Vulnerability in EPiServer.Forms
Does anyone know if the CommerceTrackingAttribute can be used on Web API controller actions? And does it by default send the User tracking data, i.e. name and email of the logged-in user?
Also, does using the TrackingDataFactory Create methods automatically construct the User tracking data from the logged-in user?
Unless I missed something obvious, then no, CommerceTrackingAttribute is based on ActionFilterAttribute, which is a for-MVC attribute. IIRC you just can't use it in a WebApi controller.
You might be able to use the approach titled "Tracking without using the CommerceTrackingAttribute" as described here: https://world.episerver.com/documentation/developer-guides/tracking/product-tracking/
Thanks, I thought so too, wanted to confirm.
Had been through the Tracking without attribute approach, but from the documentation it's not obvious whether the User tracking data is automatically constructed by the TrackingDataFactory or whether I have to add it.
From memory it used the ASP.NET Profile values as used in Commerce. So unless you are using that in your WebAPI controller, it’s likely you need to populate it yourself.
Again from memory you can populate the UserData object with your custom tracking. You only need to populate the email to match with an existing profile with matching email.
If you cannot populate UserData as part of your implementation then you can use a tracking data interceptor to populate it: https://world.episerver.com/documentation/developer-guides/tracking/tracking-api/tracking-data-interceptor/ (this is what’s used by the default implementations)
Update on this
I can confirm that the User tracking data is automatically constructed by the TrackingDataFactory CreateTrackingData methods. It does seem to be using the ASP.NET profile values. In my case my WebAPI controller is hosted within the Commerce site so it works out