diff --git a/LittleShop/Services/OrderService.cs b/LittleShop/Services/OrderService.cs index b3c8e3a..308b22b 100644 --- a/LittleShop/Services/OrderService.cs +++ b/LittleShop/Services/OrderService.cs @@ -282,13 +282,46 @@ public class OrderService : IOrderService public async Task CancelOrderAsync(Guid id, string identityReference) { - var order = await _context.Orders.FindAsync(id); - if (order == null || order.IdentityReference != identityReference) + var order = await _context.Orders + .Include(o => o.Customer) + .FirstOrDefaultAsync(o => o.Id == id); + + if (order == null) + { + _logger.LogWarning("Cannot cancel order {OrderId} - order not found", id); return false; + } + + // Verify ownership - support both CustomerInfo-based and legacy IdentityReference-based orders + bool isOwner = false; + + if (order.Customer != null && identityReference.StartsWith("telegram:")) + { + // Extract telegram user ID from identity reference (format: "telegram:12345:username") + var parts = identityReference.Split(':'); + if (parts.Length >= 2 && long.TryParse(parts[1], out var telegramUserId)) + { + isOwner = order.Customer.TelegramUserId == telegramUserId; + } + } + else if (!string.IsNullOrEmpty(order.IdentityReference)) + { + // Legacy: match by identity reference + isOwner = order.IdentityReference == identityReference; + } + + if (!isOwner) + { + _logger.LogWarning("Cannot cancel order {OrderId} - identity mismatch (provided: {Identity}, customer: {CustomerId})", + id, identityReference, order.CustomerId); + return false; + } if (order.Status != OrderStatus.PendingPayment) { - return false; // Can only cancel pending orders + _logger.LogWarning("Cannot cancel order {OrderId} - status is {Status}, must be PendingPayment", + id, order.Status); + return false; } order.Status = OrderStatus.Cancelled;