From b7746aabb3db4be9584654e1694fc45a9c149301 Mon Sep 17 00:00:00 2001
From: Yurii Muratov
Date: Fri, 2 Jun 2023 18:04:10 +0300
Subject: [PATCH] BB-22505: Fix totals checkout data (#35643)

---
 .../Frontend/AjaxCheckoutController.php | 2 ++
 .../Frontend/AjaxCheckoutControllerTest.php | 28 +++++++++++++------
 2 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/src/Oro/Bundle/CheckoutBundle/Controller/Frontend/AjaxCheckoutController.php b/src/Oro/Bundle/CheckoutBundle/Controller/Frontend/AjaxCheckoutController.php
index 3eb54966a85..ab06afb77b9 100644
--- a/src/Oro/Bundle/CheckoutBundle/Controller/Frontend/AjaxCheckoutController.php
+++ b/src/Oro/Bundle/CheckoutBundle/Controller/Frontend/AjaxCheckoutController.php
@@ -35,9 +35,11 @@ public function getTotalsAction(Request $request, $entityId)
 /** @var Checkout $checkout */
 $checkout = $this->getDoctrine()->getManagerForClass(Checkout::class)
 ->getRepository(Checkout::class)->getCheckoutWithRelations($entityId);
+
 if (!$checkout) {
 return new JsonResponse('', Response::HTTP_NOT_FOUND);
 }
+
 $this->denyAccessUnlessGranted('EDIT', $checkout);
 
 $this->setCorrectCheckoutShippingMethodData($checkout, $request);
diff --git a/src/Oro/Bundle/CheckoutBundle/Tests/Functional/Controller/Frontend/AjaxCheckoutControllerTest.php b/src/Oro/Bundle/CheckoutBundle/Tests/Functional/Controller/Frontend/AjaxCheckoutControllerTest.php
index 2a37abc34f7..fe6297f5a7e 100644
--- a/src/Oro/Bundle/CheckoutBundle/Tests/Functional/Controller/Frontend/AjaxCheckoutControllerTest.php
+++ b/src/Oro/Bundle/CheckoutBundle/Tests/Functional/Controller/Frontend/AjaxCheckoutControllerTest.php
@@ -18,7 +18,7 @@ protected function setUp(): void
 {
 $this->initClient(
 [],
- $this->generateBasicAuthHeader(LoadCustomerUserData::EMAIL, LoadCustomerUserData::PASSWORD)
+ self::generateBasicAuthHeader(LoadCustomerUserData::EMAIL, LoadCustomerUserData::PASSWORD)
 );
 $this->setCurrentWebsite('default');
 $this->loadFixtures(
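Review bot: The early `return new JsonResponse('', Response::HTTP_NOT_FOUND)` in getTotalsAction still runs before `$this->denyAccessUnlessGranted('EDIT', $checkout)`, so an authenticated customer user receives 404 for an id that does not exist and 403 for one owned by someone else (the new test pins the 403), which lets the response code reveal whether a given checkout id exists. If that distinction is not intended, a comment above the check such as `// NOTE: a missing checkout answers 404 before the ACL check; ids of other customers' checkouts answer 403` should at least make the choice explicit, and treating both cases as 404 would close the oracle. The controller hunk itself only adds two blank lines, so the behavioural fix this commit describes appears to live in the test fixture change rather than here. `getTotalsAction` continues outside the hunk; `$entityId` in the context signature also has no type declaration, so a non-numeric value reaches `getCheckoutWithRelations` unchecked.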
@@ -35,25 +35,37 @@ protected function setUp(): void ); } - public function testGetTotalsActionNotFound() + public function testGetTotalsActionNotFound(): void { $this->client->request('GET', $this->getUrl('oro_checkout_frontend_totals', ['entityId' => 0])); $result = $this->client->getResponse(); - $this->assertJsonResponseStatusCodeEquals($result, 404); + self::assertJsonResponseStatusCodeEquals($result, 404); } - public function testGetTotalsAction() + public function testGetTotalsAction(): void { - $checkout = $this->getReference(LoadShoppingListsCheckoutsData::CHECKOUT_1); + $checkout = $this->getReference(LoadShoppingListsCheckoutsData::CHECKOUT_7); $this->client->request( 'GET', $this->getUrl('oro_checkout_frontend_totals', ['entityId' => $checkout->getId()]) ); $result = $this->client->getResponse(); - $this->assertJsonResponseStatusCodeEquals($result, 200); + self::assertJsonResponseStatusCodeEquals($result, 200); $result = json_decode($result->getContent(), true); - $this->assertArrayHasKey('total', $result); - $this->assertArrayHasKey('subtotals', $result); + self::assertArrayHasKey('total', $result); + self::assertArrayHasKey('subtotals', $result); + } + + public function testGetTotalsActionOfAnotherCustomerUser(): void + { + $checkout = $this->getReference(LoadShoppingListsCheckoutsData::CHECKOUT_1); + + $this->client->request( + 'GET', + $this->getUrl('oro_checkout_frontend_totals', ['entityId' => $checkout->getId()]) + ); + $result = $this->client->getResponse(); + self::assertEquals(403, $result->getStatusCode()); } }
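Review bot: testGetTotalsActionOfAnotherCustomerUser checks the status with `self::assertEquals(403, $result->getStatusCode())` while its two siblings use `self::assertJsonResponseStatusCodeEquals`, and assertEquals on an int is looser than needed; `self::assertSame(403, $result->getStatusCode());` pins the type, and if the sibling helper was avoided because the 403 body is not JSON, a one-line comment saying so would stop the next reader from "fixing" it. The test also relies on CHECKOUT_1 belonging to a different customer user than LoadCustomerUserData::EMAIL, which the fixture names suggest but nothing in this hunk shows, and the same constant was the accessible checkout before this commit; a comment above the request such as `// CHECKOUT_1 is owned by another customer user, so EDIT must be denied` records that dependency on the fixture. The replacement of CHECKOUT_1 by CHECKOUT_7 in testGetTotalsAction likewise carries no explanation of why the previous fixture no longer satisfies the test.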