Vulnerability in EPiServer.Forms
We have a requirement that users can apply multiple gift cards in the checkout page. We also need to display the list of applied gift cards (including gift card number).
When the user adds a new gift card, we create a new GiftCardPayment and we add it on the current user's shopping cart.
We are using the Serialized Cart feature, but I haven't found a way to read the Gift Card Number when we load the applied payments (we need this in case the user refreshes the page or comes back to the payment step).
Maybe it is something I'm missing.
Have you tried
Yep, it is not populated. After looking at the serialized object in the database, the GiftCardNumber is saved as a property of the payment, but it is not deserialized. And I think this happens because "GiftCardNumber" is not a property of the SerializedPayment object.
As you can see, the properties property is empty.
I assume you're working with IPayment objects when trying to retrieve the data. Have you tried casting to GiftCardPayment? It seems like that's what the cart is ultimately serializing them as.
I tried, but at runtime, the IPayment is actually SerializablePayment which cannot be cast to GiftCardPayment. We ultimately reverted back to regular carts, but as soon as we find a way to deserialize extra payment information we will return to serialized carts. The performance implications are big.
The Serializable Cart feature works only with defined serializable objects such as: SerializableForm, SerializableShipment, SerializableLineItem, SerializablePayment, SerializableNote, SerializableOrderAddress (when deserializing cart components, it casts objects to the corresponding serializable classes). In your case, the workaround could be: adding SerializablePayment to the cart instead of GiftCardPayment, and putting all the properties of GiftCardPayment you need into the Properties property of SerializablePayment:
payment.Properties["GiftCardNumber"] = 123;
payment.Properties["GiftCardSecurityCode"] = "abc";
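The workaround above as an added example (not code from the thread or from Episerver): `PaymentStandIn` is a hypothetical stand-in that models only the `Properties` bag of SerializablePayment, and the helper names are assumptions. It stores the number as a string, reads it back without depending on the value's runtime type after deserialization, and masks it for display, which is a choice of this example.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

// Hypothetical stand-in: only the Properties bag discussed in the thread is modelled.
public class PaymentStandIn
{
    public Hashtable Properties { get; } = new Hashtable();
    public decimal Amount { get; set; }
}

public static class GiftCardProperties
{
    private const string NumberKey = "GiftCardNumber"; // key used in the thread

    // Store the number as a string so leading zeros and the value type survive a round trip.
    public static void SetGiftCardNumber(PaymentStandIn payment, string number)
    {
        if (string.IsNullOrWhiteSpace(number))
            throw new ArgumentException("Gift card number is required.", nameof(number));
        payment.Properties[NumberKey] = number.Trim();
    }

    // Returns null for payments that carry no gift card number (key absent).
    public static string GetGiftCardNumber(PaymentStandIn payment)
    {
        // Convert.ToString accepts a value that comes back as int, long or string.
        return payment.Properties.ContainsKey(NumberKey)
            ? Convert.ToString(payment.Properties[NumberKey], CultureInfo.InvariantCulture)
            : null;
    }

    // Masked form for the checkout page: only the last four characters stay visible.
    public static string Mask(string number)
    {
        if (string.IsNullOrEmpty(number)) return string.Empty;
        int visible = Math.Min(4, number.Length);
        return new string('*', number.Length - visible) + number.Substring(number.Length - visible);
    }

    // Lists the applied gift cards after the cart has been reloaded.
    public static IEnumerable<string> AppliedGiftCards(IEnumerable<PaymentStandIn> payments)
    {
        return payments.Select(GetGiftCardNumber).Where(n => n != null).Select(Mask);
    }
}
```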
Hi Bien, thank you for your answer, it makes sense. I will play with it and see how the entire workflow (all the way to the place order) will work.