authenticated user able to place an anonymous order

Posts: 6
Joined: 11/19/2007

Ubercart alpha8, Drupal 5.5, MySQL 5.0.x

Problem:

This concerns a site where the wanted behaviour is that no anonymous order is possible.

An authenticated user is, under certain circumstances, able to validate a cart and a payment ... but the order in the database is saved with uid = 0!

Terrible consequences:
The customer/user was able to pay, but our admin section could not say who placed this order! And thus the user never sees his order on his order history page.

I observed this 2 or 3 times. I believe the scenario for it to happen is when a user hesitates and comes back to the checkout pages many times with the same cart/order before submitting it to pay for it.

Because I really do not need anonymous purchase in my case, I changed the uc_cart_checkout_form_submit() in uc_cart.module to force the $order->uid to be set in the beginning else statement.

function uc_cart_checkout_form_submit($form_id, $form_values) {
  global $user;

  if (empty($_SESSION['cart_order'])) {
    $order = uc_order_new($user->uid);
    $_SESSION['cart_order'] = $order->order_id;
  }
  else {
    $order = new stdClass();
    $order->order_id = $_SESSION['cart_order'];
    // AKAMARVIN MODIF : force the session uid in $order->uid (2008/01/11)
    $order->uid = $user->uid;
    // END AKAMARVIN MODIF
    $order->order_status = uc_order_state_default('in_checkout');
  }

  // (...)
  uc_order_save($order);
  // (...)
}

So the uc_order_save() function is sure to have a complete $order object at this point of the checkout.

And I also changed uc_order_new() in uc_order.module to disallow the insert of uid = 0.

Feel free to comment on my hack and on this strange behaviour that should not happen.

Thanks.
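The change described in this post, reproduced against a small stand-in model (an added example, not code from the post or from Ubercart). It assumes, hypothetically, that a save writes every column from the object it is given; model_order_new(), model_order_save() and resubmit_checkout() are invented names, and uid 42 is a constructed value.

```php
<?php
// Stand-in model, not Ubercart code: $orders plays the role of the orders table.
// Assumption: the save writes every column from the object it receives, so a
// property that is missing on a partial object ends up stored as 0.
$orders = array();

function model_order_new(array &$orders, $uid) {
  // Second guard from the post: never insert an order owned by uid 0.
  if ((int) $uid === 0) {
    throw new InvalidArgumentException('refusing to create an order for uid 0');
  }
  $order_id = count($orders) + 1;
  $orders[$order_id] = array('uid' => (int) $uid, 'order_status' => 'in_checkout');
  return $order_id;
}

function model_order_save(array &$orders, $order, $require_owner) {
  $uid = isset($order->uid) ? (int) $order->uid : 0;  // missing property becomes 0
  if ($require_owner && $uid === 0) {
    throw new RuntimeException("order {$order->order_id}: save without owner rejected");
  }
  $orders[$order->order_id] = array('uid' => $uid, 'order_status' => $order->order_status);
}

function resubmit_checkout(array &$orders, $order_id, $session_uid, $force_uid, $require_owner) {
  // Mirrors the else branch in the post: a fresh object carrying only the order_id.
  $order = new stdClass();
  $order->order_id = $order_id;
  if ($force_uid) {
    $order->uid = $session_uid;  // the change described in the post
  }
  $order->order_status = 'in_checkout';
  model_order_save($orders, $order, $require_owner);
  return $orders[$order_id]['uid'];
}

$id = model_order_new($orders, 42);  // constructed uid for an authenticated user
echo "unpatched resubmit -> uid ", resubmit_checkout($orders, $id, 42, false, false), "\n";
echo "patched resubmit   -> uid ", resubmit_checkout($orders, $id, 42, true, true), "\n";
try {
  resubmit_checkout($orders, $id, 42, false, true);  // guard catches the partial object
} catch (RuntimeException $e) {
  echo "guarded save       -> ", $e->getMessage(), "\n";
}
```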

Posts: 5621
Joined: 08/07/2007
Administrator. Head Code Monkey - I eat bugs.

Interesting... I've reviewed this, and I really just don't know how an order would come in w/o a uid attached. The first time this form is submitted, it should create an order for the customer's uid and save it. On subsequent submissions, that order should get loaded along w/ its uid. I have included your change, and hopefully this solves something. I'm still curious to know more about whether or not this is the root issue.

Posts: 554
Joined: 08/13/2007
Bug Finder. Early adopter... addicted to alphas. Getting busy with the Ubercode. Internationalizationizer.

Hi, just to know, what payment system do you use when you notice the bug?

Posts: 6
Joined: 11/19/2007

A modified, and hopefully working (because the original was quite crappy), version of uc_ogone (Belgium).

Do you think the payment module could mess up the order->uid with another uc_order_save?

Because I believe the only way to update or mess up the uc_order record in the db is with uc_order_save() or uc_order_new(). Am I right?

I'll investigate my ogone module.

EDIT:
Investigation done:

- The hook_order of the ogone module does virtually nothing in the $op = 'save' case.
And that's maybe the problem?

- The uc_payment_method_ogone hook in its 'order-save' case does nothing to the uc_order table.

- The entire ogone module does not access the global $user object at any time, only relying on the $order object passed in for user info.

Hope it helps.

Posts: 6
Joined: 11/19/2007

The problem may also come from uc_cart_complete_sale(), which can optionally make an update on uc_order at the beginning of its code.

Posts: 5621
Joined: 08/07/2007
Administrator. Head Code Monkey - I eat bugs.

Hmm... That code should actually remedy any issue where an order comes in with a 0 uid. It finds an existing user or creates a new one to attach to the order.