Vulnerability in EPiServer.Forms
We have an order discount with a limit per registered user. Our process flow is a bit different: we create a purchase order from the cart, run the workflow (unfortunately) against the purchase order, and if there is no error we delete the cart; otherwise we add some errors/warnings to the cart.
The issue is that PromotionInformationGetRedemptions returns more than the total redemption, thus the discount will be removed from the purchase order.
There is no issue if we delete the cart immediately; unfortunately, we can't do this at the moment. We modified PromotionInformationGetRedemptions a bit to fix this issue.
Has anyone experienced this? Is it a good/bad idea to modify the stored procedure? Or is it a bug?
Without your current version it would be difficult to give a meaningful answer, but it's almost always a bad idea to modify an SP. We don't disclose the database schema, so your change might affect other parts of the system and we can't support that.
Later versions of Commerce only count redeemed promotions and it is only set with Orders, not carts, so that's something you might want to look into.