Closed LiamKarlMitchell closed 3 years ago
Hi @LiamKarlMitchell. Thank you for your report. To help us process this issue please make sure that you provided the following information:
Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:
@magento give me 2.4-develop instance
- upcoming 2.4.x release
For more details, please, review the Magento Contributor Assistant documentation.
Please, add a comment to assign the issue: @magento I am working on this
Join Magento Community Engineering Slack and ask your questions in #github channel.
:warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.
:clock10: You can find the schedule on the Magento Community Calendar page.
:telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.
:movie_camera: You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel
:pencil2: Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel
This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 14 days if no further activity occurs. Thank you for your contributions.
Summary (*)
We had an issue with bots registering customers and orders. I had deleted the customer records, subscriptions etc but had not realized there were also quote records.
The autoincrement on the customer id table must have also been reset. When we went live, new customer orders got created that happened to match existing quote records.
It seems that the customer name/email on the sales order copied the detail from the first matching spam/quote?
Proposed solution
Add a foreign key where it matters, so that on deleting customer records the quotes should either not allow it, or be set null or deleted, suggest that it simply not allow the delete operation due to the foreign key constraint.
Have Magento 2 come with a spam bot detection module by default, to detect the various kinds of data they enter.
From such a module implemented in core, do not allow HTML tags and various other characters to be entered in the fields for customer name, email etc.
When a new sales order/customer is created, don't grab the details from the first matching quote/sales_record but from the current one? Not 100% sure on the implementation here just what it seems to have done
I can dig deeper through a DB backup to find a list of recommendations of things that should not be allowed to be entered if needed. Although a honeypot server may be a better idea to collect a wider range of sample data to build some rules from.
[X] Severity: S1 - Affects critical data or functionality and forces users to employ a workaround. [X] Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.