Home Explore Help
Sign In
cturan
/
vendure
mirror of https://github.com/vendure-ecommerce/vendure
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

fix(core): Remove insecure fallback from default price selection strat

Relates to #GHSA-wm63-7627-ch33
Michael Bromley 2 years ago
parent
3538beef65
commit
6f34d067f0
3 changed files with 10 additions and 4 deletions
Split View Show Diff Stats
  1. 1 1
      packages/core/src/config/catalog/default-product-variant-price-selection-strategy.ts
  2. 5 0
      packages/core/src/plugin/default-search-plugin/indexer/mutable-request-context.ts
  3. 4 3
      packages/core/src/service/services/product-variant.service.ts

+ 1 - 1
packages/core/src/config/catalog/default-product-variant-price-selection-strategy.ts
View File 

@@ -18,6 +18,6 @@ export class DefaultProductVariantPriceSelectionStrategy implements ProductVaria
 
     selectPrice(ctx: RequestContext, prices: ProductVariantPrice[]) {
 
         const pricesInChannel = prices.filter(p => idsAreEqual(p.channelId, ctx.channelId));
 
         const priceInCurrency = pricesInChannel.find(p => p.currencyCode === ctx.currencyCode);
 
-        return priceInCurrency || pricesInChannel[0];
 
+        return priceInCurrency;
 
     }
 
 }

+ 5 - 0
packages/core/src/plugin/default-search-plugin/indexer/mutable-request-context.ts
View File 

@@ -1,3 +1,4 @@
 
+import { CurrencyCode } from '@vendure/common/lib/generated-types';
 
 import { ID } from '@vendure/common/lib/shared-types';
 
 
 import { RequestContext, SerializedRequestContext } from '../../../api/common/request-context';
 
@@ -28,6 +29,10 @@ export class MutableRequestContext extends RequestContext {
 
         return this.mutatedChannel?.id ?? super.channelId;
 
     }
 
 
+    get currencyCode(): CurrencyCode {
 
+        return this.mutatedChannel?.defaultCurrencyCode ?? super.currencyCode;
 
+    }
 
+
 
     static deserialize(ctxObject: SerializedRequestContext): MutableRequestContext {
 
         return new MutableRequestContext({
 
             req: ctxObject._req,

+ 4 - 3
packages/core/src/service/services/product-variant.service.ts
View File 

@@ -443,9 +443,9 @@ export class ProductVariantService {
 
             );
 
         }
 
 
-        const defaultChannelId = (await this.channelService.getDefaultChannel(ctx)).id;
 
+        const defaultChannel = await this.channelService.getDefaultChannel(ctx);
 
         await this.createOrUpdateProductVariantPrice(ctx, createdVariant.id, input.price, ctx.channelId);
 
-        if (!idsAreEqual(ctx.channelId, defaultChannelId)) {
 
+        if (!idsAreEqual(ctx.channelId, defaultChannel.id)) {
 
             // When creating a ProductVariant _not_ in the default Channel, we still need to
 
             // create a ProductVariantPrice for it in the default Channel, otherwise errors will
 
             // result when trying to query it there.
 
@@ -453,7 +453,8 @@ export class ProductVariantService {
 
                 ctx,
 
                 createdVariant.id,
 
                 input.price,
 
-                defaultChannelId,
 
+                defaultChannel.id,
 
+                defaultChannel.defaultCurrencyCode,
 
             );
 
         }
 
         return createdVariant.id;