From 746ccfa26838bbd185dbba51136a119cdef31c6d Mon Sep 17 00:00:00 2001 From: Toan Nguyen Date: Tue, 21 Apr 2020 17:40:59 +1000 Subject: [PATCH] Resolve security vulnerability with Synchronize Customers feature All customers are requested to download and instal this release the extension. --- .../community/Zendesk/Zendesk/Helper/Sync.php | 42 +++----- .../Zendesk/Zendesk/Model/Api/Users.php | 32 +++--- .../Zendesk/Zendesk/Model/Customer.php | 4 +- .../Zendesk/Zendesk/Model/Observer.php | 102 +----------------- 4 files changed, 32 insertions(+), 148 deletions(-) diff --git a/src/app/code/community/Zendesk/Zendesk/Helper/Sync.php b/src/app/code/community/Zendesk/Zendesk/Helper/Sync.php index 0de0e14a..7f0a68a7 100644 --- a/src/app/code/community/Zendesk/Zendesk/Helper/Sync.php +++ b/src/app/code/community/Zendesk/Zendesk/Helper/Sync.php @@ -2,14 +2,14 @@ class Zendesk_Zendesk_Helper_Sync extends Mage_Core_Helper_Abstract { - public function getCustomerData($customer){ + public function syncCustomer($customer){ if(!Mage::getStoreConfig('zendesk/general/customer_sync')) return; $user = null; - $email = $customer->getEmail(); - $origEmail = $customer->getOrigData(); - $origEmail = $origEmail['email']; + $currentEmail = $customer->getEmail(); + $previousCustomerData = $customer->getOrigData(); + $previousEmail = $previousCustomerData['email']; //Get Customer Group $groupId = $customer->getGroupId(); $group = Mage::getModel('customer/group')->load($groupId); @@ -48,7 +48,7 @@ public function getCustomerData($customer){ $info['user'] = array( "name" => $customer->getFirstname() . " " . $customer->getLastname(), - "email" => $email, + "email" => $currentEmail, "user_fields" => array( "group" => $group->getCode(), "name" => $customer->getFirstname() . " " . $customer->getLastname(), 
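Review bot: `$previousEmail = $previousCustomerData['email'];` assumes the original-data array always carries an `email` key, but a customer that is being created for the first time has no original row, so this raises an undefined-index notice and leaves `$previousEmail` null; `$previousEmail = $customer->getOrigData('email');` yields the same null without the notice and keeps the later comparison unchanged. The method also deserves a docblock now that a name like `syncCustomer` hides a write to Zendesk, e.g. `@return array|null the matching or newly created Zendesk user; null when customer sync is disabled or no user was resolved`. The body of syncCustomer continues past this hunk.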
@@ -59,36 +59,20 @@ public function getCustomerData($customer){ ) ); - if($origEmail && $origEmail !== $email) { - $user = Mage::getModel('zendesk/api_users')->find($origEmail); - - if(isset($user['id'])) { - $data['identity'] = array( - 'type' => 'email', - 'value' => $email, - 'verified' => true - ); - $identity = Mage::getModel('zendesk/api_users')->addIdentity($user['id'],$data); - if(isset($identity['id'])) { - Mage::getModel('zendesk/api_users')->setPrimaryIdentity($user['id'], $identity['id']); - } + $user = Mage::getModel('zendesk/api_users')->find($currentEmail); + if($previousEmail !== $currentEmail) { + if(!isset($user['id'])) { + $user = $this->createAccount($info); } } - if(!$user) { - $user = Mage::getModel('zendesk/api_users')->find($email); - } - if(isset($user['id'])) { - $this->syncData($info); - } else { - $info['user']['verified'] = true; - $user = Mage::getModel('zendesk/api_users')->create($info); - } return $user; } - private function syncData($info) + private function createAccount($data) { - Mage::getModel('zendesk/api_users')->create($info); + $data['user']['verified'] = false; + $user = Mage::getModel('zendesk/api_users')->create($data); + return $user; } } diff --git a/src/app/code/community/Zendesk/Zendesk/Model/Api/Users.php b/src/app/code/community/Zendesk/Zendesk/Model/Api/Users.php index 63ef4f8f..5104551c 100644 --- a/src/app/code/community/Zendesk/Zendesk/Model/Api/Users.php +++ b/src/app/code/community/Zendesk/Zendesk/Model/Api/Users.php 
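Review bot: `$user = Mage::getModel('zendesk/api_users')->find($currentEmail);` still binds the store account to whichever Zendesk user matches an address the customer typed into their own profile; the commit stops adding verified identities, but this lookup by an unverified email remains the only link between a Magento customer and a Zendesk user, and what the stored zendesk id grants is not visible in this diff, so its consumers should be checked for that. When the email is unchanged and no Zendesk user exists the method now returns null rather than creating one, and `Customer::syncronize` in this same patch reads `$customerData['id']` unconditionally and saves it, which would overwrite a previously stored zendesk id with null; either return early with `if (!isset($user['id'])) { return null; }` and have the caller test `isset($customerData['id'])` before `setZendeskId`, or document the null return. `createAccount` likewise passes through the null that `create()` returns when the response carries no user, so a failed creation is indistinguishable from "no user" to callers.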
@@ -55,56 +55,50 @@ public function all()
 {
 $page = 1;
 $users = array();
- 
+
 while($page && $response = $this->_call('users.json?page=' . $page)) {
 $users = array_merge($users, $response['users']);
 $page = is_null($response['next_page']) ? 0 : $page + 1;
 }
- 
+
 return $users;
 }
- 
+
 public function end($id)
 {
 if(!Zend_Validate::is($id, 'NotEmpty')) {
 throw new InvalidArgumentException('No ID value provided');
 }
- 
+
 $response = $this->_call('end_users/'. $id .'.json');
- 
+
 return (isset($response['user']) ? $response['user'] : null);
 }
- 
+
 public function getIdentities($id)
 {
 $response = $this->_call('users/' . $id . '/identities.json');
 return (isset($response['identities']) ? $response['identities'] : null);
 }
- 
- public function setPrimaryIdentity($user_id, $identity_id)
- {
- $response = $this->_call('users/' . $user_id . '/identities/'.$identity_id.'/make_primary.json', null, 'PUT', null, true);
- return (isset($response['identities']) ? $response['identities'] : null);
- }
- 
+
 public function addIdentity($user_id, $data)
 {
 $response = $this->_call('users/' . $user_id . '/identities.json', null, 'POST', $data, true);
 return (isset($response['identity']) ? $response['identity'] : null);
 }
- 
+
 public function update($user_id, $user)
 {
 $response = $this->_call('users/' . $user_id . '.json', null, 'PUT', $user, true);
 return (isset($response['user']) ? $response['user'] : null);
 }
- 
+
 public function create($user)
 {
 $response = $this->_call('users.json', null, 'POST', $user, true);
 return (isset($response['user']) ? $response['user'] : null);
 }
- 
+
 public function createUserField($field)
 {
 $response = $this->_call('user_fields.json', null, 'POST', $field, true);
@@ -112,13 +106,13 @@ public function createUserField($field)
 if(!isset($response['user_field'])) {
 throw new Exception('No User Field specified.');
 }
- 
+
 return $response['user_field'];
 }
 
 /**
 * Fetch all user fields
- 
+ *
 * @return array $userFields
 */
 public function getUserFields()
@@ -129,7 +123,7 @@ public function getUserFields()
 $userFields = array_merge($userFields, $response['user_fields']);
 $page = is_null($response['next_page']) ? 0 : $page + 1;
 }
- 
+
 return $userFields;
 }
 }
diff --git a/src/app/code/community/Zendesk/Zendesk/Model/Customer.php b/src/app/code/community/Zendesk/Zendesk/Model/Customer.php
index c60705b6..93c13214 100644
--- a/src/app/code/community/Zendesk/Zendesk/Model/Customer.php
+++ b/src/app/code/community/Zendesk/Zendesk/Model/Customer.php
@@ -14,7 +14,7 @@ public function syncronize(){
 Mage::log('Synchronization started', null, 'zendesk.log');
 try {
 Mage::log('Synchronizing customer with id '.$customer->getId(), null, 'zendesk.log');
- $customerData = Mage::helper('zendesk/sync')->getCustomerData($customer);
+ $customerData = Mage::helper('zendesk/sync')->syncCustomer($customer);
 $zendeskId = $customerData['id'];
 $customer->setZendeskId($zendeskId);
 $customer->save();
@@ -25,8 +25,6 @@ public function syncronize(){
 return;
 }
 Mage::log('Synchronization completed successfully', null, 'zendesk.log');
- 
- 
 }
 }
 }
diff --git a/src/app/code/community/Zendesk/Zendesk/Model/Observer.php b/src/app/code/community/Zendesk/Zendesk/Model/Observer.php
index b2f878f1..9d5ee93a 100644
--- a/src/app/code/community/Zendesk/Zendesk/Model/Observer.php
+++ b/src/app/code/community/Zendesk/Zendesk/Model/Observer.php
@@ -104,110 +104,18 @@ public function addTicketButton(Varien_Event_Observer $event)
 ));
 }
 }
- 
+
 public function changeIdentity(Varien_Event_Observer $event)
 {
- if(!Mage::getStoreConfig('zendesk/general/customer_sync'))
- return;
- 
- $user = null;
 $customer = $event->getCustomer();
- $email = $customer->getEmail();
- $orig_email = $customer->getOrigData();
- $orig_email = $orig_email['email'];
- 
- //Get Customer Group
- $group_id = $customer->getGroupId();
- $group = Mage::getModel('customer/group')->load($group_id);
- 
- //Get Customer Last Login Date
- $log_customer = Mage::getModel('log/customer')->loadByCustomer($customer);
- if ($log_customer->getLoginAt())
- $logged_in = date("Y-m-d\TH:i:s\Z",strtotime($log_customer->getLoginAt()));
- else
- $logged_in = "";
- 
- //Get Customer Sales Statistics
- $order_totals = Mage::getResourceModel('sales/order_collection');
- $lifetime_sale = 0;
- $average_sale = 0;
- 
- if (is_object($order_totals)) {
- $order_totals
- ->addFieldToFilter('customer_id', $customer->getId())
- ->addFieldToFilter('status', Mage_Sales_Model_Order::STATE_COMPLETE);
- 
- $order_totals->getSelect()
- ->reset(Zend_Db_Select::COLUMNS)
- ->columns(new Zend_Db_Expr("SUM(grand_total) as total"))
- ->columns(new Zend_Db_Expr("AVG(grand_total) as avg_total"))
- ->group('customer_id');
- 
- if (count($order_totals) > 0) {
- $sum = (float) $order_totals->getFirstItem()->getTotal();
- $avg = (float) $order_totals->getFirstItem()->getAvgTotal();
- 
- $lifetime_sale = Mage::helper('core')->currency($sum, true, false);
- $average_sale = Mage::helper('core')->currency($avg, true, false);
- }
- }
- 
- $info['user'] = array(
- "name" => $customer->getFirstname() . " " . $customer->getLastname(),
- "email" => $email,
- "user_fields" => array(
- "group" => $group->getCode(),
- "name" => $customer->getFirstname() . " " . $customer->getLastname(),
- "id" => $customer->getId(),
- "logged_in" => $logged_in,
- "average_sale" => $average_sale,
- "lifetime_sale" => $lifetime_sale
- )
- );
- 
- if($orig_email && $orig_email !== $email) {
- $user = Mage::getModel('zendesk/api_users')->find($orig_email);
- 
- if(isset($user['id'])) {
- $data['identity'] = array(
- 'type' => 'email',
- 'value' => $email,
- 'verified' => true
- );
- $identity = Mage::getModel('zendesk/api_users')->addIdentity($user['id'],$data);
- if(isset($identity['id'])) {
- Mage::getModel('zendesk/api_users')->setPrimaryIdentity($user['id'], $identity['id']);
- }
- }
- }
- 
- if(!$user) {
- $user = Mage::getModel('zendesk/api_users')->find($email);
- }
- 
- if(isset($user['id'])) {
- $this->syncData($user['id'], $info);
- } else {
- $info['user']['verified'] = true;
- $this->createAccount($info);
- }
- }
- 
- public function syncData($user_id, $data)
- {
- Mage::getModel('zendesk/api_users')->update($user_id, $data);
+ Mage::helper('zendesk/sync')->syncCustomer($customer);
 }
- 
- public function createAccount($data)
- {
- Mage::getModel('zendesk/api_users')->create($data);
- }
- 
+
 public function checkSsoRedirect($user)
 {
 if (
- Mage::helper('zendesk')->isSSOAdminUsersEnabled() &&
- Mage::app()->getRequest()->getControllerName() === 'zendesk' &&
+ Mage::helper('zendesk')->isSSOAdminUsersEnabled() &&
+ Mage::app()->getRequest()->getControllerName() === 'zendesk' &&
 Mage::app()->getRequest()->getActionName() === 'authenticate'
 ) {
 Mage::app()->getResponse()
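Review bot: `Mage::helper('zendesk/sync')->syncCustomer($customer);` now performs the Zendesk lookup and, when needed, the user creation synchronously inside the customer-save observer with no error handling, while the same call in `Customer::syncronize` in this patch sits inside a try block; if the API client raises on transport or HTTP failures — not visible here — a Zendesk outage would abort customer saves, so wrap this call and log the failure the way syncronize does. The method keeps its old name `changeIdentity` but now does a plain sync and discards the returned user, which is worth stating at the call site: `// Customer-save hook: resolve or create the matching Zendesk user; the result is intentionally not stored here.` The checkSsoRedirect lines in this hunk only reflow the condition; that method continues past the hunk.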