Fix failing checkoutCustomerAttach mutation (#9401)

* Fix failing checkoutCustomerAttach mutation when performed by app without customerId provided * Update changelog * Fix changelog Co-authored-by: Marcin Gębala <5421321+maarcingebala@users.noreply.github.com> Co-authored-by: Marcin Gębala <maarcin.gebala@gmail.com>
saleor · Mar 25, 2022 · 80e94d3 · 80e94d3
1 parent 316a598
commit 80e94d3
Show file tree

Hide file tree

Showing 3 changed files with 82 additions and 41 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,7 +15,7 @@ All notable, unreleased changes to this project will be documented in this file.
   instead.
 
 ### Other changes
-...
+- Fix failing `checkoutCustomerAttach` mutation - #9401 by @IKarbowiak
 
 
 # 3.1.7

diff --git a/saleor/graphql/checkout/mutations/checkout_customer_attach.py b/saleor/graphql/checkout/mutations/checkout_customer_attach.py
@@ -1,4 +1,5 @@
 import graphene
+from django.forms import ValidationError
 
 from ....checkout.error_codes import CheckoutErrorCode
 from ....core.exceptions import PermissionDenied
@@ -70,6 +71,16 @@ def perform_mutation(
                     permissions=[AccountPermissions.IMPERSONATE_USER]
                 )
             customer = cls.get_node_or_error(info, customer_id, only_type="User")
+        elif info.context.user.is_anonymous:
+            raise ValidationError(
+                {
+                    "customer_id": ValidationError(
+                        "The customerId value must be provided "
+                        "when running mutation as app.",
+                        code=CheckoutErrorCode.REQUIRED.value,
+                    )
+                }
+            )
         else:
             customer = info.context.user
 

diff --git a/saleor/graphql/checkout/tests/test_checkout.py b/saleor/graphql/checkout/tests/test_checkout.py
@@ -2326,31 +2326,60 @@ def test_create_checkout_with_unpublished_product(
     assert error["code"] == CheckoutErrorCode.PRODUCT_NOT_PUBLISHED.name
 
 
+MUTATION_CHECKOUT_CUSTOMER_ATTACH = """
+    mutation checkoutCustomerAttach($token: UUID, $customerId: ID) {
+        checkoutCustomerAttach(token: $token, customerId: $customerId) {
+            checkout {
+                token
+            }
+            errors {
+                code
+                field
+                message
+            }
+        }
+    }
+"""
+
+
 def test_checkout_customer_attach(
-    api_client, user_api_client, checkout_with_item, customer_user
+    user_api_client, checkout_with_item, customer_user, permission_impersonate_user
 ):
     checkout = checkout_with_item
     checkout.email = "old@email.com"
     checkout.save()
     assert checkout.user is None
     previous_last_change = checkout.last_change
 
-    query = """
-        mutation checkoutCustomerAttach($token: UUID) {
-            checkoutCustomerAttach(token: $token) {
-                checkout {
-                    token
-                }
-                errors {
-                    field
-                    message
-                }
-            }
-        }
-    """
+    query = MUTATION_CHECKOUT_CUSTOMER_ATTACH
     customer_id = graphene.Node.to_global_id("User", customer_user.pk)
     variables = {"token": checkout.token, "customerId": customer_id}
 
+    response = user_api_client.post_graphql(
+        query, variables, permissions=[permission_impersonate_user]
+    )
+    content = get_graphql_content(response)
+
+    data = content["data"]["checkoutCustomerAttach"]
+    assert not data["errors"]
+    checkout.refresh_from_db()
+    assert checkout.user == customer_user
+    assert checkout.email == customer_user.email
+    assert checkout.last_change != previous_last_change
+
+
+def test_checkout_customer_attach_no_customer_id(
+    api_client, user_api_client, checkout_with_item, customer_user
+):
+    checkout = checkout_with_item
+    checkout.email = "old@email.com"
+    checkout.save()
+    assert checkout.user is None
+    previous_last_change = checkout.last_change
+
+    query = MUTATION_CHECKOUT_CUSTOMER_ATTACH
+    variables = {"token": checkout.token}
+
     # Mutation should fail for unauthenticated customers
     response = api_client.post_graphql(query, variables)
     assert_no_permission(response)
@@ -2375,19 +2404,7 @@ def test_checkout_customer_attach_by_app(
     assert checkout.user is None
     previous_last_change = checkout.last_change
 
-    query = """
-        mutation checkoutCustomerAttach($token: UUID, $customerId: ID) {
-            checkoutCustomerAttach(token: $token, customerId: $customerId) {
-                checkout {
-                    token
-                }
-                errors {
-                    field
-                    message
-                }
-            }
-        }
-    """
+    query = MUTATION_CHECKOUT_CUSTOMER_ATTACH
     customer_id = graphene.Node.to_global_id("User", customer_user.pk)
     variables = {"token": checkout.token, "customerId": customer_id}
 
@@ -2404,6 +2421,31 @@ def test_checkout_customer_attach_by_app(
     assert checkout.last_change != previous_last_change
 
 
+def test_checkout_customer_attach_by_app_no_customer_id(
+    app_api_client, checkout_with_item, permission_impersonate_user
+):
+    checkout = checkout_with_item
+    checkout.email = "old@email.com"
+    checkout.save()
+    assert checkout.user is None
+
+    query = MUTATION_CHECKOUT_CUSTOMER_ATTACH
+    variables = {"token": checkout.token}
+
+    # Mutation should succeed for authenticated customer
+    response = app_api_client.post_graphql(
+        query,
+        variables,
+        permissions=[permission_impersonate_user],
+        check_no_permissions=False,
+    )
+    content = get_graphql_content(response)
+    data = content["data"]["checkoutCustomerAttach"]
+    assert len(data["errors"]) == 1
+    assert data["errors"][0]["code"] == CheckoutErrorCode.REQUIRED.name
+    assert data["errors"][0]["field"] == "customerId"
+
+
 def test_checkout_customer_attach_by_app_without_permission(
     app_api_client, checkout_with_item, customer_user
 ):
@@ -2412,19 +2454,7 @@ def test_checkout_customer_attach_by_app_without_permission(
     checkout.save()
     assert checkout.user is None
 
-    query = """
-        mutation checkoutCustomerAttach($token: UUID, $customerId: ID) {
-            checkoutCustomerAttach(token: $token, customerId: $customerId) {
-                checkout {
-                    token
-                }
-                errors {
-                    field
-                    message
-                }
-            }
-        }
-    """
+    query = MUTATION_CHECKOUT_CUSTOMER_ATTACH
     customer_id = graphene.Node.to_global_id("User", customer_user.pk)
     variables = {"token": checkout.token, "customerId": customer_id}