It appears to me that the authorize.net plugin included with Nop 3.70 if the plugin uses different settings for each store.

Let's say that you have two stores, www.webstoreA.com and www.webstoreB.com. Webstore A uses the 'all stores' settings for authorize.net, and webstore B has overridden settings to use a different account.

The issue, or potential issue, that I think we have is that if I, as an admin, log into webstore A and find an order that was placed on webstore B, then try to refund that order, I think it will use the settings for webstore A.

Additionally, if I were to write a schedule task to automatically act on these transactions, for example to automatically capture all authorized payments, it will use the global settings rather than the settings for the store that the order was placed on.

To fix this, I think we need to get the store id from each request inside the request call and load the settings that way, rather than use the dependency-injected settings that I think rely on the web context.

I think the fix for it is something like this in each call.

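            AuthorizeNetPaymentSettings paymentSettings;

            // Prefer the settings of the store the request belongs to.
            if (processPaymentRequest.StoreId > 0)
            {
                paymentSettings = _settingContext.LoadSetting<AuthorizeNetPaymentSettings>(processPaymentRequest.StoreId);
            }
            else
            {
                // No store id on the request: fall back to the injected settings.
                paymentSettings = _authorizeNetPaymentSettings;
            }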

All calls to _authorizeNetPaymentSettings will need to be changed to paymentSettings, and methods like the populate authentication method need to be overridden to accept the settings object as a parameter rather than use the class member.
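
The scenario described above, as an added C# example that is not code from the post or from nopCommerce: an admin working in store A refunds an order placed on store B, and the gateway account is resolved once from the web context and once from the store recorded on the order. `GatewaySettings`, `RefundRequest`, `StoreSettings`, `RefundProcessor`, the store ids and the account names are all constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Constructed stand-ins for illustration; these are not nopCommerce types.
record GatewaySettings(string LoginId);
record RefundRequest(int OrderId, int StoreId, decimal Amount);

class StoreSettings
{
    // Key 0 holds the "all stores" values; other keys are per-store overrides.
    private readonly Dictionary<int, GatewaySettings> _byStore = new();

    public void Save(int storeId, GatewaySettings s) => _byStore[storeId] = s;

    // Resolve for a given store, falling back to the "all stores" entry.
    public GatewaySettings LoadForStore(int storeId) =>
        storeId > 0 && _byStore.TryGetValue(storeId, out var s) ? s : _byStore[0];
}

class RefundProcessor
{
    private readonly StoreSettings _settings;
    private readonly GatewaySettings _injected; // bound once to the web context's store

    public RefundProcessor(StoreSettings settings, int contextStoreId)
    {
        _settings = settings;
        _injected = settings.LoadForStore(contextStoreId);
    }

    // Behaviour the post describes: the account follows the store the admin is in.
    public string AccountFromContext(RefundRequest r) => _injected.LoginId;

    // Proposed behaviour: the account follows the store recorded on the order.
    public string AccountFromOrder(RefundRequest r) => _settings.LoadForStore(r.StoreId).LoginId;
}

static class Demo
{
    static void Main()
    {
        var settings = new StoreSettings();
        settings.Save(0, new GatewaySettings("account-all-stores")); // used by store A (id 1)
        settings.Save(2, new GatewaySettings("account-store-B"));    // store B override
        var processor = new RefundProcessor(settings, contextStoreId: 1); // admin is on store A
        var refund = new RefundRequest(OrderId: 1001, StoreId: 2, Amount: 25.00m);
        Console.WriteLine("context lookup: " + processor.AccountFromContext(refund));
        Console.WriteLine("order lookup:   " + processor.AccountFromOrder(refund));
    }
}
```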