From 89123c9b452daa5b7b7db760265289032921d84f Mon Sep 17 00:00:00 2001
From: Marek Rzytki
Date: Wed, 8 May 2024 11:15:12 +0200
Subject: [PATCH 1/3] Restrict wishlist access for logged users
---
 .../Action/ShowChosenWishlistAction.php | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/Controller/Action/ShowChosenWishlistAction.php b/src/Controller/Action/ShowChosenWishlistAction.php
index 13bf28dd..1f6d600f 100644
--- a/src/Controller/Action/ShowChosenWishlistAction.php
+++ b/src/Controller/Action/ShowChosenWishlistAction.php
@@ -57,7 +57,7 @@ public function __construct(
 WishlistCookieTokenResolverInterface $wishlistCookieTokenResolver,
 TokenStorageInterface $tokenStorage,
 TokenUserResolverInterface $tokenUserResolver,
- ) {
+ ) {
 $this->wishlistRepository = $wishlistRepository;
 $this->cartContext = $cartContext;
 $this->formFactory = $formFactory;
@@ -74,15 +74,23 @@ public function __invoke(string $wishlistId, Request $request): Response
 $token = $this->tokenStorage->getToken();
 /** @var WishlistInterface $wishlist */
- $wishlist = $this->wishlistRepository->find((int)$wishlistId);
+ $wishlist = $this->wishlistRepository->find((int) $wishlistId);
 $wishlistCookieToken = $this->wishlistCookieTokenResolver->resolve();
 $user = $this->tokenUserResolver->resolve($token);
+ /** @var ?ShopUserInterface $wishlistUser */
+ $wishlistUser = $wishlist->getShopUser();
+
+ if (null !== $wishlistUser && $user !== $wishlistUser) {
+ return new RedirectResponse($this->urlGenerator->generate('bitbag_sylius_wishlist_plugin_shop_locale_wishlist_list_wishlists'));
+ }
+
 if ($wishlist instanceof WishlistInterface && $user instanceof ShopUserInterface
 || $wishlist instanceof WishlistInterface && $wishlist->getToken() === $wishlistCookieToken
- && $wishlist->getShopUser() === null) {
+ && null === $wishlistUser) {
 $form = $this->createForm($wishlist);
+
 return new Response(
 $this->twigEnvironment->render('@BitBagSyliusWishlistPlugin/WishlistDetails/index.html.twig', [
 'wishlist' => $wishlist,
@@ -91,7 +99,7 @@ public function __invoke(string $wishlistId, Request $request): Response
 );
 }
- return new RedirectResponse($this->urlGenerator->generate("bitbag_sylius_wishlist_plugin_shop_locale_wishlist_list_wishlists"));
+ return new RedirectResponse($this->urlGenerator->generate('bitbag_sylius_wishlist_plugin_shop_locale_wishlist_list_wishlists'));
 }
 private function createForm(WishlistInterface $wishlist): FormInterface
From c1a720cd79855f14da8fb3ba9ab935ba0f0c4370 Mon Sep 17 00:00:00 2001
From: Marek Rzytki
Date: Tue, 21 May 2024 10:31:16 +0200
Subject: [PATCH 2/3] FIx ecs and php stan
---
 src/Controller/Action/ShowChosenWishlistAction.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
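Review bot: The added `$wishlistUser = $wishlist->getShopUser();` dereferences the result of `find()` before the `instanceof WishlistInterface` guard that follows it, so an unknown id (or a non-numeric one, cast to `0`) now throws an `Error` on null instead of redirecting, and the `/** @var WishlistInterface $wishlist */` annotation above hides that case from static analysis. The follow-up commit on this page adds a null redirect ahead of the dereference, but the annotation should also become `/** @var ?WishlistInterface $wishlist */` so the nullable path stays visible to PHPStan. With this guard alone an ownerless wishlist is still shown to any authenticated shop user through the `$user instanceof ShopUserInterface` branch regardless of the cookie token; the later `$user !== $wishlistUser` check in the next commit is what closes that. `__invoke` starts before the hunk.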
diff --git a/src/Controller/Action/ShowChosenWishlistAction.php b/src/Controller/Action/ShowChosenWishlistAction.php
index 151ee2eb..3f9288f5 100644
--- a/src/Controller/Action/ShowChosenWishlistAction.php
+++ b/src/Controller/Action/ShowChosenWishlistAction.php
@@ -51,18 +51,22 @@ public function __invoke(string $wishlistId, Request $request): Response
 $wishlist = $this->wishlistRepository->find((int) $wishlistId);
 $wishlistCookieToken = $this->wishlistCookieTokenResolver->resolve();
+ if (null === $wishlist) {
+ return new RedirectResponse($this->urlGenerator->generate('bitbag_sylius_wishlist_plugin_shop_locale_wishlist_list_wishlists'));
+ }
+
 $user = $this->tokenUserResolver->resolve($token);
 /** @var ?ShopUserInterface $wishlistUser */
 $wishlistUser = $wishlist->getShopUser();
- if (null !== $wishlistUser && $user !== $wishlistUser) {
+ if ($user !== $wishlistUser) {
 return new RedirectResponse($this->urlGenerator->generate('bitbag_sylius_wishlist_plugin_shop_locale_wishlist_list_wishlists'));
 }
- if ($wishlist instanceof WishlistInterface && $user instanceof ShopUserInterface
- || $wishlist instanceof WishlistInterface && $wishlist->getToken() === $wishlistCookieToken
- && null === $wishlistUser) {
+ if ($user instanceof ShopUserInterface ||
+ $wishlist->getToken() === $wishlistCookieToken && null === $wishlistUser
+ ) {
 $form = $this->createForm($wishlist);
 return new Response(
From f91b72d549a53600a18cea9546c9c5e05159ae03 Mon Sep 17 00:00:00 2001
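Review bot: The new owner check `if ($user !== $wishlistUser)` compares object identity, so it only passes when the user behind the security token and the `ShopUser` referenced by the wishlist are the same Doctrine instance; that is presumably true within one entity manager, and a mismatch fails closed (redirect) rather than open, but the assumption deserves a comment such as `// Identity comparison: both instances come from the same entity manager` or, more robustly, a comparison of shop-user identifiers once `$user` is known to be a `ShopUserInterface`. After that guard `$user` is either the owner or null on an ownerless wishlist, so the second condition reduces to `if ($user instanceof ShopUserInterface || $wishlist->getToken() === $wishlistCookieToken) {`; if the mixed form is kept, parentheses around the `&&` term would make the `||`/`&&` precedence explicit. `__invoke` starts before the hunk and its body continues past it.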
From: Marek Rzytki
Date: Wed, 22 May 2024 12:48:36 +0200
Subject: [PATCH 3/3] Add behat scenario for restrict wishlist access
---
 ...ting_access_to_other_user_wishlist.feature | 22 ++++++++++++
 tests/Behat/Context/Ui/WishlistContext.php | 36 +++++++++++++++++++
 tests/Behat/Page/Shop/Wishlist/IndexPage.php | 22 ++++++++++++
 .../Page/Shop/Wishlist/IndexPageInterface.php | 18 ++++++++++
 tests/Behat/Resources/services.yml | 7 ++++
 5 files changed, 105 insertions(+)
 create mode 100644 features/restricting_access_to_other_user_wishlist.feature
 create mode 100644 tests/Behat/Page/Shop/Wishlist/IndexPage.php
 create mode 100644 tests/Behat/Page/Shop/Wishlist/IndexPageInterface.php
diff --git a/features/restricting_access_to_other_user_wishlist.feature b/features/restricting_access_to_other_user_wishlist.feature
new file mode 100644
index 00000000..e8cd8b09
--- /dev/null
+++ b/features/restricting_access_to_other_user_wishlist.feature
@@ -0,0 +1,22 @@
+@wishlist
+Feature: Restricting access to other's user wishlist
+ In order to restrict access to other users wishlists
+ As a System
+ I want to be able to restrict access to other users wishlists
+
+ Background:
+ Given the store operates on a single channel in "United States"
+ And there is a customer account "jdeer@sylius.pl"
+ And there is a customer account "jdeer2@sylius.pl"
+ And user "jdeer@sylius.pl" has a wishlist named "Wishlist1" with token "123456token"
+ And user "jdeer2@sylius.pl" has a wishlist named "Wishlist2" with token "123456token"
+
+ @ui
+ Scenario: Restricting access to other users wishlist
+ When I go to "/"
+ And I log in as "jdeer@sylius.pl"
+ And I go to "/wishlists"
+ Then I should have 1 wishlists
+ When I try to access "jdeer2@sylius.pl" wishlist "Wishlist2"
+ Then I should still be on wishlist index page
+
diff --git a/tests/Behat/Context/Ui/WishlistContext.php b/tests/Behat/Context/Ui/WishlistContext.php
index 6531bcff..93b9d657 100644
--- a/tests/Behat/Context/Ui/WishlistContext.php
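Review bot: The scenario only covers an authenticated customer opening another customer's wishlist; the controller rule also redirects an anonymous visitor whose cookie token matches an owned wishlist, and although both wishlists here share the token "123456token", the cookie is never set, so that branch is not exercised. A second scenario that sets the wishlist cookie to that token as a guest (the context already injects a `CookieSetterInterface`, so a step for this may exist) and expects the index page would pin the token path. The title reads better as `Feature: Restricting access to other users' wishlists`.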
+++ b/tests/Behat/Context/Ui/WishlistContext.php
@@ -15,6 +15,7 @@
 use Behat\MinkExtension\Context\RawMinkContext;
 use BitBag\SyliusWishlistPlugin\Entity\Wishlist;
 use BitBag\SyliusWishlistPlugin\Entity\WishlistInterface;
+use BitBag\SyliusWishlistPlugin\Exception\WishlistNotFoundException;
 use BitBag\SyliusWishlistPlugin\Repository\WishlistRepositoryInterface;
 use Sylius\Behat\NotificationType;
 use Sylius\Behat\Service\NotificationCheckerInterface;
@@ -23,13 +24,16 @@
 use Sylius\Component\Channel\Repository\ChannelRepositoryInterface;
 use Sylius\Component\Core\Model\ProductInterface;
 use Sylius\Component\Core\Model\ProductVariantInterface;
+use Sylius\Component\Core\Model\ShopUserInterface;
 use Sylius\Component\Core\Repository\ProductRepositoryInterface;
 use Sylius\Component\Product\Resolver\ProductVariantResolverInterface;
+use Sylius\Component\Resource\Repository\RepositoryInterface;
 use Symfony\Component\Routing\Exception\ResourceNotFoundException;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Routing\RouterInterface;
 use Tests\BitBag\SyliusWishlistPlugin\Behat\Page\Shop\ProductIndexPageInterface;
 use Tests\BitBag\SyliusWishlistPlugin\Behat\Page\Shop\ProductShowPageInterface;
+use Tests\BitBag\SyliusWishlistPlugin\Behat\Page\Shop\Wishlist\IndexPageInterface;
 use Tests\BitBag\SyliusWishlistPlugin\Behat\Page\Shop\WishlistPageInterface;
 use Tests\BitBag\SyliusWishlistPlugin\Behat\Service\LoginerInterface;
 use Tests\BitBag\SyliusWishlistPlugin\Behat\Service\WishlistCreatorInterface;
@@ -52,6 +56,8 @@ public function __construct(
 private SharedStorageInterface $sharedStorage,
 private CookieSetterInterface $cookieSetter,
 private ChannelRepositoryInterface $channelRepository,
+ private RepositoryInterface $shopUserRepository,
+ private IndexPageInterface $wishlistIndexPage,
 ) {
 }
@@ -311,6 +317,36 @@ public function iOpenChosenWishlist(string $wishlistName): void
 $this->wishlistPage->showChosenWishlist($wishlistName);
 }
+ /**
+ * @Then I try to access :email wishlist :wishlistName
+ */
+ public function iTryToAccessCustomerWishlist(string $email, string $wishlistName): void
+ {
+ /** @var ?ShopUserInterface $shopUser */
+ $shopUser = $this->shopUserRepository->findOneBy(['username' => $email]);
+
+ if (null === $shopUser) {
+ throw new ResourceNotFoundException();
+ }
+
+ /** @var ?WishlistInterface $wishlist */
+ $wishlist = $this->wishlistRepository->findOneByShopUserAndName($shopUser, $wishlistName);
+
+ if (null === $wishlist) {
+ throw new WishlistNotFoundException();
+ }
+
+ $this->visitPath('/wishlists/' . $wishlist->getId());
+ }
+
+ /**
+ * @Then I should still be on wishlist index page
+ */
+ public function iShouldStillBeOnWishlistIndexPage(): void
+ {
+ $this->wishlistIndexPage->verify();
+ }
+
 /**
 * @When I remove selected products from wishlist
 */
diff --git a/tests/Behat/Page/Shop/Wishlist/IndexPage.php b/tests/Behat/Page/Shop/Wishlist/IndexPage.php
new file mode 100644
index 00000000..f128f5b3
--- /dev/null
+++ b/tests/Behat/Page/Shop/Wishlist/IndexPage.php
@@ -0,0 +1,22 @@
+
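Review bot: `iTryToAccessCustomerWishlist` is annotated `@Then` although the scenario calls it with `When`; Behat matches either keyword, but `@When I try to access :email wishlist :wishlistName` states the intent. The user-not-found branch throws Symfony's routing `ResourceNotFoundException` with no message, so a failing run would not say which account was missing; a plain `throw new \RuntimeException(sprintf('Shop user "%s" not found', $email));` reads better, and the same applies to the bare `WishlistNotFoundException`. `findOneByShopUserAndName` is not visible in this patch, so it presumably already exists on `WishlistRepositoryInterface` — worth confirming. The literal `'/wishlists/'` prefix duplicates the route definition; the context already imports `UrlGeneratorInterface`, and generating the URL from the route name would keep the step in sync with the routing.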