New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vouchers can be reused under concurrent access #4812

Closed
TWarszawski opened this Issue Aug 26, 2016 · 1 comment

Comments

Projects
None yet
2 participants
@TWarszawski
Copy link

TWarszawski commented Aug 26, 2016

Description

When two customers check out concurrently using the same voucher, the voucher can be used twice.

Steps to reproduce

  1. Start site, create two customers, create/pick test product, create test voucher.
  2. Both customers add the item to their carts, apply the voucher, and perform the checkout concurrently, making sure both customers finish checkout (click the ‘Confirm Order’ button) as close to the same time as possible.

We have reproduced this behavior on a single machine, by performing the above steps with one customer in one browser window and another customer in a second browser window with a short communication delay (200 ms) between the database and application. If connecting to the database using unix sockets, the following script can act as a proxy that delays packets:
https://gist.github.com/TWarszawski/a0d8dd8aea9eb5b774d64c9f826de6db

Expected Result:

Only one order completes using the voucher, the other order ends in the fraud status.

Actual Result:

Both orders successfully complete using the voucher.

@danielkerr danielkerr closed this Aug 28, 2016

@danielkerr

This comment has been minimized.

Copy link
Contributor

danielkerr commented Aug 28, 2016

and blocked!

@opencart opencart locked and limited conversation to collaborators Aug 28, 2016

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.