This bug does exist. By normal logic, the price of a cart item should be the price held in the database, but this project uses the price passed in through the frontend interface.
Below is the order logic for a product with no discounts at all.
ref: #434
```java
public class OmsCartItemServiceImpl implements OmsCartItemService {
    public int add(OmsCartItem cartItem) {
        int count;
        OmsCartItem existCartItem = getCartItem(cartItem);
        if (existCartItem == null) {
            cartItem.setCreateDate(new Date());
            // The frontend price goes straight into the database here with no handling; this looks like the problem.
            // Normally the backend's price should be stored; if the frontend forges the price, the later logic does no checking.
            count = cartItemMapper.insert(cartItem);
        } else {
            cartItem.setModifyDate(new Date());
            existCartItem.setQuantity(existCartItem.getQuantity() + cartItem.getQuantity());
            count = cartItemMapper.updateByPrimaryKey(existCartItem);
        }
        return count;
    }
}
```

```java
public ConfirmOrderResult generateConfirmOrder(List<Long> cartIds) {
    // Fetches the order items here and handles the order prices
    List<CartPromotionItem> cartPromotionItemList = cartItemService.listPromotion(currentMember.getId(), cartIds);
    // ... (remainder of the method omitted in the report)
}
```

```java
public class OmsCartItemServiceImpl implements OmsCartItemService {
    public List<CartPromotionItem> listPromotion(Long memberId, List<Long> cartIds) {
        // ... (loading of cartItemList, the member's cart rows, omitted in the report)
        List<CartPromotionItem> cartPromotionItemList = new ArrayList<>();
        if (!CollectionUtils.isEmpty(cartItemList)) {
            // The price is computed here straight from the cart price stored in the database,
            // and as noted above that price was never checked against the backend; it is whatever the frontend sent.
            cartPromotionItemList = promotionService.calcCartPromotion(cartItemList);
        }
        return cartPromotionItemList;
    }
}
```

```java
public class OmsPromotionServiceImpl implements OmsPromotionService {
    // Loop inside calcCartPromotion (the method named in the maintainer's reply)
    public List<CartPromotionItem> calcCartPromotion(List<OmsCartItem> cartItemList) {
        // ... (grouping of cart rows into productCartMap omitted in the report)
        for (Map.Entry<Long, List<OmsCartItem>> entry : productCartMap.entrySet()) {
            // This function does nothing to sync the price with the backend, so the price is still
            // the one the frontend sent and that was stored in the database
            handleNoReduce(cartPromotionItemList, itemList, promotionProduct);
        }
        // ...
    }
}
```

```java
public Map<String, Object> generateOrder(OrderParam orderParam) {
    // As explained earlier, this directly fetches the price computed on the frontend
    List<CartPromotionItem> cartPromotionItemList = cartItemService.listPromotion(currentMember.getId(), orderParam.getCartIds());
    for (CartPromotionItem cartPromotionItem : cartPromotionItemList) {
        // ... (construction of orderItem omitted in the report)
        // Since the price used to generate the order is the one the frontend sent, the frontend can tamper with it at will;
        // if the frontend code is exposed, the risk is high
        orderItem.setProductPrice(cartPromotionItem.getPrice());
    }
    // ...
}
```
CartPromotionItem and OmsCartItem are not the same concept. The price of a CartPromotionItem is obtained by querying the price in the PmsSkuStock table, so even if the frontend tampers with the price, the calculation is still based on the price in PmsSkuStock. You can refer to the logic in calcCartPromotion in OmsPromotionServiceImpl.
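The distinction the maintainer draws, as an added example that is not the mall project's own code: a cart row carries whatever price the client submitted, while the line item that reaches the order is re-priced from a SKU table standing in for PmsSkuStock. The OmsCartItem and CartPromotionItem classes, the SKU map and the tampered cart row below are simplified stand-ins constructed for this demo, not the project's real types.

```java
import java.math.BigDecimal;
import java.util.Map;

// Minimal stand-ins for the project's types (hypothetical; not mall's own classes).
class OmsCartItem {
    Long productSkuId; Integer quantity; BigDecimal price; // price exactly as the client submitted it
    OmsCartItem(Long sku, Integer qty, BigDecimal price) { productSkuId = sku; quantity = qty; this.price = price; }
}
class CartPromotionItem {
    Long productSkuId; Integer quantity; BigDecimal price; // price the order line item will be built from
}

public class RepricingDemo {
    // Constructed SKU price table, standing in for PmsSkuStock (the authoritative source).
    static final Map<Long, BigDecimal> SKU_STOCK_PRICE = Map.of(101L, new BigDecimal("99.00"));

    // Vulnerable shape (the reporter's concern): the price stored with the cart row flows into the order.
    static BigDecimal orderPriceFromCart(OmsCartItem item) {
        return item.price;
    }

    // Hardened shape (what the maintainer describes): ignore the stored price and re-price from the
    // SKU table, refusing to build a line item when the SKU has no server-side price at all.
    static CartPromotionItem repriceFromSku(OmsCartItem item) {
        BigDecimal skuPrice = SKU_STOCK_PRICE.get(item.productSkuId);
        if (skuPrice == null) {
            throw new IllegalStateException("no server-side price for SKU " + item.productSkuId);
        }
        CartPromotionItem out = new CartPromotionItem();
        out.productSkuId = item.productSkuId;
        out.quantity = item.quantity;
        out.price = skuPrice; // the client-supplied item.price is never consulted
        return out;
    }

    public static void main(String[] args) {
        // Constructed cart row whose stored price was set to 0.01 by the client.
        OmsCartItem tampered = new OmsCartItem(101L, 2, new BigDecimal("0.01"));
        System.out.println("trusting the cart row: " + orderPriceFromCart(tampered));
        System.out.println("re-priced from SKU:    " + repriceFromSku(tampered).price);
        // Regression check worth keeping in a unit test: the order price must equal the SKU price.
        if (repriceFromSku(tampered).price.compareTo(SKU_STOCK_PRICE.get(101L)) != 0) {
            throw new AssertionError("order price diverged from the SKU price");
        }
    }
}
```

A test of this shape, run over a cart row with a deliberately wrong stored price, is the quickest way to confirm that generateOrder only ever sees the PmsSkuStock price.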