diff --git a/core/components/minishop3/src/Controllers/Api/Manager/OrdersController.php b/core/components/minishop3/src/Controllers/Api/Manager/OrdersController.php index ce13d719..aa4a4b20 100644 --- a/core/components/minishop3/src/Controllers/Api/Manager/OrdersController.php +++ b/core/components/minishop3/src/Controllers/Api/Manager/OrdersController.php @@ -71,6 +71,16 @@ class OrdersController 'phone', ]; + /** + * Internal order fields never exposed in Manager API responses. + * + * `token` is the secret used to authorize web order actions (see Web OrderController + * `ms3_token`); the Vue manager never consumes it, so it must not leak in any order payload. + */ + protected const HIDDEN_ORDER_FIELDS = [ + 'token', + ]; + protected modX $modx; protected ?OrderLogService $orderLog = null; protected ?Utils $ms3Utils = null; @@ -970,9 +980,13 @@ public function update(array $params = []): array // Reload order to get updated data $order = $this->modx->getObject(msOrder::class, $id); + if (!$order instanceof msOrder) { + return Response::error('Order not found after update', HttpStatus::INTERNAL_SERVER_ERROR)->getData(); + } } - return Response::success($order->toArray(), 'Order updated successfully')->getData(); + // Return the same shape as GET (address-merge, formatted cost, no secret fields) + return Response::success($this->buildOrderPayloadFromModel($order), 'Order updated successfully')->getData(); } /** @@ -1778,6 +1792,10 @@ protected function formatOrder(array $data): array } } + foreach (self::HIDDEN_ORDER_FIELDS as $field) { + unset($data[$field]); + } + return $data; } diff --git a/core/components/minishop3/tests/OrderPayloadSecretFieldsTest.php b/core/components/minishop3/tests/OrderPayloadSecretFieldsTest.php new file mode 100644 index 00000000..eaf52a36 --- /dev/null +++ b/core/components/minishop3/tests/OrderPayloadSecretFieldsTest.php @@ -0,0 +1,36 @@ +getConstant('HIDDEN_ORDER_FIELDS'); + +if (!is_array($hiddenFields)) { + $fail('HIDDEN_ORDER_FIELDS must be an array'); +} + +if (!in_array('token', $hiddenFields, true)) { + $fail('HIDDEN_ORDER_FIELDS must contain "token" (web-order secret must never leak)'); +} + +fwrite(STDOUT, "OK OrderPayloadSecretFieldsTest\n"); +exit(0);