Merge pull request #250 from BitBagCommerce/feature/op-185-restrict-w…

…ishlist-access-for-logged-users

OP-185/Restrict wishlist access for logged users

features/restricting_access_to_other_user_wishlist.feature

@@ -0,0 +1,22 @@
+@wishlist
+Feature: Restricting access to other's user wishlist
+  In order to restrict access to other users wishlists
+  As a System
+  I want to be able to restrict access to other users wishlists
+
+  Background:
+    Given the store operates on a single channel in "United States"
+    And there is a customer account "[email protected]"
+    And there is a customer account "[email protected]"
+    And user "[email protected]" has a wishlist named "Wishlist1" with token "123456token"
+    And user "[email protected]" has a wishlist named "Wishlist2" with token "123456token"
+
+  @ui
+  Scenario: Restricting access to other users wishlist
+    When I go to "/"
+    And I log in as "[email protected]"
+    And I go to "/wishlists"
+    Then I should have 1 wishlists
+    When I try to access "[email protected]" wishlist "Wishlist2"
+    Then I should still be on wishlist index page
+

src/Controller/Action/ShowChosenWishlistAction.php

@@ -51,11 +51,22 @@ public function __invoke(string $wishlistId, Request $request): Response
         $wishlist = $this->wishlistRepository->find((int) $wishlistId);
         $wishlistCookieToken = $this->wishlistCookieTokenResolver->resolve();
 
+        if (null === $wishlist) {
+            return new RedirectResponse($this->urlGenerator->generate('bitbag_sylius_wishlist_plugin_shop_locale_wishlist_list_wishlists'));
+        }
+
         $user = $this->tokenUserResolver->resolve($token);
 
-        if ($wishlist instanceof WishlistInterface && $user instanceof ShopUserInterface ||
-        $wishlist instanceof WishlistInterface && $wishlist->getToken() === $wishlistCookieToken &&
-            null === $wishlist->getShopUser()) {
+        /** @var ?ShopUserInterface $wishlistUser */
+        $wishlistUser = $wishlist->getShopUser();
+
+        if ($user !== $wishlistUser) {
+            return new RedirectResponse($this->urlGenerator->generate('bitbag_sylius_wishlist_plugin_shop_locale_wishlist_list_wishlists'));
+        }
+
+        if ($user instanceof ShopUserInterface ||
+            $wishlist->getToken() === $wishlistCookieToken && null === $wishlistUser
+        ) {
             $form = $this->createForm($wishlist);
 
             return new Response(

tests/Behat/Context/Ui/WishlistContext.php

@@ -15,6 +15,7 @@
 use Behat\MinkExtension\Context\RawMinkContext;
 use BitBag\SyliusWishlistPlugin\Entity\Wishlist;
 use BitBag\SyliusWishlistPlugin\Entity\WishlistInterface;
+use BitBag\SyliusWishlistPlugin\Exception\WishlistNotFoundException;
 use BitBag\SyliusWishlistPlugin\Repository\WishlistRepositoryInterface;
 use Sylius\Behat\NotificationType;
 use Sylius\Behat\Service\NotificationCheckerInterface;
@@ -23,13 +24,16 @@
 use Sylius\Component\Channel\Repository\ChannelRepositoryInterface;
 use Sylius\Component\Core\Model\ProductInterface;
 use Sylius\Component\Core\Model\ProductVariantInterface;
+use Sylius\Component\Core\Model\ShopUserInterface;
 use Sylius\Component\Core\Repository\ProductRepositoryInterface;
 use Sylius\Component\Product\Resolver\ProductVariantResolverInterface;
+use Sylius\Component\Resource\Repository\RepositoryInterface;
 use Symfony\Component\Routing\Exception\ResourceNotFoundException;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Routing\RouterInterface;
 use Tests\BitBag\SyliusWishlistPlugin\Behat\Page\Shop\ProductIndexPageInterface;
 use Tests\BitBag\SyliusWishlistPlugin\Behat\Page\Shop\ProductShowPageInterface;
+use Tests\BitBag\SyliusWishlistPlugin\Behat\Page\Shop\Wishlist\IndexPageInterface;
 use Tests\BitBag\SyliusWishlistPlugin\Behat\Page\Shop\WishlistPageInterface;
 use Tests\BitBag\SyliusWishlistPlugin\Behat\Service\LoginerInterface;
 use Tests\BitBag\SyliusWishlistPlugin\Behat\Service\WishlistCreatorInterface;
@@ -52,6 +56,8 @@ public function __construct(
         private SharedStorageInterface $sharedStorage,
         private CookieSetterInterface $cookieSetter,
         private ChannelRepositoryInterface $channelRepository,
+        private RepositoryInterface $shopUserRepository,
+        private IndexPageInterface $wishlistIndexPage,
     ) {
     }
 
@@ -322,6 +328,36 @@ public function iOpenChosenWishlist(string $wishlistName): void
         $this->wishlistPage->showChosenWishlist($wishlistName);
     }
 
+    /**
+     * @Then I try to access :email wishlist :wishlistName
+     */
+    public function iTryToAccessCustomerWishlist(string $email, string $wishlistName): void
+    {
+        /** @var ?ShopUserInterface $shopUser */
+        $shopUser = $this->shopUserRepository->findOneBy(['username' => $email]);
+
+        if (null === $shopUser) {
+            throw new ResourceNotFoundException();
+        }
+
+        /** @var ?WishlistInterface $wishlist */
+        $wishlist = $this->wishlistRepository->findOneByShopUserAndName($shopUser, $wishlistName);
+
+        if (null === $wishlist) {
+            throw new WishlistNotFoundException();
+        }
+
+        $this->visitPath('/wishlists/' . $wishlist->getId());
+    }
+
+    /**
+     * @Then I should still be on wishlist index page
+     */
+    public function iShouldStillBeOnWishlistIndexPage(): void
+    {
+        $this->wishlistIndexPage->verify();
+    }
+
     /**
      * @When I remove selected products from wishlist
      */

tests/Behat/Page/Shop/Wishlist/IndexPage.php

@@ -0,0 +1,22 @@
+<?php
+
+/*
+ * This file has been created by developers from BitBag.
+ * Feel free to contact us once you face any issues or want to start
+ * You can find more information about us on https://bitbag.io and write us
+ * an email on [email protected].
+ */
+
+declare(strict_types=1);
+
+namespace Tests\BitBag\SyliusWishlistPlugin\Behat\Page\Shop\Wishlist;
+
+use FriendsOfBehat\PageObjectExtension\Page\SymfonyPage;
+
+final class IndexPage extends SymfonyPage implements IndexPageInterface
+{
+    public function getRouteName(): string
+    {
+        return 'bitbag_sylius_wishlist_plugin_shop_locale_wishlist_list_wishlists';
+    }
+}

tests/Behat/Page/Shop/Wishlist/IndexPageInterface.php

@@ -0,0 +1,18 @@
+<?php
+
+/*
+ * This file has been created by developers from BitBag.
+ * Feel free to contact us once you face any issues or want to start
+ * You can find more information about us on https://bitbag.io and write us
+ * an email on [email protected].
+ */
+
+declare(strict_types=1);
+
+namespace Tests\BitBag\SyliusWishlistPlugin\Behat\Page\Shop\Wishlist;
+
+use FriendsOfBehat\PageObjectExtension\Page\SymfonyPageInterface;
+
+interface IndexPageInterface extends SymfonyPageInterface
+{
+}

tests/Behat/Resources/services.yml

@@ -33,12 +33,19 @@ services:
             - "@sylius.behat.shared_storage"
             - "@sylius.behat.cookie_setter"
             - "@sylius.repository.channel"
+            - "@sylius.repository.shop_user"
+            - "@bitbag_wishlist_plugin.behat.page.wishlist.index_page"
 
     bitbag_sylius_cms_plugin.behat.page.shop.wishlist:
         class: Tests\BitBag\SyliusWishlistPlugin\Behat\Page\Shop\WishlistPage
         parent: sylius.behat.symfony_page
         public: false
 
+    bitbag_wishlist_plugin.behat.page.wishlist.index_page:
+        class: Tests\BitBag\SyliusWishlistPlugin\Behat\Page\Shop\Wishlist\IndexPage
+        parent: sylius.behat.symfony_page
+        public: false
+
     bitbag_sylius_cms_plugin.behat.page.shop.product_index:
         class: Tests\BitBag\SyliusWishlistPlugin\Behat\Page\Shop\ProductIndexPage
         parent: sylius.behat.page.shop.product.index