Merge pull request #3255 from magento-qwerty/2.3-bugfixes-031018

[Qwerty] Bugfixes

app/code/Magento/Customer/Api/AccountManagementInterface.php

@@ -7,6 +7,8 @@
 
 namespace Magento\Customer\Api;
 
+use Magento\Framework\Exception\InputException;
+
 /**
  * Interface for managing customers accounts.
  * @api
@@ -144,19 +146,24 @@ public function initiatePasswordReset($email, $template, $websiteId = null);
     /**
      * Reset customer password.
      *
-     * @param string $email
+     * @param string $email If empty value given then the customer
+     * will be matched by the RP token.
      * @param string $resetToken
      * @param string $newPassword
+     *
      * @return bool true on success
      * @throws \Magento\Framework\Exception\LocalizedException
+     * @throws InputException
      */
     public function resetPassword($email, $resetToken, $newPassword);
 
     /**
      * Check if password reset token is valid.
      *
-     * @param int $customerId
+     * @param int $customerId If null is given then a customer
+     * will be matched by the RP token.
      * @param string $resetPasswordLinkToken
+     *
      * @return bool True if the token is valid
      * @throws \Magento\Framework\Exception\State\InputMismatchException If token is mismatched
      * @throws \Magento\Framework\Exception\State\ExpiredException If token is expired

app/code/Magento/Customer/Controller/Account/CreatePassword.php

@@ -1,17 +1,22 @@
 <?php
 /**
- *
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
 namespace Magento\Customer\Controller\Account;
 
 use Magento\Customer\Api\AccountManagementInterface;
 use Magento\Customer\Model\Session;
+use Magento\Framework\App\Action\HttpGetActionInterface;
 use Magento\Framework\View\Result\PageFactory;
 use Magento\Framework\App\Action\Context;
 
-class CreatePassword extends \Magento\Customer\Controller\AbstractAccount
+/**
+ * Class CreatePassword
+ *
+ * @package Magento\Customer\Controller\Account
+ */
+class CreatePassword extends \Magento\Customer\Controller\AbstractAccount implements HttpGetActionInterface
 {
     /**
      * @var \Magento\Customer\Api\AccountManagementInterface
@@ -54,27 +59,27 @@ public function __construct(
     public function execute()
     {
         $resetPasswordToken = (string)$this->getRequest()->getParam('token');
-        $customerId = (int)$this->getRequest()->getParam('id');
-        $isDirectLink = $resetPasswordToken != '' && $customerId != 0;
+        $isDirectLink = $resetPasswordToken != '';
         if (!$isDirectLink) {
             $resetPasswordToken = (string)$this->session->getRpToken();
-            $customerId = (int)$this->session->getRpCustomerId();
         }
 
         try {
-            $this->accountManagement->validateResetPasswordLinkToken($customerId, $resetPasswordToken);
+            $this->accountManagement->validateResetPasswordLinkToken(null, $resetPasswordToken);
 
             if ($isDirectLink) {
                 $this->session->setRpToken($resetPasswordToken);
-                $this->session->setRpCustomerId($customerId);
                 $resultRedirect = $this->resultRedirectFactory->create();
                 $resultRedirect->setPath('*/*/createpassword');
+
                 return $resultRedirect;
             } else {
                 /** @var \Magento\Framework\View\Result\Page $resultPage */
                 $resultPage = $this->resultPageFactory->create();
-                $resultPage->getLayout()->getBlock('resetPassword')->setCustomerId($customerId)
+                $resultPage->getLayout()
+                    ->getBlock('resetPassword')
                     ->setResetPasswordLinkToken($resetPasswordToken);
+
                 return $resultPage;
             }
         } catch (\Exception $exception) {

app/code/Magento/Customer/Controller/Account/EditPost.php

@@ -22,6 +22,7 @@
 use Magento\Customer\Model\CustomerExtractor;
 use Magento\Customer\Model\Session;
 use Magento\Framework\App\Action\Context;
+use Magento\Framework\Escaper;
 use Magento\Framework\Exception\InputException;
 use Magento\Framework\Exception\InvalidEmailOrPasswordException;
 use Magento\Framework\Exception\State\UserLockedException;
@@ -79,28 +80,36 @@ class EditPost extends AbstractAccount implements CsrfAwareActionInterface, Http
      */
     private $customerMapper;
 
+    /**
+     * @var Escaper
+     */
+    private $escaper;
+
     /**
      * @param Context $context
      * @param Session $customerSession
      * @param AccountManagementInterface $customerAccountManagement
      * @param CustomerRepositoryInterface $customerRepository
      * @param Validator $formKeyValidator
      * @param CustomerExtractor $customerExtractor
+     * @param Escaper|null $escaper
      */
     public function __construct(
         Context $context,
         Session $customerSession,
         AccountManagementInterface $customerAccountManagement,
         CustomerRepositoryInterface $customerRepository,
         Validator $formKeyValidator,
-        CustomerExtractor $customerExtractor
+        CustomerExtractor $customerExtractor,
+        ?Escaper $escaper = null
     ) {
         parent::__construct($context);
         $this->session = $customerSession;
         $this->customerAccountManagement = $customerAccountManagement;
         $this->customerRepository = $customerRepository;
         $this->formKeyValidator = $formKeyValidator;
         $this->customerExtractor = $customerExtractor;
+        $this->escaper = $escaper ?: ObjectManager::getInstance()->get(Escaper::class);
     }
 
     /**
@@ -196,7 +205,7 @@ public function execute()
                 $this->messageManager->addSuccess(__('You saved the account information.'));
                 return $resultRedirect->setPath('customer/account');
             } catch (InvalidEmailOrPasswordException $e) {
-                $this->messageManager->addError($e->getMessage());
+                $this->messageManager->addErrorMessage($this->escaper->escapeHtml($e->getMessage()));
             } catch (UserLockedException $e) {
                 $message = __(
                     'The account sign-in was incorrect or your account is disabled temporarily. '
@@ -207,9 +216,9 @@ public function execute()
                 $this->messageManager->addError($message);
                 return $resultRedirect->setPath('customer/account/login');
             } catch (InputException $e) {
-                $this->messageManager->addError($e->getMessage());
+                $this->messageManager->addErrorMessage($this->escaper->escapeHtml($e->getMessage()));
                 foreach ($e->getErrors() as $error) {
-                    $this->messageManager->addError($error->getMessage());
+                    $this->messageManager->addErrorMessage($this->escaper->escapeHtml($error->getMessage()));
                 }
             } catch (\Magento\Framework\Exception\LocalizedException $e) {
                 $this->messageManager->addError($e->getMessage());

app/code/Magento/Customer/Controller/Account/ResetPasswordPost.php

@@ -1,6 +1,5 @@
 <?php
 /**
- *
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
@@ -10,11 +9,16 @@
 use Magento\Customer\Api\CustomerRepositoryInterface;
 use Magento\Customer\Model\Session;
 use Magento\Framework\App\Action\Context;
+use Magento\Framework\App\Action\HttpPostActionInterface;
 use Magento\Framework\Exception\InputException;
 use Magento\Customer\Model\Customer\CredentialsValidator;
-use Magento\Framework\App\ObjectManager;
 
-class ResetPasswordPost extends \Magento\Customer\Controller\AbstractAccount
+/**
+ * Class ResetPasswordPost
+ *
+ * @package Magento\Customer\Controller\Account
+ */
+class ResetPasswordPost extends \Magento\Customer\Controller\AbstractAccount implements HttpPostActionInterface
 {
     /**
      * @var \Magento\Customer\Api\AccountManagementInterface
@@ -31,17 +35,14 @@ class ResetPasswordPost extends \Magento\Customer\Controller\AbstractAccount
      */
     protected $session;
 
-    /**
-     * @var CredentialsValidator
-     */
-    private $credentialsValidator;
-
     /**
      * @param Context $context
      * @param Session $customerSession
      * @param AccountManagementInterface $accountManagement
      * @param CustomerRepositoryInterface $customerRepository
      * @param CredentialsValidator|null $credentialsValidator
+     *
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */
     public function __construct(
         Context $context,
@@ -53,8 +54,6 @@ public function __construct(
         $this->session = $customerSession;
         $this->accountManagement = $accountManagement;
         $this->customerRepository = $customerRepository;
-        $this->credentialsValidator = $credentialsValidator ?: ObjectManager::getInstance()
-            ->get(CredentialsValidator::class);
         parent::__construct($context);
     }
 
@@ -70,29 +69,32 @@ public function execute()
         /** @var \Magento\Framework\Controller\Result\Redirect $resultRedirect */
         $resultRedirect = $this->resultRedirectFactory->create();
         $resetPasswordToken = (string)$this->getRequest()->getQuery('token');
-        $customerId = (int)$this->getRequest()->getQuery('id');
         $password = (string)$this->getRequest()->getPost('password');
         $passwordConfirmation = (string)$this->getRequest()->getPost('password_confirmation');
 
         if ($password !== $passwordConfirmation) {
             $this->messageManager->addError(__("New Password and Confirm New Password values didn't match."));
-            $resultRedirect->setPath('*/*/createPassword', ['id' => $customerId, 'token' => $resetPasswordToken]);
+            $resultRedirect->setPath('*/*/createPassword', ['token' => $resetPasswordToken]);
+
             return $resultRedirect;
         }
         if (iconv_strlen($password) <= 0) {
             $this->messageManager->addError(__('Please enter a new password.'));
-            $resultRedirect->setPath('*/*/createPassword', ['id' => $customerId, 'token' => $resetPasswordToken]);
+            $resultRedirect->setPath('*/*/createPassword', ['token' => $resetPasswordToken]);
+
             return $resultRedirect;
         }
 
         try {
-            $customerEmail = $this->customerRepository->getById($customerId)->getEmail();
-            $this->credentialsValidator->checkPasswordDifferentFromEmail($customerEmail, $password);
-            $this->accountManagement->resetPassword($customerEmail, $resetPasswordToken, $password);
+            $this->accountManagement->resetPassword(
+                null,
+                $resetPasswordToken,
+                $password
+            );
             $this->session->unsRpToken();
-            $this->session->unsRpCustomerId();
             $this->messageManager->addSuccess(__('You updated your password.'));
             $resultRedirect->setPath('*/*/login');
+
             return $resultRedirect;
         } catch (InputException $e) {
             $this->messageManager->addError($e->getMessage());
@@ -102,7 +104,8 @@ public function execute()
         } catch (\Exception $exception) {
             $this->messageManager->addError(__('Something went wrong while saving the new password.'));
         }
-        $resultRedirect->setPath('*/*/createPassword', ['id' => $customerId, 'token' => $resetPasswordToken]);
+        $resultRedirect->setPath('*/*/createPassword', ['token' => $resetPasswordToken]);
+
         return $resultRedirect;
     }
 }