I signed up for an event (event1) by selecting "other" in the payment methods (Payment Method Pack).
The order status was pending, so the event didn't show up in the signups tab. Fine.
The second time, I signed up for another event (event2). This time I used a credit card and the order was completed, but both events (event1 & event2) show up in the signups tab. The order for event1 is still pending payment, so it shouldn't be shown.

We already have contact information for this attendee in our system.
Attending:
event1 - Tue, 01/11/2011 - 11:21
event2 - Tue, 01/11/2011 - 11:26

Comment | File | Size | Author
#8 | 1005352.patch | 2.92 KB | ezra-g

Comments

technikh’s picture

Priority: Major » Critical
Issue tags: +bug, +Ubercart, +integration, +signup

Changing the status to critical as this is a serious security hole.

I see that for pending orders $_SESSION['uc_signup'] is not unset after completing the checkout.
This is causing the module to think that the previous node is also part of the current order.

Can anyone please confirm this bug?

Mat77’s picture

Getting the same bug:

I'm signing up 2 persons (one in the db, one whose profile I create).
I complete the payment, users are signed up, good.

After that, I'm doing the same process.
But after I set the email addresses of the new subscriber, I can see the 2 first users' info.

As technikh said, it's a problem with the variable $_SESSION not being flushed after an order.

Any patch available?

Mat

Mat77’s picture

Found a way to get rid of it:

If you're using the Atos/Sips module, in uc_atos.module, line 104:

unset($_SESSION['cart_order'], $_SESSION['do_complete']);

I just added the uc_signup session:

unset($_SESSION['cart_order'], $_SESSION['do_complete'], $_SESSION['uc_signup']);

Works for now, but I didn't test every possibility and it's a module hack, so a real solution would be better.

technikh’s picture

My temporary fix was this:
I wrote a conditional action (Action: Execute custom PHP code) which triggers on "Trigger: Customer completes checkout".
The action performs this: unset($_SESSION['uc_signup']);
This fixed the problem.
Is it necessary to unset these: $_SESSION['cart_order'] and $_SESSION['do_complete']?

Worked for now, but not sure if this breaks something.

ezra-g’s picture

Title: bug with pending orders » Signups incorrectly finalized for all of a user's orders.
Version: 6.x-1.0-beta6 » 6.x-1.x-dev
Issue tags: -bug, -Ubercart, -integration, -signup

Thanks for pointing this out. I was able to replicate this behavior, and this is definitely something we want to fix.

Purchase nid 20, pay via check:

mysql> select * from uc_signup_log;
+-----+-----+-----+------+
| oid | sid | uid | type |
+-----+-----+-----+------+
| 100 | 148 | 1 | 0 |
+-----+-----+-----+------+
1 row in set (0.00 sec)

mysql> select * from signup_log;
+-----+-----+-----+--------------------------------+-------------+-----------+----------+---------------------+
| sid | uid | nid | anon_mail | signup_time | form_data | attended | count_towards_limit |
+-----+-----+-----+--------------------------------+-------------+-----------+----------+---------------------+
| 148 | 0 | 20 | placeholder-101826@example.com | 1307026814 | a:0:{} | NULL | 1 |
+-----+-----+-----+--------------------------------+-------------+-----------+----------+---------------------+
1 row in set (0.00 sec)

Purchase nid 4, pay via credit card:

At the attendee contact form, "Please enter additional information about this attendee." displays nids 4 *and* 20.
Checkout with the new order for nid 4:

mysql> select * from signup_log;
+-----+-----+-----+--------------------------------+-------------+-----------+----------+---------------------+
| sid | uid | nid | anon_mail | signup_time | form_data | attended | count_towards_limit |
+-----+-----+-----+--------------------------------+-------------+-----------+----------+---------------------+
| 148 | 0 | 20 | placeholder-101826@example.com | 1307026814 | a:0:{} | NULL | 1 |
| 149 | 1 | 20 | | 1307026907 | a:0:{} | NULL | 1 |
| 150 | 1 | 4 | | 1307026907 | a:0:{} | NULL | 1 |
+-----+-----+-----+--------------------------------+-------------+-----------+----------+---------------------+
3 rows in set (0.00 sec)

mysql> select * from uc_signup_log;
+-----+-----+-----+------+
| oid | sid | uid | type |
+-----+-----+-----+------+
| 100 | 148 | 1 | 0 |
| 101 | 149 | 1 | 1 |
| 101 | 150 | 1 | 1 |
+-----+-----+-----+------+
3 rows in set (0.00 sec)

ezra-g’s picture

We need to remove the signup information from the session when checkout doesn't fail, and we need to verify that products in the session are actually present in the order.

ezra-g’s picture

Title: Signups incorrectly finalized for all of a user's orders. » Signups incorrectly finalized across orders when products from uncompleted orders remain in $_SESSION

ezra-g’s picture

Status: Active » Needs review
Status | File | Size
new | | 2.92 KB

Here's a patch that in my testing corrects this issue in 2 ways: We check that all product nids in the session match product nids in the order, and we clear out the session when hook_order case 'submit' runs.

uc_signup_cart_view_form_submit() should make the data in the session more consistent with what's in the cart, but the submit handling currently in uc_signup is written to be compatible with Ubercart dev, or the upcoming 2.5 release.

It would be great to get feedback on whether this resolves the issue for you. In general, I plan to commit this.
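
The two checks described in the comment above, as an added example that is not part of the thread or the uc_signup patch. The function names and the nid => attendee e-mails shape used for `$_SESSION['uc_signup']` are assumptions made for illustration, and capping attendees at the purchased quantity goes beyond what the patch description states.

```php
<?php
// Added illustration, not uc_signup code. Assumed (hypothetical) shapes:
//   $pending:   nid => list of attendee e-mails collected before checkout
//   $order_qty: nid => quantity of that product on the order being submitted

// Keep only the attendees that the submitted order actually pays for.
function example_reconcile_signups(array $pending, array $order_qty) {
  $kept = array();
  $dropped = array();
  foreach ($pending as $nid => $mails) {
    $mails = array_values(array_unique($mails));
    if (!isset($order_qty[$nid])) {
      // Left over from an earlier, uncompleted order: never finalize it.
      $dropped[$nid] = $mails;
      continue;
    }
    // Never sign up more people than the quantity that was bought.
    $qty = max(0, (int) $order_qty[$nid]);
    $kept[$nid] = array_slice($mails, 0, $qty);
    $extra = array_slice($mails, $qty);
    if ($extra) {
      $dropped[$nid] = $extra;
    }
  }
  return array('kept' => $kept, 'dropped' => $dropped);
}

// Run once when the order is submitted: reconcile, then clear the session
// key so the next order starts from an empty attendee list.
function example_on_order_submit(array &$session, array $order_qty) {
  $pending = isset($session['uc_signup']) ? $session['uc_signup'] : array();
  $result = example_reconcile_signups($pending, $order_qty);
  unset($session['uc_signup']);
  return $result;
}

// Constructed sample mirroring the thread: nid 20 was entered for an earlier
// pending order; the order being submitted contains only nid 4, quantity 1.
$session = array('uc_signup' => array(
  20 => array('first@example.com'),
  4  => array('second@example.com', 'third@example.com'),
));
$result = example_on_order_submit($session, array(4 => 1));
var_export($result);                      // kept: nid 4 with one attendee
var_export(isset($session['uc_signup'])); // false: nothing carries over
```

A stricter variant would refuse the checkout when anything lands in `dropped` instead of silently discarding it.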

ezra-g’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

technikh’s picture

Status: Closed (fixed) » Active

A similar problem still exists with "in checkout" orders.

Steps to reproduce:
1) I added quantity 2 for an event in the cart and clicked on checkout.
2) Signed up myself and my colleague.
3) On the checkout page (https://example.com/cart/checkout) I went back to my cart, changed the quantity to 1 and clicked checkout.
4) I see myself and my colleague in "Attendee Signup Information".

So I paid once for an event and I got two people signed up.
Same thing with multiple products too.

ezra-g’s picture

Thanks for these steps. I will try to reproduce today.

ezra-g’s picture

Status: Active » Postponed (maintainer needs more info)

I'm unable to reproduce this behavior with the latest dev version of uc_signup. Can you confirm that you're using this version?

If so, I'd like to make myself available today to see this issue in your environment. Please find me in IRC as ezra-g or use my Drupal.org contact form to get in touch.

ezra-g’s picture

Also, please specify the version of Ubercart core that you are using.

technikh’s picture

Status: Postponed (maintainer needs more info) » Closed (fixed)

I updated to the latest uc_signup dev version and this issue got fixed.

FYI:
I didn't have this issue before with the beta version.
I updated to the dev version on 2011-06-11 and got this bug.
Finally the latest dev version fixed it. I didn't have to update the Ubercart or Signup module.

ezra-g’s picture

Thanks for the followup - Glad that's resolved!