Disallow changing payment amount on Solidus

[waiting-for-dev]

Steps to reproduce

• Complete an order using Stripe as the payment method. The payment will be authorized at that point.
• Edit the payment amount from the backend.
• Capture the payment amount from the backend.

Result Solidus will show a captured payment with the updated amount. However, Stripe will have captured the old amount.

Expected result It should not be possible to update the amount of the authorized amount from Solidus. Stripe doesn't allow updating the amount for payment intents with the requires_capture status, which is the one we have after the authorization has been made.

Considerations This is the error we get when trying:

pm = SolidusStripe::PaymentMethod.first
pi = pm.find_intent_for(Spree::Payment.last)
pi.amount = 100
pi.update

# This PaymentIntent's amount could not be updated because it has a status of requires_capture. You may only update the amount of a PaymentIntent with one of the following statuses: requires_payment_method, requires_confirmation, requires_action. (Stripe::InvalidRequestError)

[loicginoux]

Note that this is still available before having confirmed payment. updating the amount might be necessary in the case where

• a user go to checkout (intent created)
• cart amount has changed for any reason (go back to shopping and add new product to cart, or a product has a price change)
• go back to checkout page (the amount of the intent should be updated before procesding to payment)

If this is not related, I'll create another issue

[waiting-for-dev]

That is a fair point, @loicginoux. I meant manually changing the amount from the admin panel or the API. But yeah, we need to figure out the best way to handle that, and checking the payment status could be an option. Thanks for pointing that out!

[chrean]

@rainerdema to investigate if this is still valid.

[rainerdema]

I've opened a PR #288 that allows partial capture of a payment amount via the admin interface through the existing gateway action.

The example mentioned in the issue description refers to an update of the amount on a payment intent which is not allowed: But during the capture action, it's possible to specify a portion of the authorized payment amount to capture.

Let me know what you think 👍

cc @waiting-for-dev

[rainerdema]

I'm closing this with the mentioned PR for the moment. But happy to reconsider my approach and disallow the changing payment amount if needed 👍