View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0006854||OXID eShop (all versions)||1.02. Price calculations (discounts, coupons, additional costs etc.)||public||2018-07-13 14:03||2018-07-13 14:10|
|Target Version||Fixed in Version|
|Summary||0006854: Wrong voucher calculation - discount sharing between user's baskets|
|Description||In case of vouchers with the same number, it's possible to create a sharing-like behavior of the total discounts, which could lead to wrong basket calculation - even negative basket sums are possible!|
The problem is the storing of the total discount, calculated while using a voucher with a percentage discount. The calculated total sum is stored in the oxvouchers table. For some reason, it's possible that a user can use the same voucher as another user. Then he gets the pre-calculated discount, which clearly refers to another basket.
|Steps To Reproduce||1) Create a voucherseries|
OXDISCOUNTTYPE = percent
OXALLOWSAMESERIES = 0
OXALLOWOTHERSERIES = 0
OXALLOWUSEANOTHER = 0
OXCALCULATEONCE = 0
2) Assign a category to the voucherseries.
3) Create one voucher from the series.
4) Open browser A and log in to the shop with user A.
5) Add an article from the assigned category to your basket.
6) Input the voucher code.
Discount should be calculated the right way.
7) Open browser B and log in to the shop with user B.
8) Add another article from the assigned category to your basket.
9) Log in to your shop's database.
10) Update the value oxvouchers.OXRESERVED to a timestamp older than 3 hours (by default).
Explanation: The reservation time of the used voucher has to have run out. With standard settings, a voucher is reserved for 3 hours. So you may wait that time, but it's easier to modify the oxvouchers.OXRESERVED value. Just change it to a value that's more than 3 hours back in the past, so subtract a number > 10800.
11) Finish your order.
12) Go back to browser A.
13) Update your basket.
Now you should see the total discount from user B.
|Additional Information||The scenario a little bit more technical:|
1) User A inputs voucher number.
2) Voucher X gets reserved by inserting a timestamp to oxvouchers.OXRESERVED.
3) User A doesn't do anything and leaves his basket as it is for about 3 hours (by default).
4) oxvouchers.OXRESERVED from voucher X is now more than 3 hours old, so voucher X isn't reserved anymore.
5) Now User B inputs the voucher number and since voucher X isn't reserved anymore, user B re-reserves voucher X for his basket.
6) User B finishes his order.
7) At this point the OXORDERID, OXUSERID and OXDISCOUNT were inserted into the oxvouchers table.
8) User A comes back and updates his basket.
9) Then the problem begins: Even though voucher X isn't reserved anymore by user A, this voucher is used for calculation.
10) Unfortunately the calculation function reads out OXDISCOUNT from the database and adds it to user A's basket.
Problem 1.1: Wrong total discount value is used for user A.
Problem 1.2: If basket sum from user A is less than discount from user B, which is stored in oxvouchers.OXDISCOUNT, basket sum could get under 0,00.
Problem 2: Same voucher X is used by two customers.
11) User A finishes his order.
12) OXORDERID and OXUSERID from voucher X are overwritten with the new values from user A.
(My guess is that the oxvouchers.OXID from voucher X is stored in the session from user A.)
|Tags||Calculations, Discount, Voucher|
|PHP Version||Not defined|
|MySQL Version||Not defined|
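
The sequence from "Additional Information", replayed as an added example: a constructed Python model, not OXID eShop code, showing the reported calculation next to a check that revalidates the voucher before it is applied. The function names and the `reserved_by` owner field are assumptions; only the column names in the comments come from the report.

```python
# Constructed model of the flow in this report; not OXID eShop code.
from dataclasses import dataclass
from typing import Optional

RESERVATION_TTL = 10800  # 3 hours in seconds, the standard reservation time

@dataclass
class Voucher:                         # simplified oxvouchers row
    percent: float
    reserved_at: int = 0               # OXRESERVED
    reserved_by: Optional[str] = None  # assumption: owner stored with the reservation
    order_id: Optional[str] = None     # OXORDERID
    user_id: Optional[str] = None      # OXUSERID
    discount: Optional[float] = None   # OXDISCOUNT, written when an order is finished

def reserve(v, user, now):
    """Reserve unless the voucher is redeemed or another user's reservation is live."""
    live = v.reserved_by not in (None, user) and now - v.reserved_at < RESERVATION_TTL
    if v.order_id is not None or live:
        return False
    v.reserved_at, v.reserved_by = now, user
    return True

def finish_order(v, user, order_id, basket_sum):
    """Redeem the voucher: record the order and the discount computed for this basket."""
    v.order_id, v.user_id = order_id, user
    v.discount = round(basket_sum * v.percent / 100, 2)

def discount_as_reported(v, basket_sum):
    """Behaviour described in the report: a stored OXDISCOUNT is reused as-is."""
    if v.discount is not None:
        return v.discount
    return round(basket_sum * v.percent / 100, 2)

def discount_checked(v, user, basket_sum, now):
    """Revalidate ownership, recompute from this basket, never exceed the basket sum."""
    redeemed_elsewhere = v.order_id is not None and v.user_id != user
    expired = now - v.reserved_at >= RESERVATION_TTL
    if redeemed_elsewhere or v.reserved_by != user or expired:
        return None  # caller must remove the voucher from the basket
    return min(round(basket_sum * v.percent / 100, 2), basket_sum)

def replay():
    v, t0 = Voucher(percent=10.0), 1_000_000
    reserve(v, "A", t0)                        # user A, basket 20.00
    reserve(v, "B", t0 + RESERVATION_TTL + 1)  # A's reservation has run out
    finish_order(v, "B", "order-B", 500.00)    # stores B's discount of 50.00
    return (20.00 - discount_as_reported(v, 20.00),
            discount_checked(v, "A", 20.00, t0 + RESERVATION_TTL + 60))
```

`replay()` returns A's basket total under the reported behaviour and the result of the revalidating check, which is `None` because the voucher now belongs to B's order.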