Vulnerability in EPiServer.Forms
We've recently upgraded to Commerce 12.2 and are having an issue with ValidateLineItemActivity. We've decompiled and put in our own implementation of this activity because we had to make one minor tweak to not look at the OrderGroup.ProviderId. However, when the UpdateLineItemPrice method runs and a price change has occurred, the LineItem PlacedPrice is changed on the shipment in memory but is immediately wiped after the activity runs. To fix this we had to do the following, but I'm wondering why we have to do the following.
So when the price changes this is the original line of code from Epi's activity
lineItem1.PlacedPrice = itemPrice.Value.Amount;
We had to add the following line of code for the change to take place on the LineItem table in commerce
OrderGroup.OrderForms.LineItems.FirstOrDefault(l => l.LineItemId == lineItem1.LineItemId)?.PlacedPrice = itemPrice.Value.Amount;
We've done the same fix here. I assume that it is because the Workflows make use of the concrete classes (LineItem) while the rest of your code base maybe uses the abstractions (ILineItem). Normally these are only "synched up" once you save to the database, but there could be something else that changed the ILineItem too (for example when UpdateTotalsActivity runs).
This is one of the reasons why it's not recommended to "mix" the concrete and the abstraction APIs. But in some cases it could be hard to avoid, like in yours. The fix you applied is one that works though, in my experience.
As a side note, there's no need to decompile the workflows project, it's publicly available for download here:
https://world.episerver.com/download (It's under Episerver Commerce -> Other Code Samples)
For 12.2 you'd need 11.8.1 and higher
Once downloaded, you can change your project references to make use of the downloaded one instead, which you can modify to your heart's content. :)