Vulnerability in EPiServer.Forms
When doing some debugging in a previous thread, I tried to understand a bit more on how/where the values of the discounts actually are applied to the lineitems.
This is by some extent modified by the PromotionEngineSettings, since you can set ApplyReward to true or false. True will have the calculated discount prices applied to the lineitems, where as False will just give you which rewardDescriptions that would've applied.
However, since manual promotions are handled outside of the promotionengine context, setting PromotionEngineSettings.ApplyReward = false won't change if it's actually applied or not.
I don't know if this is a bug or not though. Manual promotions are basically PromotionInformation objects with Type=Manual that you add to the orderForm.Promotions collection prior to running cart.ApplyDiscounts(). So it's not really within the promotion engine, but it still feels a bit hidden that all the manual promotions will be applied, whereas the calculated promotions will not be applied.
Thoughts on this? :)