Vulnerability in EPiServer.Forms
In the CSR UI it's showing all of the cart types but I only want to show the ones that are actual carts rather than the one used for storing favourites.
Is there a config/code option to filter these?
By "one used for storing favourites" did you mean wishlists? Because right now it excludes that.
Except if you are using a different name for wishlists ...
Yes, we have a different name, as we might end up with multiple "wishlists"; they are used to store favourite items rather than wishlists.
We have the episerver:ExpiredCartsRemovalJobExcludedCartName set up to change the removal of these as documented. Is there no way of configuring the CSR UI to hide ones with custom names?
No, CSR UI is using the default one, which, by the way, is Wishlist.
Just to be clear, you have Wishlist, and another cart (with a different name) for "favourite items"?
Okay no worries. Yes, it's something I raised previously about episerver:ExpiredCartsRemovalJobExcludedCartName on supporting one name as an issue.
As the documentation says the carts are just lists managed by the key name, it makes sense that each key would map to their intention, like any collection of dictionaries.
E.g. if you have Favourite Courses, Favourite Products, Wishlists, or any other non-cart item, you'd separate them by the cart name for loading, as that's what the commerce API supports. Else you'd have to jam them all in one wishlist and then load them all out and filter them, which seems counterintuitive.
Unless I'm missing something in the Cart system for this?
I'm not worried to start with :). But I understand the need for having the ability to define "excluded" cart names. I will look into that if time permits.
Thanks Quan :-)
Just an FYI: I made a POC that is kind of working. It's tricky to define the cart names to ignore, however. I'm currently going with a setting named episerver:Commerce.WishListCartNames but that might change. Introducing a service like ICartFilter is also an option, but where to put it (within CSR UI, which is technically not a public API, or in a more "core" project) is also complicated. That said, when we do something there is a lot to consider :)
Thanks Quan. Will this apply to code that was using episerver:ExpiredCartsRemovalJobExcludedCartName as well? Obviously we don't want wishlists removed and currently that property only supports a single name.
I guess that's one of the things to consider with all of this.
Thanks for investigating :-)
Yes, I also made changes to that so you can define multiple names with a semicolon separator. The idea is to check for the new "setting"; if there is none, then fall back to the old setting for removing expired carts. But that needs some considerations... (off the top of my head, "should we imply that "wishlist" should not be removed or managed?")
I think leaving wishlist as the default makes sense, as for simple processes it's going to be often used, plus when upgrading users won't need to implement any new settings, but I like having the comma-separated setting as it makes it easy to set these up. Having it with the CSR UI and expired carts I think should catch everything a multi (non-basket) cart would need to handle.
Nice work :-)
Do you think there needs to be a checkbox in the CSR UI to "Show hidden carts"? You might still want to delete these or view them in some scenarios?
Well, that's one thing to consider (which will involve UX decisions at least). I'll probably leave that for now.