Merge pull request from GHSA-rpxh-vg2x-526v

[API][Shop] Hide order list details for guest users

features/account/customer_account/viewing_orders_history/viewing_only_my_orders.feature

@@ -9,17 +9,23 @@ Feature: Viewing orders on my account page
         And the store has "Angel T-Shirt" and "Green Arrow" products
         And the store ships everywhere for free
         And the store allows paying with "Cash on Delivery"
-        And I am a logged in customer
-        And I placed an order "#00000666"
-        And I bought a single "Angel T-Shirt"
-        And I addressed it to "Lucifer Morningstar", "Seaside Fwy", "90802" "Los Angeles" in the "United States" with identical billing address
-        And I chose "Free" shipping method with "Cash on Delivery" payment
         And there is another customer "oliver@teamarrow.com" that placed an order "#00000999"
         And the customer bought a single "Green Arrow"
         And the customer "Oliver Queen" addressed it to "Seaside Fwy", "90802" "Los Angeles" in the "United States" with identical billing address
+        And the customer chose "Free" shipping method with "Cash on Delivery" payment
 
     @ui @api
     Scenario: Viewing orders
+        Given I am a logged in customer
+        And I placed an order "#00000666"
+        And I bought a single "Angel T-Shirt"
+        And I addressed it to "Lucifer Morningstar", "Seaside Fwy", "90802" "Los Angeles" in the "United States" with identical billing address
+        And I chose "Free" shipping method with "Cash on Delivery" payment
         When I browse my orders
         Then I should see a single order in the list
         And this order should have "#00000666" number
+
+    @api
+    Scenario: Viewing orders
+        When I browse my orders
+        Then I should be denied an access to order list

src/Sylius/Behat/Context/Api/Shop/OrderContext.php

@@ -298,6 +298,14 @@ public function iShouldNotBeAbleToSeeThatOrder(): void
         Assert::false($this->responseChecker->isShowSuccessful($this->client->getLastResponse()));
     }
 
+    /**
+     * @Then I should be denied an access to order list
+     */
+    public function iShouldDeniedAnAccessToOrderList(): void
+    {
+        Assert::true($this->responseChecker->hasAccessDenied($this->client->getLastResponse()));
+    }
+
     /**
      * @Then I should have :paymentMethod payment method on my order
      */

src/Sylius/Bundle/ApiBundle/Doctrine/QueryCollectionExtension/OrdersByLoggedInUserExtension.php

@@ -17,9 +17,11 @@
 use ApiPlatform\Core\Bridge\Doctrine\Orm\Util\QueryNameGeneratorInterface;
 use Doctrine\ORM\QueryBuilder;
 use Sylius\Bundle\ApiBundle\Context\UserContextInterface;
+use Sylius\Component\Core\Model\AdminUserInterface;
 use Sylius\Component\Core\Model\CustomerInterface;
 use Sylius\Component\Core\Model\OrderInterface;
 use Sylius\Component\Core\Model\ShopUserInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 
 /** @experimental */
 final class OrdersByLoggedInUserExtension implements ContextAwareQueryCollectionExtensionInterface
@@ -50,6 +52,11 @@ public function applyToCollection(
         ;
 
         $user = $this->userContext->getUser();
+
+        if ($user instanceof AdminUserInterface) {
+            return;
+        }
+
         if ($user instanceof ShopUserInterface) {
             /** @var CustomerInterface $customer */
             $customer = $user->getCustomer();
@@ -59,5 +66,7 @@ public function applyToCollection(
                 ->setParameter('customer', $customer)
             ;
         }
+
+        throw new AccessDeniedException();
     }
 }