Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,16 @@ class OrdersController
'phone',
];

/**
* Internal order fields never exposed in Manager API responses.
*
* `token` is the secret used to authorize web order actions (see Web OrderController
* `ms3_token`); the Vue manager never consumes it, so it must not leak in any order payload.
*/
protected const HIDDEN_ORDER_FIELDS = [
'token',
];

protected modX $modx;
protected ?OrderLogService $orderLog = null;
protected ?Utils $ms3Utils = null;
Expand Down Expand Up @@ -970,9 +980,13 @@ public function update(array $params = []): array

// Reload order to get updated data
$order = $this->modx->getObject(msOrder::class, $id);
if (!$order instanceof msOrder) {
return Response::error('Order not found after update', HttpStatus::INTERNAL_SERVER_ERROR)->getData();
}
}

return Response::success($order->toArray(), 'Order updated successfully')->getData();
// Return the same shape as GET (address-merge, formatted cost, no secret fields)
return Response::success($this->buildOrderPayloadFromModel($order), 'Order updated successfully')->getData();
}

/**
Expand Down Expand Up @@ -1778,6 +1792,10 @@ protected function formatOrder(array $data): array
}
}

foreach (self::HIDDEN_ORDER_FIELDS as $field) {
unset($data[$field]);
}

return $data;
}

Expand Down
36 changes: 36 additions & 0 deletions core/components/minishop3/tests/OrderPayloadSecretFieldsTest.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
<?php

/**
* Guards the Manager order payload secret denylist (issue #421).
*
* `formatOrder()` strips every key in HIDDEN_ORDER_FIELDS from all order responses
* (get / list / create / finalize / recalculate-cost / update). This static check
* fails if the web-order secret `token` is dropped from that denylist.
*
* Run: php tests/OrderPayloadSecretFieldsTest.php
*/

declare(strict_types=1);

require __DIR__ . '/../vendor/autoload.php';

use MiniShop3\Controllers\Api\Manager\OrdersController;

$fail = static function (string $message): never {
fwrite(STDERR, "FAIL: {$message}\n");
exit(1);
};

$reflection = new ReflectionClass(OrdersController::class);
$hiddenFields = $reflection->getConstant('HIDDEN_ORDER_FIELDS');

if (!is_array($hiddenFields)) {
$fail('HIDDEN_ORDER_FIELDS must be an array');
}

if (!in_array('token', $hiddenFields, true)) {
$fail('HIDDEN_ORDER_FIELDS must contain "token" (web-order secret must never leak)');
}

fwrite(STDOUT, "OK OrderPayloadSecretFieldsTest\n");
exit(0);