
[Issue] Only deny customer access to order if it actually exists

Open m2-assistant[bot] opened this issue 1 year ago • 4 comments

This issue is automatically created based on existing pull request: magento/magento2#38647: Only deny customer access to order if it actually exists


Description (*)

This allows loading nonexistent orders by customer. Before: loading an empty order as a customer would trigger this check, resulting in "No such entity with orderId = ", as there is no orderId yet because the order doesn't exist yet, which means the order should be allowed.

After: loading an empty order results in the empty order being returned; if it is a preexisting order, the old checks apply.

Contribution checklist (*)

  • [x] Pull request has a meaningful description of its purpose
  • [x] All commits are accompanied by meaningful commit messages
  • [ ] All new or changed code is covered with unit/integration tests (if applicable)
  • [ ] README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • [ ] All automated tests passed successfully (all builds are green)

m2-assistant[bot], Apr 23 '24 11:04

Hi @engcom-November. Thank you for working on this issue. In order to make sure that the issue has enough information and is ready for development, please read and check the following instructions:

  • [ ] 1. Verify that the issue has all the required information (Preconditions, Steps to reproduce, Expected result, Actual result).
  • [ ] 2. Verify that the issue has a meaningful description and provides enough information to reproduce the issue.
  • [ ] 3. Add the Area: XXXXX label to the ticket, indicating the functional areas it may be related to.
  • [ ] 4. Verify that the issue is reproducible on the 2.4-develop branch.
    Details:
    - Add the comment @magento give me 2.4-develop instance to deploy a test instance on Magento infrastructure.
    - If the issue is reproducible on the 2.4-develop branch, please add the label Reproduced on 2.4.x.
    - If the issue is not reproducible, add a comment that the issue is not reproducible, close the issue and stop the verification process here!
  • [ ] 5. Add the label Issue: Confirmed once verification is complete.
  • [ ] 6. Make sure that the automatic system confirms that the report has been added to the backlog.

m2-assistant[bot], May 10 '24 08:05

Hello @indykoning,

Thank you for the report and collaboration!

Could you elaborate on the issue and also let us know its impact, the steps to reproduce it and the use case?

engcom-November, May 10 '24 08:05

In our specific use case a project wanted randomised order increment ids. As a safeguard we check if this increment id already exists in the database using the following snippet:

```php
/** @var \Magento\Sales\Api\Data\OrderInterface $this->order */
// true when no order with this increment id is stored yet (an empty model is returned)
$this->order->loadByIncrementId($incrementId)->getEntityId() === null
```

(Note that we purposefully do not catch NoSuchEntityException, as the function is designed to always return an order: either an existing one or a new one.)

This calls $this->order->loadByAttribute('increment_id', $incrementId) and eventually calls the load function.

Since a completely empty Order model is returned (which it should), the Authorisation check referenced in the PR fails because it tries to check a customer id which does not exist.

  • For guests this isn't an issue since they have no customer id and the security check is not triggered
  • For customers this means their order cannot be placed because we didn't catch the exception

By checking whether the Order exists in the first place before doing the security check we prevent this exception.

indykoning, May 16 '24 13:05
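The guard described in the comment above, as an added illustration that is not Magento's own plugin code: the ownership comparison between the loaded order and the logged-in customer is performed only when the model actually has an entity id. `OrderOwnershipGuard` is a hypothetical class; it assumes Magento's `OrderInterface`, `UserContextInterface` and `__()` translation helper are available.

```php
<?php
declare(strict_types=1);

use Magento\Authorization\Model\UserContextInterface;
use Magento\Framework\Exception\NoSuchEntityException;
use Magento\Sales\Api\Data\OrderInterface;

/**
 * Hypothetical guard (not Magento's plugin) reproducing the check discussed in the thread.
 */
class OrderOwnershipGuard
{
    public function __construct(private readonly UserContextInterface $userContext)
    {
    }

    /**
     * Before: every loaded order is checked, so a freshly constructed, empty model
     * (entity_id null) is rejected for logged-in customers because its customer_id
     * is null and never equals the session's customer id.
     */
    public function assertAllowedBefore(OrderInterface $order): void
    {
        if (!$this->belongsToCurrentCustomer($order)) {
            throw new NoSuchEntityException(
                __('No such entity with orderId = %1', $order->getEntityId())
            );
        }
    }

    /**
     * After: an order that was not loaded from the database carries no persisted
     * data to protect, so the ownership comparison is skipped for it; any order
     * that does exist still goes through the unchanged check.
     */
    public function assertAllowedAfter(OrderInterface $order): void
    {
        if ($order->getEntityId() === null) {
            return; // empty model: nothing exists yet that access could be denied to
        }
        $this->assertAllowedBefore($order);
    }

    private function belongsToCurrentCustomer(OrderInterface $order): bool
    {
        // Guests and admin/integration users are not subject to the customer ownership check.
        if ($this->userContext->getUserType() !== UserContextInterface::USER_TYPE_CUSTOMER) {
            return true;
        }
        return (int) $order->getCustomerId() === (int) $this->userContext->getUserId();
    }
}
```

The skip is keyed on the persisted entity id, which the caller does not control, so an order that was genuinely loaded for another customer is still rejected exactly as before.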

Hello @indykoning,

Thank you for the detailed explanation.

Looks like you are returning an empty order, due to which the isAllowed method is returning false because this empty order does not have a CustomerId. This can be considered a feature request because this happens only when the order is empty. Hence marking it the same.

Thank you.

engcom-November, May 21 '24 08:05