mitodl / mitxpro

BSD 3-Clause "New" or "Revised" License

Learner can sign up for a SPOC by using a discount code instead of an enrollment code #2558

Closed cachob closed 1 year ago

cachob commented 1 year ago

Steps to Reproduce

Open https://xpro.mit.edu/checkout/?product=465
Select Course Runs if needed
Enter code XPRO23 in enrollment/promotional code
Click Place Your Order

Expected Behavior

The code XPRO23 should be tagged as invalid and not allow the learner to go past the checkout screen and get enrolled. This is a SPOC where learners are provided with enrollment codes, and it is not open to the public.

Actual Behavior

Learner gets enrolled in the course. This allows any learner to enroll themselves in SPOCs without an enrollment code. It is believed that the learner may have manipulated the checkout URL to find this SPOC.

Stacktrace

(Optional)

Related Issues

(Optional)

Screenshot or Screencast

(Optional)

cachob commented 1 year ago

@pdpinch

rachellougee commented 1 year ago

@cachob @pdpinch How do we currently determine if the course is SPOC or not? The README says the Live checkbox should not be checked if it's SPOC, is that right? (I see these courses are all live.) Otherwise, the only way we know if it's SPOC is to see if it has a catalog page. Please let me know if I misunderstand something here.

pdpinch commented 1 year ago

Good question.

I think the relevant setting here is the product version has requires_enrollment_code set to True. And a basic marketing coupon code shouldn't be treated like an enrollment code.

https://github.com/mitodl/mitxpro/blob/8d4324b4624ab445e4888135d07f80d98d1c9c7b/ecommerce/models.py#L211-L214

Ferdi commented 1 year ago

If there is a setting that is not respected, then it's a bug.

When I read the issue, it did not look like a bug to me

price of the course = $x

If price = $0 then by definition the coupon code functions as an enrollment code (100% discount). Why wouldn't the user be enrolled?

rachellougee commented 1 year ago

Thank you. Looks like there is a validation in place to prevent that:

```python
# check for require enrollment code
if product_version.requires_enrollment_code and not coupon_version:
    raise ValidationError({"coupons": "Enrollment / Promotional Code is required"})
```

I will reproduce it on QA to see if this causes the issue

pdpinch commented 1 year ago

It should only allow an enrollment code, not a promotional code.

cachob commented 1 year ago

@rachellougee you can use this course to troubleshoot instead of the Boeing SPOC https://xpro.mit.edu/checkout/?product=program-v1:xPRO+MLx-SL

rachellougee commented 1 year ago

"XPRO23" is a global promo code, our validation lets global code apply to any product. Per discussion with Peter and Bon yesterday, I am adding a check to prevent the 'promo' code from being treated as an enrollment code if the product version requires_enrollment_code checked. The user will get a generic message "Enrollment / Promotional Code 'XPRO23' is invalid" if they try to apply the promo code, but the message can be changed if confusion