minor #505 Returning 401 on customer details/update actions when not …

…logged in (JakobTolkemit) This PR was merged into the 1.0-dev branch. Discussion ---------- The `LoggedInCustomerDetailsAction` and the `UpdateCustomerAction` now return an unauthorized response instead of throwing `TokenNotFoundException` if the user is not logged in. Commits ------- c2c28c3 Returning 401 on customer details/update actions without being logged in b0940e7 Fixed & added tests 9f1c095 Updated swagger
Sylius · Jul 31, 2019 · 3e49756 · 3e49756
2 parents 0afc8bd + 9f1c095
commit 3e49756
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 7 deletions.
diff --git a/doc/swagger.yml b/doc/swagger.yml
@@ -841,8 +841,8 @@ paths:
                     description: "Provides currently logged in user details."
                     schema:
                         $ref: "#/definitions/LoggedInCustomerDetails"
-                500:
-                    description: "There is no currently logged in user."
+                401:
+                    description: "User token invalid"
             security:
                 -   bearerAuth: []
         put:
@@ -862,9 +862,7 @@ paths:
                     schema:
                         $ref: "#/definitions/LoggedInCustomerDetails"
                 401:
-                    description: "User token is invalid."
-                500:
-                    description: "There is no currently logged in user."
+                    description: "User token invalid"
             security:
                 -   bearerAuth: []
 

diff --git a/src/Controller/Customer/LoggedInCustomerDetailsAction.php b/src/Controller/Customer/LoggedInCustomerDetailsAction.php
@@ -35,6 +35,10 @@ public function __construct(
 
     public function __invoke(Request $request): Response
     {
+        if (!$this->loggedInShopUserProvider->isUserLoggedIn()) {
+            return $this->viewHandler->handle(View::create(null, Response::HTTP_UNAUTHORIZED));
+        }
+
         $customer = $this->loggedInShopUserProvider->provide()->getCustomer();
         Assert::notNull($customer);
 

diff --git a/src/Controller/Customer/UpdateCustomerAction.php b/src/Controller/Customer/UpdateCustomerAction.php
@@ -54,6 +54,10 @@ public function __construct(
 
     public function __invoke(Request $request): Response
     {
+        if (!$this->loggedInUserProvider->isUserLoggedIn()) {
+            return $this->viewHandler->handle(View::create(null, Response::HTTP_UNAUTHORIZED));
+        }
+
         $validationResults = $this->updateCustomerCommandProvider->validate($request, null, ['sylius_customer_profile_update']);
         if (0 !== count($validationResults)) {
             return $this->viewHandler->handle(View::create(

diff --git a/tests/Controller/Customer/LoggedInCustomerDetailsActionTest.php b/tests/Controller/Customer/LoggedInCustomerDetailsActionTest.php
@@ -17,7 +17,7 @@ public function it_shows_currently_logged_in_customer_details(): void
         $this->loadFixturesFromFiles(['channel.yml', 'customer.yml']);
 
         $data =
-<<<JSON
+            <<<JSON
         {
             "email": "oliver@queen.com",
             "password": "123password"
@@ -37,4 +37,28 @@ public function it_shows_currently_logged_in_customer_details(): void
         $response = $this->client->getResponse();
         $this->assertResponse($response, 'customer/logged_in_customer_details_response', Response::HTTP_OK);
     }
+
+    /**
+     * @test
+     */
+    public function it_does_not_allow_to_show_customer_details_without_being_logged_in(): void
+    {
+        $this->loadFixturesFromFiles(['channel.yml', 'customer.yml']);
+
+        $data =
+            <<<JSON
+        {
+            "email": "oliver@queen.com",
+            "password": "123password"
+        }
+JSON;
+
+        $this->client->request('GET', '/shop-api/me', [], [], [
+            'CONTENT_TYPE' => 'application/json',
+            'ACCEPT' => 'application/json',
+        ]);
+
+        $response = $this->client->getResponse();
+        $this->assertResponseCode($response, Response::HTTP_UNAUTHORIZED);
+    }
 }
diff --git a/tests/Controller/Customer/UpdateCustomerApiTest.php b/tests/Controller/Customer/UpdateCustomerApiTest.php
@@ -75,7 +75,7 @@ public function it_does_not_allow_to_update_customer_without_being_logged_in():
 JSON;
         $this->client->request('PUT', '/shop-api/me', [], [], self::CONTENT_TYPE_HEADER, $data);
         $response = $this->client->getResponse();
-        $this->assertResponseCode($response, Response::HTTP_INTERNAL_SERVER_ERROR);
+        $this->assertResponseCode($response, Response::HTTP_UNAUTHORIZED);
     }
 
     /**