VCST-3912: Add extension points for hiding prices #472
vc-ci
left a comment
Test Suite: Test Suites/Modules/module_Assets
Tests: 13
Failures: 0
Errors: 0
Time: 7.617
Timestamp: 30-10-2025T08:29:08
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Reviewed by Cursor Bugbot for commit 601d142.
| searchCriteria.Skip = skip; | ||
| searchCriteria.WithPrototypes = true; | ||
| var searchResult = await _customerOrderSearchService.SearchAsync(searchCriteria); | ||
| var searchResult = await _customerOrderDataProtectionService.SearchAsync(searchCriteria); |
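Review bot: on the `SearchAsync` line that now calls `_customerOrderDataProtectionService`, the export's content depends on whichever user that service resolves at run time, and nothing in this paging loop checks that a user was resolved at all. Suggest validating the caller before the loop (fail the export, or log that prices are being withheld) and adding a comment on this line stating that exported prices are permission-filtered, so a price-stripped file is never produced silently.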
Export strips prices when no user context exists
High Severity
The export now uses CustomerOrderDataProtectionService.SearchAsync which strips all price data when GetCurrentUser() returns null (i.e., CanReadPrices returns false for null users). In background or non-HTTP contexts the user resolver may yield null, causing a complete loss of price information in exported data. The previous implementation used the raw search service without any price filtering.
🧪 Katalon Test Report — ✅ PASSED
Description
References
QA-test:
Jira-link: https://virtocommerce.atlassian.net/browse/VCST-3912
Artifact URL: https://vc3prerelease.blob.core.windows.net/packages/VirtoCommerce.Orders_3.1005.0-pr-472-c360.zip
Note
Medium Risk
Introduces a new cross-cutting data-protection layer that conditionally strips/restores pricing fields based on user permissions, affecting multiple API, export/import, and UI paths; mistakes could leak or incorrectly zero-out price data.
Overview
Adds ICustomerOrderDataProtectionService and a default CustomerOrderDataProtectionService that enforces price visibility by reducing order/payment/shipment/line-item price fields for users without ReadPrices, and restoring original prices on save.
Wires this service through Orders API search/get/save endpoints and export/import, replaces the previous web authorization handler implementation with a shared OrdersModule.Data.Authorization.OrderAuthorizationHandler/OrderAuthorizationContext, and updates UI price rendering to rely on a new withPrices flag returned per operation instead of checking permissions client-side.
Adds a core FillChildOperations() extension (deprecating FillAllChildOperations), updates clone/reduce/restore logic across order models, and includes a sample module override demonstrating store-based price permissions plus a regression test for cloning/child operation linkage.
Reviewed by Cursor Bugbot for commit c360f0b.
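The reduce-on-read and restore-on-save behaviour described in the overview, together with the null-user case raised in the review comment on the export change, as an added C# example. It is not code from this PR or from VirtoCommerce: `PriceGuard`, `Order`, `User` and the string check for "ReadPrices" are hypothetical stand-ins, and the sample order is constructed.

```csharp
// Added example: every type and member below is hypothetical, not VirtoCommerce code.
using System;
using System.Collections.Generic;

User? user = null;                                   // constructed case: background job, no user resolved
var guard = new PriceGuard(() => user);
guard.Seed(new Order { Id = "CO-1", Total = 99.50m });
var reduced = guard.Get("CO-1");                     // reduced copy for a caller without ReadPrices
guard.Save(reduced);                                 // saving it must not zero the stored total
user = new User(new HashSet<string> { "ReadPrices" });
var full = guard.Get("CO-1");
Console.WriteLine($"reduced: {reduced.Total} (WithPrices={reduced.WithPrices}); stored: {full.Total}");

public record User(HashSet<string> Permissions);
public class Order
{
    public string Id { get; set; } = "";
    public decimal Total { get; set; }
    public bool WithPrices { get; set; } = true;
    public Order Clone() => (Order)MemberwiseClone();
}

public class PriceGuard
{
    private readonly Dictionary<string, Order> _store = new();  // stands in for the repository
    private readonly Func<User?> _currentUser;                  // may yield null outside an HTTP request
    public PriceGuard(Func<User?> currentUser) => _currentUser = currentUser;

    // Fail closed: no resolved user means no price access.
    private bool CanReadPrices() => _currentUser()?.Permissions.Contains("ReadPrices") == true;
    public void Seed(Order order) => _store[order.Id] = order.Clone();

    // Read path: callers without the permission get a reduced copy.
    public Order Get(string id)
    {
        var copy = _store[id].Clone();
        if (!CanReadPrices()) { copy.Total = 0m; copy.WithPrices = false; }
        return copy;
    }

    // Save path: restore stored prices so a reduced order cannot overwrite them with zeros.
    public void Save(Order incoming)
    {
        var toStore = incoming.Clone();
        if (!CanReadPrices() && _store.TryGetValue(incoming.Id, out var original))
            toStore.Total = original.Total;
        toStore.WithPrices = true;
        _store[toStore.Id] = toStore;
    }
}
```

Because the guard fails closed, a caller with no resolved user gets the reduced copy, which is the export behaviour the review flags; a job that legitimately needs prices has to supply an identity that holds the permission.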