Resolve security vulnerability with Synchronize Customers feature
All customers are requested to download and install this release of the extension.
yoshdog committed Apr 24, 2020
1 parent 564e238 commit 746ccfa
Showing 4 changed files with 32 additions and 148 deletions.
42 changes: 13 additions & 29 deletions src/app/code/community/Zendesk/Zendesk/Helper/Sync.php
Expand Up @@ -2,14 +2,14 @@

class Zendesk_Zendesk_Helper_Sync extends Mage_Core_Helper_Abstract {

public function getCustomerData($customer){
public function syncCustomer($customer){
if(!Mage::getStoreConfig('zendesk/general/customer_sync'))
return;

$user = null;
$email = $customer->getEmail();
$origEmail = $customer->getOrigData();
$origEmail = $origEmail['email'];
$currentEmail = $customer->getEmail();
$previousCustomerData = $customer->getOrigData();
$previousEmail = $previousCustomerData['email'];
//Get Customer Group
$groupId = $customer->getGroupId();
$group = Mage::getModel('customer/group')->load($groupId);
Expand Down Expand Up @@ -48,7 +48,7 @@ public function getCustomerData($customer){

$info['user'] = array(
"name" => $customer->getFirstname() . " " . $customer->getLastname(),
"email" => $email,
"email" => $currentEmail,
"user_fields" => array(
"group" => $group->getCode(),
"name" => $customer->getFirstname() . " " . $customer->getLastname(),
Expand All @@ -59,36 +59,20 @@ public function getCustomerData($customer){
)
);

if($origEmail && $origEmail !== $email) {
$user = Mage::getModel('zendesk/api_users')->find($origEmail);

if(isset($user['id'])) {
$data['identity'] = array(
'type' => 'email',
'value' => $email,
'verified' => true
);
$identity = Mage::getModel('zendesk/api_users')->addIdentity($user['id'],$data);
if(isset($identity['id'])) {
Mage::getModel('zendesk/api_users')->setPrimaryIdentity($user['id'], $identity['id']);
}
$user = Mage::getModel('zendesk/api_users')->find($currentEmail);
if($previousEmail !== $currentEmail) {
if(!isset($user['id'])) {
$user = $this->createAccount($info);
}
}
if(!$user) {
$user = Mage::getModel('zendesk/api_users')->find($email);
}

if(isset($user['id'])) {
$this->syncData($info);
} else {
$info['user']['verified'] = true;
$user = Mage::getModel('zendesk/api_users')->create($info);
}
return $user;
}

private function syncData($info)
private function createAccount($data)
{
Mage::getModel('zendesk/api_users')->create($info);
$data['user']['verified'] = false;
$user = Mage::getModel('zendesk/api_users')->create($data);
return $user;
}
}
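Review bot: When the address changed and the lookup at L62 already returns a user for `$currentEmail`, `syncCustomer` hands that existing record back even though nothing established that the Magento customer owns the new address, and the caller in Model/Customer.php (L180-L183 on this page) stores its id as the customer's zendesk_id — so a customer who edits their email to someone else's address ends up linked to that person's Zendesk user, whatever the stored id is later used for. The branch should create an unverified account only when no user exists and otherwise refuse to link, e.g. return null and log. It is also not clear from the hunk why a customer whose address did not change is never created when the lookup misses (`$user` falls through as whatever `find()` returns); if that is intended, a comment such as `// unchanged address with no Zendesk user: nothing to link, caller handles a missing id` would help. Finally, `$previousCustomerData['email']` raises a notice when orig data carries no email key; `isset($previousCustomerData['email']) ? $previousCustomerData['email'] : null` avoids it.
```php
$user = Mage::getModel('zendesk/api_users')->find($currentEmail);
if($previousEmail !== $currentEmail && isset($user['id'])) {
    // the new address already belongs to a Zendesk user: never link to it
    Mage::log('Zendesk user already exists for ' . $currentEmail, null, 'zendesk.log');
    return null;
}
if($previousEmail !== $currentEmail) {
    $user = $this->createAccount($info);
}
return $user;
```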
32 changes: 13 additions & 19 deletions src/app/code/community/Zendesk/Zendesk/Model/Api/Users.php
Expand Up @@ -55,70 +55,64 @@ public function all()
{
$page = 1;
$users = array();

while($page && $response = $this->_call('users.json?page=' . $page)) {
$users = array_merge($users, $response['users']);
$page = is_null($response['next_page']) ? 0 : $page + 1;
}

return $users;
}

public function end($id)
{
if(!Zend_Validate::is($id, 'NotEmpty')) {
throw new InvalidArgumentException('No ID value provided');
}

$response = $this->_call('end_users/'. $id .'.json');

return (isset($response['user']) ? $response['user'] : null);
}

public function getIdentities($id)
{
$response = $this->_call('users/' . $id . '/identities.json');
return (isset($response['identities']) ? $response['identities'] : null);
}

public function setPrimaryIdentity($user_id, $identity_id)
{
$response = $this->_call('users/' . $user_id . '/identities/'.$identity_id.'/make_primary.json', null, 'PUT', null, true);
return (isset($response['identities']) ? $response['identities'] : null);
}


public function addIdentity($user_id, $data)
{
$response = $this->_call('users/' . $user_id . '/identities.json', null, 'POST', $data, true);
return (isset($response['identity']) ? $response['identity'] : null);
}

public function update($user_id, $user)
{
$response = $this->_call('users/' . $user_id . '.json', null, 'PUT', $user, true);
return (isset($response['user']) ? $response['user'] : null);
}

public function create($user)
{
$response = $this->_call('users.json', null, 'POST', $user, true);
return (isset($response['user']) ? $response['user'] : null);
}

public function createUserField($field)
{
$response = $this->_call('user_fields.json', null, 'POST', $field, true);

if(!isset($response['user_field'])) {
throw new Exception('No User Field specified.');
}

return $response['user_field'];
}

/**
* Fetch all user fields
*
*
* @return array $userFields
*/
public function getUserFields()
Expand All @@ -129,7 +123,7 @@ public function getUserFields()
$userFields = array_merge($userFields, $response['user_fields']);
$page = is_null($response['next_page']) ? 0 : $page + 1;
}

return $userFields;
}
}
4 changes: 1 addition & 3 deletions src/app/code/community/Zendesk/Zendesk/Model/Customer.php
Expand Up @@ -14,7 +14,7 @@ public function syncronize(){
Mage::log('Synchronization started', null, 'zendesk.log');
try {
Mage::log('Synchronizing customer with id '.$customer->getId(), null, 'zendesk.log');
$customerData = Mage::helper('zendesk/sync')->getCustomerData($customer);
$customerData = Mage::helper('zendesk/sync')->syncCustomer($customer);
$zendeskId = $customerData['id'];
$customer->setZendeskId($zendeskId);
$customer->save();
Expand All @@ -25,8 +25,6 @@ public function syncronize(){
return;
}
Mage::log('Synchronization completed successfully', null, 'zendesk.log');


}
}
}
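Review bot: `$customerData['id']` on L181 is read without checking that `syncCustomer` returned a user; the helper returns with no value when customer_sync is disabled and otherwise returns whatever `find()` yielded on a miss, so a missing user produces a notice and a `setZendeskId(null)` followed by a save. Guard it with `if(!isset($customerData['id'])) { Mage::log('No Zendesk user for customer ' . $customer->getId(), null, 'zendesk.log'); continue; }` — assuming this sits inside the per-customer loop, whose head begins before the hunk (`syncronize()` starts above L176). The try block's catch clause is also outside the visible lines, so I cannot tell whether an exception path already covers this case.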
102 changes: 5 additions & 97 deletions src/app/code/community/Zendesk/Zendesk/Model/Observer.php
Expand Up @@ -104,110 +104,18 @@ public function addTicketButton(Varien_Event_Observer $event)
));
}
}

public function changeIdentity(Varien_Event_Observer $event)
{
if(!Mage::getStoreConfig('zendesk/general/customer_sync'))
return;

$user = null;
$customer = $event->getCustomer();
$email = $customer->getEmail();
$orig_email = $customer->getOrigData();
$orig_email = $orig_email['email'];

//Get Customer Group
$group_id = $customer->getGroupId();
$group = Mage::getModel('customer/group')->load($group_id);

//Get Customer Last Login Date
$log_customer = Mage::getModel('log/customer')->loadByCustomer($customer);
if ($log_customer->getLoginAt())
$logged_in = date("Y-m-d\TH:i:s\Z",strtotime($log_customer->getLoginAt()));
else
$logged_in = "";

//Get Customer Sales Statistics
$order_totals = Mage::getResourceModel('sales/order_collection');
$lifetime_sale = 0;
$average_sale = 0;

if (is_object($order_totals)) {
$order_totals
->addFieldToFilter('customer_id', $customer->getId())
->addFieldToFilter('status', Mage_Sales_Model_Order::STATE_COMPLETE);

$order_totals->getSelect()
->reset(Zend_Db_Select::COLUMNS)
->columns(new Zend_Db_Expr("SUM(grand_total) as total"))
->columns(new Zend_Db_Expr("AVG(grand_total) as avg_total"))
->group('customer_id');

if (count($order_totals) > 0) {
$sum = (float) $order_totals->getFirstItem()->getTotal();
$avg = (float) $order_totals->getFirstItem()->getAvgTotal();

$lifetime_sale = Mage::helper('core')->currency($sum, true, false);
$average_sale = Mage::helper('core')->currency($avg, true, false);
}
}

$info['user'] = array(
"name" => $customer->getFirstname() . " " . $customer->getLastname(),
"email" => $email,
"user_fields" => array(
"group" => $group->getCode(),
"name" => $customer->getFirstname() . " " . $customer->getLastname(),
"id" => $customer->getId(),
"logged_in" => $logged_in,
"average_sale" => $average_sale,
"lifetime_sale" => $lifetime_sale
)
);

if($orig_email && $orig_email !== $email) {
$user = Mage::getModel('zendesk/api_users')->find($orig_email);

if(isset($user['id'])) {
$data['identity'] = array(
'type' => 'email',
'value' => $email,
'verified' => true
);
$identity = Mage::getModel('zendesk/api_users')->addIdentity($user['id'],$data);
if(isset($identity['id'])) {
Mage::getModel('zendesk/api_users')->setPrimaryIdentity($user['id'], $identity['id']);
}
}
}

if(!$user) {
$user = Mage::getModel('zendesk/api_users')->find($email);
}

if(isset($user['id'])) {
$this->syncData($user['id'], $info);
} else {
$info['user']['verified'] = true;
$this->createAccount($info);
}
}

public function syncData($user_id, $data)
{
Mage::getModel('zendesk/api_users')->update($user_id, $data);
Mage::helper('zendesk/sync')->syncCustomer($customer);
}

public function createAccount($data)
{
Mage::getModel('zendesk/api_users')->create($data);
}


public function checkSsoRedirect($user)
{
if (
Mage::helper('zendesk')->isSSOAdminUsersEnabled() &&
Mage::app()->getRequest()->getControllerName() === 'zendesk' &&
Mage::helper('zendesk')->isSSOAdminUsersEnabled() &&
Mage::app()->getRequest()->getControllerName() === 'zendesk' &&
Mage::app()->getRequest()->getActionName() === 'authenticate'
) {
Mage::app()->getResponse()
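Review bot: The new `changeIdentity` body at L291 passes `$customer` to `syncCustomer`, but no surviving line in this section assigns it; the old `$customer = $event->getCustomer();` (L206) sits inside the deleted run and the rendering has lost the +/- markers, so unless that line was kept as context the helper receives null and `$customer->getEmail()` fails. If it was removed, the fix is `$customer = $event->getCustomer();` before the call. Note also that the return value is discarded here, whereas Model/Customer.php stores it as the zendesk_id — whether the observer path should persist the id too is inferred from that other section, not shown in this hunk. `changeIdentity` closes at L292; the checkSsoRedirect hunk below is whitespace-only.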
