Developer forum


Using the WebApi, in DW 9, to get carts by customer number

Lasse Larsen

Hi DW,

We have a case where users, from the same company, should be able to see the currently open carts from the other users.

Would it be possible to get an endpoint where we can get carts by either customer number or something like a query?


Replies

Nicolai Pedersen Dynamicweb Employee
This post has been marked as an answer

Yes.

I have created a pull request in devops#12284 to add an additional endpoint that gets all carts by the current logged in users customer number.

Lasse Larsen

Do you know when we could expect this to be released, and what release it's going to be a part of?

Nicolai Pedersen Dynamicweb Employee

It is currently stuck in code review because of security issues we need to work around.

The problem is that when I am logged in as a user, I can patch myself with a customer number that is another user's customer number, and then see their orders...

Anders Ebdrup

Dear Nicolai,

Can you please give an update on this one, as we are awaiting it for a project?

Best regards, Anders

Nicolai Pedersen Dynamicweb Employee

We have not yet come up with a solution that is not a security breach.

So the best thing we can do currently is to add a setting that will enable this endpoint and it has to be activated in order to work.

It will come with a security breach, as any logged in user can make a patch on themselves and update their customer number and see other customers' orders.

Another option is to calculate a checksum of the userid + customer number and store it on the user - and only if they match a request will its orders be returned. This will have the effect that new users and users that change their customer number need someone to 'Approve' from the backend that the customer number is OK.

If you have other great ideas, I am happy to hear it.

Nicolai Pedersen Dynamicweb Employee

Last option could be to have a setting that disallows changing customer numbers through the webapi - this would be breaking, though.
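As an added illustration (not Dynamicweb's code, and in Python rather than .NET) of the two mitigations discussed in the last two posts: the backend-minted checksum that binds a user id to a customer number and is verified before carts are returned by customer number, and the setting that refuses customer-number changes through the API. The secret, field names and sample carts are constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Assumption: a server-held secret; it never leaves the backend.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

def approval_mac(user_id: int, customer_number: str) -> str:
    """HMAC binding one user id to one customer number; only the backend can mint it."""
    msg = f"{user_id}:{customer_number}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

@dataclass
class User:
    user_id: int
    customer_number: str
    approval: str = ""  # written only by approve(), never via the API

def approve(user: User) -> None:
    """The backend 'Approve' step from the thread: stamp the user's current customer number."""
    user.approval = approval_mac(user.user_id, user.customer_number)

def patch_user(user: User, fields: dict, allow_customer_number_patch: bool = False) -> dict:
    """Frontend PATCH on the user; customerNumber is refused unless the opt-in setting is on."""
    if "customerNumber" in fields:
        if not allow_customer_number_patch:
            return {"status": 403, "error": "customerNumber cannot be changed through the API"}
        user.customer_number = fields["customerNumber"]
        user.approval = ""  # a changed number drops the old approval until re-approved
    return {"status": 200}

def get_carts(user: User, carts: list, by_customer_number: bool = False) -> dict:
    """GET /carts; with by_customer_number the approval stamp must match before widening scope."""
    if not by_customer_number:
        return {"status": 200, "carts": [c["id"] for c in carts if c["user_id"] == user.user_id]}
    if not user.customer_number:
        return {"status": 404, "error": "current user has no customer number"}
    expected = approval_mac(user.user_id, user.customer_number)
    if not hmac.compare_digest(user.approval, expected):
        return {"status": 403, "error": "customer number not approved for this user"}
    return {"status": 200, "carts": [c["id"] for c in carts if c["customer_number"] == user.customer_number]}

# Constructed sample data: three open carts across two customer numbers.
SAMPLE_CARTS = [
    {"id": 1, "user_id": 1, "customer_number": "C-100"},
    {"id": 2, "user_id": 3, "customer_number": "C-100"},
    {"id": 3, "user_id": 2, "customer_number": "C-200"},
]
```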

Anders Ebdrup

Dear Nicolai,

I understand the issue...

From a business logic perspective it does not make sense that the users should be able to update their customer number from the frontend.

So, though it will be a breaking change, I would go for a solution where I will need to enable the behaviour in order to make it possible to change the customer number from the api, as this will be a very special case. Otherwise the user should have impersonation rights to be able to change a user's customer number.

That's my 5 cents.

Best regards, Anders

Lasse Larsen

Hi Nicolai,

Do you have an update on this issue?

Anders Ebdrup

Dear Dynamicweb,

I hope that we can get an update on this one, please?

Best regards, Anders

Anders Ebdrup

Dear Dynamicweb,

Is there a timeline for solving the issue here?

Best regards, Anders

Nicolai Pedersen Dynamicweb Employee

It was released in Dynamicweb.Ecommerce.WebAPI version 0.14.17

You have an additional option on the /carts endpoint - set it to true to retrieve orders by the user customer number.

If the current user does not have a customer number, a 404 is returned.
