VCST-3912: Add extension points for hiding prices #472
Conversation

vc-ci left a comment

Katalon Test Report: PASSED
Test Suite: Test Suites/Modules/module_Assets
Tests: 13
Failures: 0
Errors: 0
Time: 7.617
Timestamp: 30-10-2025T08:29:08
| searchCriteria.Skip = skip; | ||
| searchCriteria.WithPrototypes = true; | ||
| var searchResult = await _customerOrderSearchService.SearchAsync(searchCriteria); | ||
| var searchResult = await _customerOrderDataProtectionService.SearchAsync(searchCriteria); |
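Review bot: the replaced call on the last line makes the exported price content depend on whichever user `_customerOrderDataProtectionService` resolves internally, and nothing in these lines passes a principal in, so an export started from a background job or any non-HTTP caller has no user to evaluate and silently loses every price. Either give the export path an explicit user (or an explicit with-prices decision) and pass it through, or keep `_customerOrderSearchService.SearchAsync(searchCriteria)` here and apply the protection service afterwards only when a user is present; in both cases add a test for the null-user case so the behaviour is chosen rather than accidental.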
Export strips prices when no user context exists
High Severity
The export now uses CustomerOrderDataProtectionService.SearchAsync which strips all price data when GetCurrentUser() returns null (i.e., CanReadPrices returns false for null users). In background or non-HTTP contexts the user resolver may yield null, causing a complete loss of price information in exported data. The previous implementation used the raw search service without any price filtering.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 601d142.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
There are 3 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 7ffb473.
| { | ||
| return Forbid(); | ||
| } | ||
| var result = await searchService.SearchAsync(searchCriteria); |
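Review bot: `searchService.SearchAsync(searchCriteria)` on the last line runs with `searchCriteria` exactly as built above, and nothing visible narrows it to the caller's stores; when the per-order authorization that follows then answers 403 for an order outside the caller's scope, the 403/404 difference confirms to a scoped caller whether a number, id or outer id exists. Fold the caller's store scope into `searchCriteria` before the search so an out-of-scope order is a plain not-found, and reserve the `Forbid()` above for callers who lack the read permission altogether.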
Scoped GET leaks order existence
Medium Severity
GetByNumber, GetById, and GetByOuterId load the order before read authorization and no longer apply store filters on the query. A caller with scoped read access gets 403 Forbidden when an order exists outside their stores but 404 when it does not, revealing whether a number, id, or outer id is valid.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit 7ffb473.
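One way to close the 403/404 gap described in the comment above, as an added illustration rather than code from this PR or the VirtoCommerce repository: the `Order` record, the in-memory list standing in for the search service, and the method names are assumed, and the sample orders are constructed.

```csharp
// Added illustration of the fix for the "Scoped GET leaks order existence"
// comment. Not VirtoCommerce code: the Order shape, the in-memory list that
// stands in for the search service, and the method names are assumed.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed record Order(string Id, string Number, string StoreId);

public sealed class ScopedOrderReader
{
    private readonly List<Order> _orders;

    public ScopedOrderReader(IEnumerable<Order> orders) => _orders = orders.ToList();

    // Shape the review comment describes: load first, authorize afterwards.
    // An existing out-of-scope order yields 403 while a missing one yields 404,
    // which lets a store-scoped caller probe which order numbers exist.
    public int GetByNumberLeaky(string number, IReadOnlySet<string>? allowedStores)
    {
        var order = _orders.FirstOrDefault(o => o.Number == number);
        if (order is null) return 404;
        if (allowedStores is not null && !allowedStores.Contains(order.StoreId)) return 403;
        return 200;
    }

    // Hardened shape: the caller's store scope is part of the query itself, so an
    // out-of-scope order is indistinguishable from a nonexistent one (404 for both).
    // allowedStores == null means an unscoped (global) reader.
    public (int Status, Order? Order) GetByNumber(string number, IReadOnlySet<string>? allowedStores)
    {
        var order = _orders.FirstOrDefault(o =>
            o.Number == number && (allowedStores is null || allowedStores.Contains(o.StoreId)));
        return order is null ? (404, null) : (200, order);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: one order per store.
        var reader = new ScopedOrderReader(new[]
        {
            new Order("1", "ORD-1001", "StoreA"),
            new Order("2", "ORD-1002", "StoreB"),
        });
        var storeAOnly = new HashSet<string> { "StoreA" };

        // A StoreA-scoped caller probes an in-scope, an out-of-scope and a missing number.
        foreach (var number in new[] { "ORD-1001", "ORD-1002", "ORD-9999" })
        {
            Console.WriteLine($"{number}: leaky={reader.GetByNumberLeaky(number, storeAOnly)} " +
                              $"hardened={reader.GetByNumber(number, storeAOnly).Status}");
        }
    }
}
```

The leaky method is kept only to show the contrast; in the hardened method the scope is a predicate on the query, which is the same property that the store filter on the search path used to provide.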
| public virtual void RestoreDetails(PaymentIn payment) | ||
| public override void RestoreDetails(OrderOperation operation) | ||
| { | ||
| Price = payment.Price; |
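Review bot: the override now takes `OrderOperation operation` but the body on the last line still reads `payment.Price`, so `payment` has to come from a cast of `operation` somewhere above these lines. Make that a checked cast (`if (operation is not PaymentIn payment) throw ...`, or return) rather than `(PaymentIn)operation`, so a call with another operation type fails with a clear message instead of an InvalidCastException; and since RestoreDetails is now centralized on OrderOperation, have this override chain to the base implementation so the nested children are restored as well, not only the payment's own fields.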
Capture refund prices still visible
Medium Severity
When prices are hidden, PaymentIn.ReduceDetails clears payment totals but not nested Capture or Refund operations. Blades now use currentEntity.withPrices, which stays default true on those children, so capture/refund amounts can display for users without order:read_prices.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit 7ffb473.
Description
References
QA-test:
Jira-link: https://virtocommerce.atlassian.net/browse/VCST-3912
Artifact URL: https://vc3prerelease.blob.core.windows.net/packages/VirtoCommerce.Orders_3.1009.0-pr-472-7ffb.zip
Note
Medium Risk
Changes how prices are exposed on read/save across APIs and export/import; incorrect overrides of `CanReadPrices` or restore logic could leak or corrupt pricing data, though default behavior mirrors the prior `ReadPrices` check.

Overview
Introduces `ICustomerOrderDataProtectionService` as the central place to strip or restore order prices based on the current user (default: global `order:read_prices`), with overridable `CanReadPrices` for custom rules. Order read/search/save/export paths and the API controller now go through this service instead of hiding prices inside `OrderAuthorizationHandler`. `OrderOperation.WithPrices` is set when prices are removed via `ReduceDetails`, and the admin UI uses `withPrices` (not client-side permission checks) to mask totals. `ReduceDetails`/`RestoreDetails` are centralized on `OrderOperation` and expanded for nested operations; `FillChildOperations` moves to Core (Data helper obsoleted). `OrderAuthorizationHandler` moves to the Data layer with an extensible `OrderAuthorizationContext` (store / responsible scopes only). The OrdersModule2 sample registers `SampleCustomerOrderDataProtectionService` and store-type permissions as an extension example.

Reviewed by Cursor Bugbot for commit 7ffb473. Bugbot is set up for automated code reviews on this repo.
ICustomerOrderDataProtectionServiceas the central place to strip or restore order prices based on the current user (default: globalorder:read_prices), with overridableCanReadPricesfor custom rules. Order read/search/save/export paths and the API controller now go through this service instead of hiding prices insideOrderAuthorizationHandler.OrderOperation.WithPricesis set when prices are removed viaReduceDetails, and the admin UI useswithPrices(not client-side permission checks) to mask totals.ReduceDetails/RestoreDetailsare centralized onOrderOperationand expanded for nested operations;FillChildOperationsmoves to Core (Data helper obsoleted).OrderAuthorizationHandlermoves to the Data layer with an extensibleOrderAuthorizationContext(store / responsible scopes only). The OrdersModule2 sample registersSampleCustomerOrderDataProtectionServiceand store-type permissions as an extension example.Reviewed by Cursor Bugbot for commit 7ffb473. Bugbot is set up for automated code reviews on this repo. Configure here.