Vulnerability in EPiServer.Forms
I have an item discount with Customer Redemption limit set. When viewing the product on the site as an anonymous user, the discounted price is not displayed.
How do I ensure the discounted price is displayed for both anonymous and authenticated users?
You can't specify per-customer redemption for anonymous users, because there is no way to prevent sneaky users from logging out and ordering more, or even using incognito mode for that.
If you really want to change that behavior, you can implement IRedemptionLimitService and return the expected value for
GetRemainingRedemptions(IEnumerable<PromotionData> promotions, Guid customerId, int orderFormId)
To emphasize this "no way to prevent sneaky users from logging out and ordering more, or even using incognito mode for that."
It's also for the benefit of the company selling things. If the user splits their order into several orders it is very likely going to cost the company more to send it, as it will be sent as several parcels. So this logic is there as a safeguard to not incentivize behavior that is costly for the company :)
Thanks Quan and Joel, that makes sense but in my case anonymous users have to log in to checkout so they can't circumvent the system. I want to ensure the discounted price is displayed regardless.
I'll have a look at the IRedemptionLimitService
Can you provide sample code to use IRedemptionLimitService to apply a redemption limit per customer for anonymous users? I can't find any.
You shouldn't have to deal with any other class than the IPromotionEngine, if you want to see the price in the checkout, and the customer is logged in. If I were you, I'd "solve" this by adding some UX feature creating an incitement to log in before the checkout. Maybe "Log in to find out if there are any logged in discounts" or something like that?
I don't think there is any as far as I know.
That is actually not true, Joel. You can, and should, implement any public interface if you want to change the default behavior. That is the way it is meant to be.
Of course the APIs might not be perfectly designed and there might be public APIs that shouldn't be, or vice versa, but the idea remains :)
Well I only have to do IPromotionEngine.Run to apply my promotions, just like I stated, I don't know about you ;) My point being that customer redemption limit should work out of the box as long as the customer is logged in.
You could implement your own IRedemptionLimitService and implement GetRemainingRedemptions in such a way that you solve non-logged-in customers, but then you'd have to manage the other cases yourself as well; you'd opt out of the existing redemption calculation logic :)
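The approach the thread converges on, written out as an added example (not code from the thread, from Quan or Joel, or from Episerver): a decorator around the default IRedemptionLimitService that keeps the built-in calculation for identified customers and, for anonymous visitors, returns the promotion's configured per-customer limit as the remaining count so the discounted price renders on product pages. The value returned for anonymous users is display-only; because checkout requires login (the original poster's precondition), the real limit is re-evaluated against the actual customer id before any order is placed. Assumptions not confirmed by the page: the method's return type is IDictionary<Guid, int> keyed by PromotionData.ContentGuid, the limit is read from PromotionData.RedemptionLimits.PerCustomer, and the decorator is wired in with the Services.Intercept registration and the Commerce InitializationModule dependency shown.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using EPiServer.Commerce.Marketing;
using EPiServer.Framework;
using EPiServer.Framework.Initialization;
using EPiServer.ServiceLocation;

// Decorator around the default IRedemptionLimitService. Logged-in customers keep the
// built-in calculation; anonymous customers (customerId == Guid.Empty) get the configured
// per-customer limit back as "remaining", which lets the discounted price render.
// Assumptions (not verified against the thread): GetRemainingRedemptions returns
// IDictionary<Guid, int> keyed by PromotionData.ContentGuid, and the per-customer limit
// is exposed as PromotionData.RedemptionLimits.PerCustomer (int?).
public class AnonymousAwareRedemptionLimitService : IRedemptionLimitService
{
    private readonly IRedemptionLimitService _inner;

    public AnonymousAwareRedemptionLimitService(IRedemptionLimitService inner)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
    }

    public IDictionary<Guid, int> GetRemainingRedemptions(
        IEnumerable<PromotionData> promotions, Guid customerId, int orderFormId)
    {
        var promotionList = promotions?.ToList() ?? new List<PromotionData>();

        // Identified customer: defer entirely to the built-in logic so the real
        // per-customer, per-order-form and per-promotion limits keep being enforced.
        if (customerId != Guid.Empty)
        {
            return _inner.GetRemainingRedemptions(promotionList, customerId, orderFormId);
        }

        // Anonymous customer: there is no identity to count redemptions against, so the
        // value returned here is display-only. Orders can only be placed after login, at
        // which point the branch above runs with the real customer id.
        var result = new Dictionary<Guid, int>();
        foreach (var promotion in promotionList)
        {
            var perCustomer = promotion.RedemptionLimits?.PerCustomer;
            // No per-customer limit configured: nothing to restrict, treat as unlimited.
            result[promotion.ContentGuid] = perCustomer ?? int.MaxValue;
        }
        return result;
    }
}

// Registers the decorator around whatever IRedemptionLimitService is already configured.
// Services.Intercept and the Commerce InitializationModule dependency are assumed APIs
// for this example (hypothetical names; check them against your Episerver version).
[InitializableModule]
[ModuleDependency(typeof(EPiServer.Commerce.Initialization.InitializationModule))]
public class RedemptionLimitInitialization : IConfigurableModule
{
    public void ConfigureContainer(ServiceConfigurationContext context)
    {
        context.Services.Intercept<IRedemptionLimitService>(
            (locator, defaultService) => new AnonymousAwareRedemptionLimitService(defaultService));
    }

    public void Initialize(InitializationEngine context) { }

    public void Uninitialize(InitializationEngine context) { }
}
```

Delegating to the wrapped service for identified customers is what keeps Joel's caveat from biting: the decorator only changes the answer when there is no customer to count against, and every other case still goes through the existing redemption calculation rather than being re-implemented.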