custom/plugins/SwagPlatformSecurity/src/Fixes/NEXT15183/SecurityFix.php line 55

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace Swag\Security\Fixes\NEXT15183;
  5. use Shopware\Core\Checkout\Cart\Exception\CustomerNotLoggedInException;
  6. use Shopware\Core\Framework\DataAbstractionLayer\EntityRepositoryInterface;
  7. use Shopware\Core\Framework\DataAbstractionLayer\Exception\EntityNotFoundException;
  8. use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
  9. use Shopware\Core\Framework\DataAbstractionLayer\Search\Filter\EqualsFilter;
  10. use Shopware\Core\Framework\Routing\KernelListenerPriorities;
  11. use Shopware\Core\PlatformRequest;
  12. use Shopware\Core\System\SalesChannel\SalesChannelContext;
  13. use Swag\Security\Components\AbstractSecurityFix;
  14. use Symfony\Component\HttpFoundation\JsonResponse;
  15. use Symfony\Component\HttpFoundation\Response;
  16. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  17. use Symfony\Component\HttpKernel\KernelEvents;
  19. class SecurityFix extends AbstractSecurityFix
  20. {
  21.     /**
  22.      * @var EntityRepositoryInterface
  23.      */
  24.     private $orderRepository;
  26.     public function __construct(EntityRepositoryInterface $orderRepository)
  27.     {
  28.         $this->orderRepository $orderRepository;
  29.     }
  31.     public static function getTicket(): string
  32.     {
  33.         return 'NEXT-15183';
  34.     }
  36.     public static function getMinVersion(): string
  37.     {
  38.         return '6.2.0';
  39.     }
  41.     public static function getMaxVersion(): ?string
  42.     {
  43.         return '6.4.0.0';
  44.     }
  46.     public static function getSubscribedEvents(): array
  47.     {
  48.         return [
  49.             KernelEvents::CONTROLLER => [
  50.                 'onKernelRequest'KernelListenerPriorities::KERNEL_CONTROLLER_EVENT_CONTEXT_RESOLVE
  51.             ]
  52.         ];
  53.     }
  55.     public function onKernelRequest(ControllerEvent $event): void
  56.     {
  57.         $request $event->getRequest();
  59.         if (
  60.             $request->attributes->get('_route') !== 'store-api.order.state.cancel' &&
  61.             $request->attributes->get('_route') !== 'store-api.order.state.cancel.major_fallback'
  62.         ) {
  63.             return;
  64.         }
  66.         $orderId $request->get('orderId');
  67.         $context $request->attributes->get(PlatformRequest::ATTRIBUTE_SALES_CHANNEL_CONTEXT_OBJECT);
  69.         if ($orderId === null || ! $context instanceof SalesChannelContext) {
  70.             return;
  71.         }
  73.         if ($context->getCustomer() === null) {
  74.             throw new CustomerNotLoggedInException();
  75.         }
  77.         $criteria = new Criteria([$orderId]);
  78.         $criteria->addFilter(new EqualsFilter('orderCustomer.customerId'$context->getCustomer()->getId()));
  80.         if ($this->orderRepository->searchIds($criteria$context->getContext())->firstId() === null) {
  81.             $event->setController(function () {
  82.                 return new Response(''Response::HTTP_NOT_FOUND);
  83.             });
  84.         }
  85.     }
  86. }