vtdung2305 / bakesale

Automatically exported from code.google.com/p/bakesale

False (empty) orders can be emailed to shop owner #26

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Append "/orders/success" to any BakeSale shop.

Accessing /orders/success on any BakeSale shop will create a new order and
fire two emails, one of them to SHOP_EMAIL.

This is a not-desired situation, as any bot/spider indexing that URI, an
unexpected reload of the page or just a malicious user can cause false
email orders to be emailed and false registries to be inserted into the database.

Original issue reported on code.google.com by jaime.it...@gmail.com on 19 Mar 2008 at 1:10

GoogleCodeExporter commented 9 years ago
This seems to be fixed in the current bakesale 1.2.2 bugfix2?
The method below only converts the order once in my case:

```php
function success() {
    // Load the current cart; an empty cart skips order creation entirely.
    $data = $this->cart_contents();
    if(!empty($data)) {
        // Merge the order details held in the session into the cart's order.
        $data['Order'] = array_merge($data['Order'], $this->Session->read('Order'));
        $data['Order']['session'] = '';
        $data['Order'] = $this->convert($data['Order']);
        // Save the order, convert its line items, then send the order e-mail.
        $this->Order->save($data);
        $this->LineItem->convert($data['LineItem']);
        $this->__emailOrder($data['Order']['id']);
        $this->set(compact($data));
    }
}
```

Original comment by m.willer...@gmail.com on 16 Oct 2008 at 1:46
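
An added example, not BakeSale's code and not written by any commenter in this thread: a plain-PHP sketch of the reported failure mode (a success URL that creates and mails an order on every request) beside a guarded handler that needs a non-empty cart and a one-time token. `OrderStore`, the session array layout and the `checkout_token` key are assumptions made for the illustration.

```php
<?php
// Added illustration: plain PHP stand-ins, not BakeSale or CakePHP code.
// OrderStore, the session layout and 'checkout_token' are hypothetical names.

final class OrderStore
{
    public array $orders = [];
    public array $sentMail = [];

    // Stores the order and records the notification that would be mailed.
    public function create(array $cart): int
    {
        $this->orders[] = $cart;
        $id = count($this->orders);
        $this->sentMail[] = "order #$id to shop owner";
        return $id;
    }
}

// Behaviour described in the report: every request creates an order and mails it.
function successUnguarded(OrderStore $store, array &$session): int
{
    return $store->create($session['cart'] ?? []);
}

// Guarded variant: needs a non-empty cart and the one-time token issued at checkout.
function successGuarded(OrderStore $store, array &$session, string $token): ?int
{
    $expected = $session['checkout_token'] ?? '';
    if (empty($session['cart']) || $expected === '' || !hash_equals($expected, $token)) {
        return null; // crawler hit, page reload or forged request: no order, no e-mail
    }
    $id = $store->create($session['cart']);
    unset($session['cart'], $session['checkout_token']); // consume state so a reload is a no-op
    return $id;
}

// Constructed sample sessions.
$store = new OrderStore();
$crawler = [];                                    // visitor who never filled a cart
$token = bin2hex(random_bytes(16));
$buyer = ['cart' => [['sku' => 'demo-1', 'qty' => 2]], 'checkout_token' => $token];

var_dump(successUnguarded($store, $crawler));     // direct hit on the unguarded handler
var_dump(successGuarded($store, $crawler, ''));   // same visitor against the guarded handler
var_dump(successGuarded($store, $buyer, $token)); // genuine checkout
var_dump(successGuarded($store, $buyer, $token)); // reload of the success page
var_dump(count($store->sentMail));                // notifications recorded in total
```

Clearing the cart and token after the save is what makes a reload harmless; the token check covers a request that arrives while a cart still exists.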

GoogleCodeExporter commented 9 years ago

Original comment by putkonen...@gmail.com on 13 Apr 2009 at 8:58