s1155002037 / shop03


[P3B-3] Shopping list information #1

Closed. s1155030186 closed this 9 years ago.

s1155030186 commented 9 years ago

localStorage is filled with data in the following form: {bookid, quantity, bookname, bookprice}

By requirement, it should store {pid, number} and request {prod_name, price} from AJAX.

Users may change the localStorage so that they can buy products at the cheapest price.

It is expected to restore the correct product information by sending a request to the server.

From the photo, we can see that when a product is updated, the shopping list is not updated. A wrong decision may be made due to the wrong data. Or, if you send the whole thing to the server and the server does not check the relation of the product, it will receive an unexpected total from the client. Moreover, it may cause a worse user experience on this website, as the user may be misled by the wrong amount on the shopping list.

Possible fix: request the price and name by AJAX using (pid, quantity), and do not trust the client localStorage directly.

s1155002037 commented 9 years ago

The price and name of products are fetched on the server side by AJAX; you can check the source code to be sure. The localStorage stores the price information, but only pid and quantity are sent as parameters.

s1155030186 commented 9 years ago

I know what you mean, but after the AJAX pulls down the price, the price can be changed on the client side using JavaScript. After refreshing the page, the shopping cart is restored from localStorage only.

Here is the function you use for the shopping list restoration, which doesn't call the server side to check the amount again.

```javascript
// Client-side cart restoration: the total is summed from the price that was
// saved in localStorage, without asking the server for the current price.
var total = 0;
var shoppingCartItems = JSON.parse(localStorage.shoppingCart);
$.each(shoppingCartItems, function(id, bookItem){
    total += bookItem.quantity * bookItem.bookPrice;
});
```

s1155002037 commented 9 years ago

The server recalculates the price and does not receive any information about the price from the client side. The following code proves this. It is from routes/checkout, which handles the shopping cart. The code you pasted is only for the client-side shopping cart display.

```javascript
// routes/checkout (excerpt as posted; router, isLoggedIn and models are
// defined elsewhere in the project). Only req.query.id and req.query.quantity
// come from the client; product names and prices are read from the database.
router.get('/', isLoggedIn, function(req, res){
    var fullUrl = req.protocol + '://' + req.get('host') + req.baseUrl;
    console.log('req.fullUrl', fullUrl);
    var booksToBuy = [];
    var booksToBuy2 = [];
    models.Product.findAll().then(function(products){
        var total = 0;
        products.forEach(function(product){
            var quantity = 0;
            var price = 0;
            var subtotal = 0;
            //console.log('pid = '+product.id);
            //console.log('query id = '+typeof(req.query.id[1]));
            //console.log('== '+req.query.id.indexOf('1'));
            // req.query.id and req.query.quantity are expected to be parallel
            // arrays (e.g. ?id=1&id=2&quantity=1&quantity=3)
            if(req.query.id.indexOf(product.id.toString()) != -1){
                console.log(product.productName);
                quantity = req.query.quantity[req.query.id.indexOf(product.id.toString())];
                price = parseFloat(Math.round(product.productPrice*100)/100).toFixed(2);
                subtotal = parseFloat(product.productPrice)*parseFloat(quantity);
                total = total + subtotal;
                var bookToBuy = {'sku':req.query.id[req.query.id.indexOf(product.id.toString())],
                                 'name':product.productName, 'price':price,
                                 'currency':'USD', 'quantity':quantity};
                booksToBuy.push(bookToBuy);
            }
        });
        total = parseFloat(Math.round(total*100)/100).toFixed(2);
        // ... the rest of the handler was not included in the comment
    });
});
```

hkop2002 commented 9 years ago

[TA comment] Non-security issue. Not fixed. The price should also be correct on the client side.
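The three behaviours argued over in this thread, as an added stand-alone Node.js example (not code from the shop03 repository; the catalog, the tampered localStorage contents and the function names are constructed for illustration): a cart total summed from prices cached in localStorage, the server-side recomputation from (pid, quantity) against the catalog, and the restoration the TA asks for, where the client stores only {pid, quantity} and re-fetches name and price on load. The server function also normalises the query to arrays and validates quantities, which the posted handler does not do; that is an addition here, not a claim about the project.

```javascript
// Added example, not code from shop03. Constructed stand-in for the Product
// table the server queries; prices are kept in integer cents.
const CATALOG = {
  1: { name: 'Intro to Databases', priceCents: 4500 },
  2: { name: 'Web Security 101',   priceCents: 3200 },
};

// Constructed localStorage.shoppingCart contents after the user has edited
// bookPrice in the browser and refreshed the page.
const TAMPERED_CART_JSON = JSON.stringify([
  { bookId: 1, quantity: 2, bookName: 'Intro to Databases', bookPrice: 0.01 },
  { bookId: 2, quantity: 1, bookName: 'Web Security 101',   bookPrice: 0.01 },
]);

// Mirrors the client-side restoration in the issue: the total is summed from
// whatever price the browser stored, so a tampered or stale price is shown as
// if it were real.
function clientTotalFromStorage(cartJson) {
  let total = 0;
  for (const item of JSON.parse(cartJson)) {
    total += item.quantity * item.bookPrice;
  }
  return Number(total.toFixed(2));
}

// Mirrors the server's checkout handler: only ids and quantities come from the
// request, name and price come from the catalog. Additions over the posted
// code: query values are normalised to arrays (Express yields a bare string for
// a single ?id=1), quantities are validated, unknown ids are rejected, and
// money is summed in integer cents.
function serverCheckout(query, catalog) {
  const ids = [].concat(query.id || []).map(String);
  const quantities = [].concat(query.quantity || []);
  if (ids.length !== quantities.length) {
    throw new Error('id/quantity length mismatch');
  }
  let totalCents = 0;
  const lines = [];
  ids.forEach((id, i) => {
    const product = catalog[id];
    const quantity = Number(quantities[i]);
    if (!product) throw new Error('unknown product id ' + id);
    if (!Number.isInteger(quantity) || quantity <= 0) {
      throw new Error('invalid quantity for product ' + id);
    }
    totalCents += product.priceCents * quantity;
    lines.push({
      sku: id,
      name: product.name,
      price: (product.priceCents / 100).toFixed(2),
      quantity,
    });
  });
  return { lines, total: (totalCents / 100).toFixed(2) };
}

// The fix suggested in the issue: keep only {pid, quantity} from storage and
// rebuild the displayed cart from server data on every page load. fetchProducts
// stands in for the AJAX call; here it is a synchronous catalog lookup.
function restoreCart(storedJson, fetchProducts) {
  const stored = JSON.parse(storedJson)
    .map(({ bookId, quantity }) => ({ pid: String(bookId), quantity }));
  const products = fetchProducts(stored.map((s) => s.pid));
  return stored.map((s) => ({
    pid: s.pid,
    quantity: s.quantity,
    name: products[s.pid].name,
    price: (products[s.pid].priceCents / 100).toFixed(2),
  }));
}

function fetchProductsFromCatalog(pids) {
  const out = {};
  for (const pid of pids) out[pid] = CATALOG[pid];
  return out;
}

// Usage: the displayed total from tampered storage versus what the server charges.
console.log('client total from localStorage:', clientTotalFromStorage(TAMPERED_CART_JSON));
console.log('server total:', serverCheckout({ id: ['1', '2'], quantity: ['2', '1'] }, CATALOG).total);
console.log('restored cart:', restoreCart(TAMPERED_CART_JSON, fetchProductsFromCatalog));
```

Run with `node` and compare the first two lines: the localStorage total reflects the edited prices, while the server total does not, which is the point s1155002037 makes; the restored cart shows the catalog price on the client as well, which is the point the TA and s1155030186 make.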