Currently, as long as one has the token, it is possible to access the shopping cart. However, if it is assigned to a shop user this shouldn't be possible, e.g. if I logged out of a public PC.
Accessing and modifying a cart that isn't mine just shouldn't be possible, and as a shipping address / billing address may be assigned to it, it is even worse, as this can be an issue regarding data protection / privacy laws.
Furthermore, when a user is logged in it should be possible to resume the previous cart without knowing its token, e.g. because the user switches devices.
Best would be a merge, but as a first step it would be nice if it were the same as in a default Sylius installation.
I can't think of all the needed scenarios but one thing I would expect:
User A is logged in
User A has a cart with various items in it
User A logs out
The cart should not be returned anymore as no user is logged in
They should not be able to modify their previous cart at all using just the cart's token; they would require a new authorization to modify it.
User B logs in
The cart should still not be returned as it is another user
User B logs out again
User A logs in again
User A sees their previous cart
User A logs out again
Not being logged in user A adds items to their cart
User A logs in again
Now the optimum result would be that User A gets a combined cart of the newly created one and the one they had prior to their login, so e.g. if they had product A in the logged-in cart and product B in the logged-out cart, both should be in the cart.
Some possible issues there:
An issue might be if a product is not available in the corresponding channel
Quantities: If both carts have the same product, you either have to use the maximum quantity, their sum, or the quantity of the last updated cart. In any case the user would have to review the cart again (best would be if after login they see their cart, maybe with a small information message).
If the two carts are from different channels / different currencies the totals etc. need to be completely recalculated.
Addresses: If both carts have addresses on them, of course only one can win.
However, as the user cannot proceed without login anyway (same e-mail address), most likely the one from the cart after logging in is correct.
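Added example, not code from the issue or from Sylius: a small Python model of the two behaviours described above, the access rule (a cart assigned to a shop user is not reachable by token alone, neither anonymously nor by another user) and the post-login merge. `Cart`, `CartItem`, `load_cart`, `find_cart_for_user`, `merge_carts`, the channel/availability/price tables and the sample carts are all assumptions made for illustration; the merge policy (sum quantities, drop products not purchasable in the target channel, reprice in that channel, newer cart's address wins) is one of the options discussed, not a prescribed one.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CartItem:
    product: str
    quantity: int
    unit_price: int  # minor units; assumed model, not Sylius' own


@dataclass
class Cart:
    token: str
    channel: str
    currency: str
    customer: Optional[str] = None  # shop user the cart is assigned to, or None if anonymous
    items: list = field(default_factory=list)
    shipping_address: Optional[str] = None
    billing_address: Optional[str] = None
    updated_at: int = 0  # counter standing in for a timestamp

    def total(self) -> int:
        return sum(i.quantity * i.unit_price for i in self.items)


class CartAccessDenied(Exception):
    pass


def can_access(cart: Cart, current_user: Optional[str]) -> bool:
    """Proposed rule: an anonymous cart stays token-addressable; a cart assigned
    to a shop user requires that exact user to be logged in. Covers both
    'nobody logged in' and 'another user logged in'."""
    return cart.customer is None or cart.customer == current_user


def load_cart(carts: dict, token: str, current_user: Optional[str]) -> Cart:
    cart = carts.get(token)
    if cart is None or not can_access(cart, current_user):
        # same error for unknown token and foreign cart: do not confirm the token exists
        raise CartAccessDenied("cart not accessible")
    return cart


def find_cart_for_user(carts: dict, user: str) -> Optional[Cart]:
    """Resume a logged-in user's cart without knowing its token (device switch)."""
    for cart in carts.values():
        if cart.customer == user:
            return cart
    return None


def merge_carts(anon_cart: Cart, user_cart: Cart, available: dict, prices: dict):
    """Merge the cart built while logged out (anon_cart) into the user's saved cart.

    Policy chosen here (assumption): target channel/currency is that of the cart
    used just before login; quantities of the same product are summed; products
    not purchasable in the target channel are dropped and returned as `skipped`;
    every line is repriced from `prices[channel]` so totals are recalculated;
    addresses from the more recently updated cart win, falling back to the other.
    """
    channel = anon_cart.channel
    merged = Cart(token=user_cart.token, channel=channel, currency=anon_cart.currency,
                  customer=user_cart.customer,
                  updated_at=max(anon_cart.updated_at, user_cart.updated_at))
    qty: dict = {}
    for item in user_cart.items + anon_cart.items:
        qty[item.product] = qty.get(item.product, 0) + item.quantity
    skipped = []
    for product, q in qty.items():
        if product not in available.get(channel, set()):
            skipped.append(product)
            continue
        merged.items.append(CartItem(product, q, prices[channel][product]))
    newer, older = ((anon_cart, user_cart) if anon_cart.updated_at >= user_cart.updated_at
                    else (user_cart, anon_cart))
    merged.shipping_address = newer.shipping_address or older.shipping_address
    merged.billing_address = newer.billing_address or older.billing_address
    return merged, skipped


if __name__ == "__main__":
    # Constructed walkthrough of the scenario from the issue.
    carts = {"tok-a": Cart("tok-a", "web", "EUR", customer="a@example.com",
                           items=[CartItem("product-A", 1, 1000)],
                           shipping_address="A street 1", updated_at=1)}
    for user in (None, "b@example.com"):
        try:
            load_cart(carts, "tok-a", user)
        except CartAccessDenied as e:
            print(user, "->", e)
    print(find_cart_for_user(carts, "a@example.com").token)  # resumed without the token
```

The point of `can_access` is that the token is treated as a locator, not as a credential, once a cart is bound to a shop user; the merge keeps the user's old cart token so the resumed cart is the one the user already had.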