);
         return [
             'cart' => [
                 'model' => $cart,

Diff for: dev/tests/api-functional/testsuite/Magento/Customer/Api/AccountManagementTest.php

@@ -8,10 +8,13 @@
 
 use Magento\Customer\Api\Data\CustomerInterface as Customer;
 use Magento\Customer\Model\AccountManagement;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Exception\InputException;
 use Magento\Framework\Webapi\Exception as HTTPExceptionCodes;
 use Magento\Newsletter\Model\Subscriber;
 use Magento\Security\Model\Config;
+use Magento\Store\Model\ScopeInterface;
 use Magento\TestFramework\Helper\Bootstrap;
 use Magento\TestFramework\Helper\Customer as CustomerHelper;
 use Magento\TestFramework\TestCase\WebapiAbstract;
@@ -23,15 +26,20 @@
  */
 class AccountManagementTest extends WebapiAbstract
 {
-    const SERVICE_VERSION = 'V1';
-    const SERVICE_NAME = 'customerAccountManagementV1';
-    const RESOURCE_PATH = '/V1/customers';
+    public const SERVICE_VERSION = 'V1';
+    public const SERVICE_NAME = 'customerAccountManagementV1';
+    public const RESOURCE_PATH = '/V1/customers';
 
     /**
      * Sample values for testing
      */
-    const ATTRIBUTE_CODE = 'attribute_code';
-    const ATTRIBUTE_VALUE = 'attribute_value';
+    public const ATTRIBUTE_CODE = 'attribute_code';
+    public const ATTRIBUTE_VALUE = 'attribute_value';
+
+    /**
+     * @var ObjectManager
+     */
+    private $objectManager;
 
     /**
      * @var AccountManagementInterface
@@ -86,6 +94,8 @@ class AccountManagementTest extends WebapiAbstract
      */
     protected function setUp(): void
     {
+        $this->objectManager = Bootstrap::getObjectManager();
+
         $this->accountManagement = Bootstrap::getObjectManager()->get(
             \Magento\Customer\Api\AccountManagementInterface::class
         );
@@ -645,6 +655,7 @@ public function testIsReadonly()
 
     public function testEmailAvailable()
     {
+        $config = $this->objectManager->get(ScopeConfigInterface::class);
         $customerData = $this->_createCustomer();
 
         $serviceInfo = [
@@ -662,7 +673,18 @@ public function testEmailAvailable()
             'customerEmail' => $customerData[Customer::EMAIL],
             'websiteId' => $customerData[Customer::WEBSITE_ID],
         ];
-        $this->assertFalse($this->_webApiCall($serviceInfo, $requestData));
+
+        $emailSetting = $config->getValue(
+            AccountManagement::GUEST_CHECKOUT_LOGIN_OPTION_SYS_CONFIG,
+            ScopeInterface::SCOPE_WEBSITE,
+            $customerData[Customer::WEBSITE_ID]
+        );
+
+        if (!$emailSetting) {
+            $this->assertTrue($this->_webApiCall($serviceInfo, $requestData));
+        } else {
+            $this->assertFalse($this->_webApiCall($serviceInfo, $requestData));
+        }
     }
 
     public function testEmailAvailableInvalidEmail()

Diff for: dev/tests/api-functional/testsuite/Magento/GraphQl/Customer/IsEmailAvailableTest.php

@@ -7,13 +7,37 @@
 
 namespace Magento\GraphQl\Customer;
 
+use Magento\Customer\Model\AccountManagement;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Store\Api\StoreResolverInterface;
+use Magento\Store\Model\ScopeInterface;
+use Magento\TestFramework\Helper\Bootstrap;
 use Magento\TestFramework\TestCase\GraphQlAbstract;
 
 /**
  * Test email availability functionality
  */
 class IsEmailAvailableTest extends GraphQlAbstract
 {
+    /**
+     * @var ScopeConfigInterface
+     */
+    private ScopeConfigInterface $scopeConfig;
+
+    /**
+     * @var string
+     */
+    private string $storeId;
+
+    public function setUp(): void
+    {
+        $objectManager = Bootstrap::getObjectManager();
+        $this->scopeConfig = $objectManager->get(ScopeConfigInterface::class);
+        /* @var StoreResolverInterface $storeResolver */
+        $storeResolver = $objectManager->get(StoreResolverInterface::class);
+        $this->storeId = $storeResolver->getCurrentStoreId();
+    }
+
     /**
      * @magentoApiDataFixture Magento/Customer/_files/customer.php
      */
@@ -31,7 +55,16 @@ public function testEmailNotAvailable()
 
         self::assertArrayHasKey('isEmailAvailable', $response);
         self::assertArrayHasKey('is_email_available', $response['isEmailAvailable']);
-        self::assertFalse($response['isEmailAvailable']['is_email_available']);
+        $emailConfig = $this->scopeConfig->getValue(
+            AccountManagement::GUEST_CHECKOUT_LOGIN_OPTION_SYS_CONFIG,
+            ScopeInterface::SCOPE_STORE,
+            $this->storeId
+        );
+        if (!$emailConfig) {
+            self::assertTrue($response['isEmailAvailable']['is_email_available']);
+        } else {
+            self::assertFalse($response['isEmailAvailable']['is_email_available']);
+        }
     }
 
     /**

Diff for: dev/tests/api-functional/testsuite/Magento/GraphQl/Newsletter/Customer/SubscribeEmailToNewsletterTest.php

@@ -8,11 +8,14 @@
 namespace Magento\GraphQl\Newsletter\Customer;
 
 use Exception;
+use Magento\Customer\Model\AccountManagement;
 use Magento\Customer\Model\CustomerAuthUpdate;
 use Magento\Customer\Model\CustomerRegistry;
+use Magento\Framework\App\Config\ScopeConfigInterface;
 use Magento\Framework\Exception\AuthenticationException;
 use Magento\Integration\Api\CustomerTokenServiceInterface;
 use Magento\Newsletter\Model\ResourceModel\Subscriber as SubscriberResourceModel;
+use Magento\Store\Model\ScopeInterface;
 use Magento\TestFramework\Helper\Bootstrap;
 use Magento\TestFramework\TestCase\GraphQlAbstract;
 
@@ -40,13 +43,18 @@ class SubscribeEmailToNewsletterTest extends GraphQlAbstract
      * @var SubscriberResourceModel
      */
     private $subscriberResource;
+    /**
+     * @var ScopeConfigInterface
+     */
+    private $scopeConfig;
 
     /**
      * @inheritDoc
      */
     protected function setUp(): void
     {
         $objectManager = Bootstrap::getObjectManager();
+        $this->scopeConfig = $objectManager->get(ScopeConfigInterface::class);
         $this->customerAuthUpdate = Bootstrap::getObjectManager()->get(CustomerAuthUpdate::class);
         $this->customerRegistry = Bootstrap::getObjectManager()->get(CustomerRegistry::class);
         $this->customerTokenService = $objectManager->get(CustomerTokenServiceInterface::class);
@@ -146,10 +154,17 @@ public function testNewsletterSubscriptionWithAnotherCustomerEmail()
     {
         $query = $this->getQuery('[email protected]');
 
-        $this->expectException(Exception::class);
-        $this->expectExceptionMessage('Cannot create a newsletter subscription.' . "\n");
-
-        $this->graphQlMutation($query, [], '', $this->getHeaderMap('[email protected]'));
+        $guestLoginConfig = $this->scopeConfig->getValue(
+            AccountManagement::GUEST_CHECKOUT_LOGIN_OPTION_SYS_CONFIG,
+            ScopeInterface::SCOPE_WEBSITE,
+            1
+        );
+
+        if ($guestLoginConfig) {
+            $this->expectException(Exception::class);
+            $this->expectExceptionMessage('Cannot create a newsletter subscription.' . "\n");
+            $this->graphQlMutation($query, [], '', $this->getHeaderMap('[email protected]'));
+        }
     }
 
     /**