MDVA-39031: Adding unassigned products to cart possible via GraphQL

The MDVA-39031 patch solves the issue where adding a product to the cart via GraphQL is possible even if it is not assigned to the target website. This patch is available when the Quality Patches Tool (QPT) 1.1.6 is installed. The patch ID is MDVA-39031. Please note that the issue is scheduled to be fixed in Adobe Commerce 2.4.4.

Affected products and versions

The patch is created for Adobe Commerce version:

  • Adobe Commerce (all deployment methods) 2.4.2-p1

Compatible with Adobe Commerce versions:

  • Adobe Commerce (all deployment methods) 2.4.2 - 2.4.3-p1
NOTE
The patch might become applicable to other versions with new Quality Patches Tool releases. To check if the patch is compatible with your Adobe Commerce version, update the magento/quality-patches package to the latest version and check the compatibility on the Quality Patches Tool: Search for patches page. Use the patch ID as a search keyword to locate the patch.

Issue

Adding a product to the cart via GraphQL is possible even if it is not assigned to the target website.

Steps to reproduce:

  1. Create a secondary website.

  2. Create a product and assign it to the primary website.

  3. Create an empty cart for the secondary website using GraphQL.

    code language-graphql
    
     mutation{
      createEmptyCart
     }
    
    

    With headers like:

    code language-graphql
    
     {
       "Store":"en_au"
     }
    
    
  4. Add the product assigned to the primary website to the cart in secondary website.

    code language-graphql
    
     mutation {
       addProductsToCart(
           cartId: "XHrUN2nJ37OqDByhtL0VC8OxYsEZs41c"
           cartItems: [
             {
               quantity: 1
               sku: "p1"
             }
           ]
         ) {
           cart {
            items {
             product {
               name
               sku
             }
             quantity
           }
         }
       }
     }
    
    

    Headers

    code language-graphql
    
     {
       "Store":"en_au"
     }
    
    

Expected results:

The product is not added to the cart because it was not assigned to the store defined in the header.

Actual results:

The product gets added to the cart successfully.

Apply the patch

To apply individual patches, use the following links depending on your deployment method:

To learn more about Quality Patches Tool, refer to:

For info about other patches available in QPT, refer to Patches available in QPT in our developer documentation.

recommendation-more-help
8bd06ef0-b3d5-4137-b74e-d7b00485808a