
VCST-3912: Add extension points for hiding prices #472 (Open)

artem-dudarev wants to merge 9 commits into dev from VCST-3912-hide-prices

Conversation

artem-dudarev (Collaborator) commented Oct 29, 2025

Description

[image]

References

QA-test:
Jira-link: https://virtocommerce.atlassian.net/browse/VCST-3912
Artifact URL: https://vc3prerelease.blob.core.windows.net/packages/VirtoCommerce.Orders_3.1009.0-pr-472-7ffb.zip


Note

Medium Risk
Changes how prices are exposed on read/save across APIs and export/import; incorrect overrides of CanReadPrices or restore logic could leak or corrupt pricing data, though default behavior mirrors the prior ReadPrices check.

Overview
Introduces ICustomerOrderDataProtectionService as the central place to strip or restore order prices based on the current user (default: global order:read_prices), with overridable CanReadPrices for custom rules. Order read/search/save/export paths and the API controller now go through this service instead of hiding prices inside OrderAuthorizationHandler.

OrderOperation.WithPrices is set when prices are removed via ReduceDetails, and the admin UI uses withPrices (not client-side permission checks) to mask totals. ReduceDetails / RestoreDetails are centralized on OrderOperation and expanded for nested operations; FillChildOperations moves to Core (Data helper obsoleted).

OrderAuthorizationHandler moves to the Data layer with an extensible OrderAuthorizationContext (store / responsible scopes only). The OrdersModule2 sample registers SampleCustomerOrderDataProtectionService and store-type permissions as an extension example.

Reviewed by Cursor Bugbot for commit 7ffb473.

cursor[bot]: earlier comment marked as outdated.


vc-ci (Contributor) left a comment

Test Suite: Test Suites/Modules/module_Assets
Tests: 13
Failures: 0
Errors: 0
Time: 7.617
Timestamp: 30-10-2025T08:29:08

Outdated comment threads: src/VirtoCommerce.OrdersModule.Web/Scripts/blades/customerOrder-list.tpl.html, src/VirtoCommerce.OrdersModule.Web/Module.cs
searchCriteria.Skip = skip;
searchCriteria.WithPrototypes = true;
var searchResult = await _customerOrderSearchService.SearchAsync(searchCriteria);
var searchResult = await _customerOrderDataProtectionService.SearchAsync(searchCriteria);
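Review bot: the swap to `_customerOrderDataProtectionService.SearchAsync` on the last line sits in an export path that runs without an HTTP request, so the service's current-user lookup can return null and every exported order comes out with its prices stripped. Either keep `_customerOrderSearchService.SearchAsync` here and apply the protection step only when a user is actually resolved, or give the protection service an explicit principal or system-context argument for background callers instead of letting a null user decide the outcome.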


Export strips prices when no user context exists

High Severity

The export now uses CustomerOrderDataProtectionService.SearchAsync which strips all price data when GetCurrentUser() returns null (i.e., CanReadPrices returns false for null users). In background or non-HTTP contexts the user resolver may yield null, causing a complete loss of price information in exported data. The previous implementation used the raw search service without any price filtering.

Additional Locations (1)

Reviewed by Cursor Bugbot for commit 601d142.

vc-ci (Contributor) commented Apr 9, 2026

🧪 Katalon Test Report — ✅ PASSED

Total: 13, Passed: 13, Failed: 0
Suite: Test Suites/Modules/module_Assets
Failures: 0
Errors: 0
Timestamp: 09-04-2026T14:57:17

View run · Commit: 94b7dbb

@artem-dudarev artem-dudarev requested a review from OlegoO April 9, 2026 13:53
sonarqubecloud Bot commented Apr 9, 2026

cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

There are 3 total unresolved issues (including 1 from previous review).


Reviewed by Cursor Bugbot for commit 7ffb473.

{
return Forbid();
}
var result = await searchService.SearchAsync(searchCriteria);
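Review bot: the `return Forbid();` before `searchService.SearchAsync(searchCriteria)` answers a scoped caller with 403, while the single-order getters named in the report below (GetByNumber, GetById, GetByOuterId) answer 404 for an unknown order, so the status code alone tells a caller whether a number, id or outer id exists. Fold the caller's store and responsible scope into `searchCriteria` (and into the query behind the getters) so out-of-scope orders are never loaded, and map the remaining not-visible case to the same 404 as not-found.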


Scoped GET leaks order existence

Medium Severity

GetByNumber, GetById, and GetByOuterId load the order before read authorization and no longer apply store filters on the query. A caller with scoped read access gets 403 Forbidden when an order exists outside their stores but 404 when it does not, revealing whether a number, id, or outer id is valid.

Additional Locations (2)

Reviewed by Cursor Bugbot for commit 7ffb473.
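The 403-versus-404 contrast in the finding above, as an added example that is not the OrdersModule's own code: a load-then-authorize lookup beside one that folds the caller's store and responsible scope into the query, so an order outside the caller's scope is indistinguishable from one that does not exist. The `Order` and `Scope` types, the `Covers` rule and the sample orders are constructed for illustration.

```csharp
// Added example, not the OrdersModule's code: the 403/404 contrast described
// above, next to a lookup that folds the caller's store/responsible scope into
// the query so an out-of-scope order is indistinguishable from a missing one.
// Names, scopes and the sample orders are constructed for illustration.
using System;
using System.Collections.Generic;
using System.Linq;

var orders = new List<Order>
{
    new("ORD-1001", "store-a", "manager-1"),
    new("ORD-1002", "store-b", "manager-2"),
    new("ORD-1003", "store-b", "manager-1"),
};
// Scoped caller: may read store-a plus any order they are responsible for.
var caller = new Scope(new HashSet<string> { "store-a" }, "manager-1");

foreach (var number in new[] { "ORD-1001", "ORD-1002", "ORD-1003", "ORD-9999" })
    Console.WriteLine($"{number}: load-then-check={LeakyGet(orders, caller, number)} " +
                      $"scoped-query={ScopedGet(orders, caller, number)}");

// Loads first and authorizes second: 403 for an existing order outside the
// caller's scope, 404 for a missing one, so the status code confirms whether
// the number is valid.
static int LeakyGet(List<Order> db, Scope caller, string number)
{
    var order = db.FirstOrDefault(o => o.Number == number);
    if (order is null) return 404;
    return caller.Covers(order) ? 200 : 403;
}

// Applies the scope inside the query, the way a store filter on the search
// criteria would: both cases fall through to the same 404.
static int ScopedGet(List<Order> db, Scope caller, string number)
{
    var order = db.FirstOrDefault(o => o.Number == number && caller.Covers(o));
    return order is null ? 404 : 200;
}

record Order(string Number, string StoreId, string ResponsibleId);

record Scope(HashSet<string> StoreIds, string UserId)
{
    // Store scope or responsible scope, the two scopes the PR's
    // OrderAuthorizationContext is described as supporting.
    public bool Covers(Order o) => StoreIds.Contains(o.StoreId) || o.ResponsibleId == UserId;
}
```

Run as a single-file .NET 6+ program (`dotnet run`). ORD-1002 is the case that matters: the load-then-check path returns 403 for it and 404 for ORD-9999, while the scoped query returns 404 for both.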

public virtual void RestoreDetails(PaymentIn payment)
public override void RestoreDetails(OrderOperation operation)
{
Price = payment.Price;
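Review bot: the signature now takes `OrderOperation operation`, but the visible body still reads `Price = payment.Price;`; unless a cast such as `var payment = (PaymentIn)operation;` sits between `{` and that line, this does not compile. Once restore lives on the base type, the same method should also walk the payment's nested Capture and Refund operations, and the matching `ReduceDetails` should clear them and reset their `WithPrices`, so the blades' `currentEntity.withPrices` check masks those amounts as well.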


Capture refund prices still visible

Medium Severity

When prices are hidden, PaymentIn.ReduceDetails clears payment totals but not nested Capture or Refund operations. Blades now use currentEntity.withPrices, which stays default true on those children, so capture/refund amounts can display for users without order:read_prices.

Additional Locations (2)

Reviewed by Cursor Bugbot for commit 7ffb473.
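An added example, not the OrdersModule's own code, that models the three pieces the PR overview and the two findings above turn on: a `ReduceDetails` that recurses into nested operations so capture and refund amounts are cleared with their parent, a `RestoreDetails` that copies persisted prices back before save so a client holding a reduced copy cannot write zeros, and a `CanReadPrices` that fails closed for a null user while the export path has to assert a system context explicitly. The type and member names (`OrderOperation`, `WithPrices`, `ReduceDetails`, `RestoreDetails`, `CanReadPrices`), the `Export`/`Save`/`Get` methods and the sample data are assumptions chosen to mirror the PR text, not the module's real API.

```csharp
// Added example modelling the pattern this PR describes; not the OrdersModule's
// own code. Type and member names are assumptions that mirror the PR text, and
// the orders and users below are constructed sample data.
using System;
using System.Collections.Generic;
using System.Linq;

// A payment with a nested capture and refund, as in the finding above.
var payment = new OrderOperation { Number = "PAY-1", Total = 100m, Sum = 100m };
payment.ChildOperations.Add(new OrderOperation { Number = "CAP-1", Total = 100m, Sum = 100m });
payment.ChildOperations.Add(new OrderOperation { Number = "REF-1", Total = 25m, Sum = 25m });
var db = new Dictionary<string, OrderOperation> { [payment.Number] = payment };
var svc = new CustomerOrderDataProtectionService(db);

// A user with order:read but without order:read_prices gets zeroed totals on
// the payment and on its children, with WithPrices=false on each of them.
var viewer = new User("viewer", new HashSet<string> { "order:read" });
var masked = svc.Get("PAY-1", viewer)!;
Console.WriteLine($"viewer: total={masked.Total} capture={masked.ChildOperations[0].Total} " +
                  $"refund={masked.ChildOperations[1].Total} withPrices={masked.WithPrices}");

// The viewer saves the masked copy back; persisted prices survive because
// Save restores them from the stored order before writing.
svc.Save(masked);
Console.WriteLine($"after save: total={db["PAY-1"].Total} refund={db["PAY-1"].ChildOperations[1].Total}");

// Background export with no resolvable user fails closed unless the caller
// explicitly asserts a system context.
Console.WriteLine($"export, null user: {svc.Export(null).First().Total}");
Console.WriteLine($"export, system context: {svc.Export(null, systemContext: true).First().Total}");

public record User(string Name, HashSet<string> Permissions);

public class OrderOperation
{
    public string Number { get; set; } = "";
    public decimal Total { get; set; }
    public decimal Sum { get; set; }
    public bool WithPrices { get; set; } = true;
    public List<OrderOperation> ChildOperations { get; } = new();

    // Clear price fields and flag the operation so the UI masks totals.
    // Recursing into ChildOperations keeps nested capture/refund amounts
    // from surfacing after the parent has been reduced.
    public virtual void ReduceDetails()
    {
        Total = 0m;
        Sum = 0m;
        WithPrices = false;
        foreach (var child in ChildOperations) child.ReduceDetails();
    }

    // Copy prices back from the persisted copy, matching children by position.
    public virtual void RestoreDetails(OrderOperation persisted)
    {
        Total = persisted.Total;
        Sum = persisted.Sum;
        WithPrices = true;
        foreach (var (mine, theirs) in ChildOperations.Zip(persisted.ChildOperations))
            mine.RestoreDetails(theirs);
    }
}

public class CustomerOrderDataProtectionService
{
    private readonly Dictionary<string, OrderOperation> _db;
    public CustomerOrderDataProtectionService(Dictionary<string, OrderOperation> db) => _db = db;

    // Default rule, overridable for custom policies: a null user (no HTTP
    // context) cannot read prices. An override returning true for null would
    // hand prices to every background caller.
    public virtual bool CanReadPrices(User? user) =>
        user is not null && user.Permissions.Contains("order:read_prices");

    public OrderOperation? Get(string number, User? user)
    {
        if (!_db.TryGetValue(number, out var order)) return null;
        var copy = Clone(order);
        if (!CanReadPrices(user)) copy.ReduceDetails();
        return copy;
    }

    // Export has no request principal; trust comes from an explicit flag,
    // never from the absence of a user.
    public IEnumerable<OrderOperation> Export(User? user, bool systemContext = false)
    {
        var allowed = systemContext || CanReadPrices(user);
        return _db.Values.Select(o =>
        {
            var copy = Clone(o);
            if (!allowed) copy.ReduceDetails();
            return copy;
        });
    }

    // A client that received a reduced copy must not persist zeros: restore
    // from the stored order whenever WithPrices is false.
    public void Save(OrderOperation incoming)
    {
        if (!incoming.WithPrices && _db.TryGetValue(incoming.Number, out var persisted))
            incoming.RestoreDetails(persisted);
        _db[incoming.Number] = incoming;
    }

    private static OrderOperation Clone(OrderOperation o)
    {
        var copy = new OrderOperation { Number = o.Number, Total = o.Total, Sum = o.Sum, WithPrices = o.WithPrices };
        copy.ChildOperations.AddRange(o.ChildOperations.Select(Clone));
        return copy;
    }
}
```

Run as a single-file .NET 6+ program. The two design choices worth carrying into the real service are the recursion in `ReduceDetails` (a flat clear on `PaymentIn` is exactly what leaves capture and refund totals visible) and the explicit `systemContext` flag on `Export`: treating a null user as trusted would make every background job a price oracle, while treating it as untrusted without an opt-in silently strips the export.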

sonarqubecloud Bot commented Jun 4, 2026

Quality Gate failed

Failed conditions
2 New Critical Issues (required ≤ 0)

See analysis details on SonarQube Cloud


3 participants