customers can order 7 items that have 5 items in inventory.

Comment: #1 | File: cart-5.x-3.x-dev-checkstock.patch | Size: 842 bytes | Author: djflux

Comments

djflux’s picture

Title: Quantity can be bypassed » Quantity can be bypassed - cart allows adding more items than are in stock/inventory
Component: tangible » cart
Status: new | Size: 842 bytes

I believe this issue to be more than just a tangible issue. I've applied the attached patch and it will place a warning on the site and not allow the items to be added to the cart.

djflux’s picture

Also check the patch here: http://drupal.org/node/141237

I've applied both to the 2007-05-11 tarball of 5.x-3.x-dev

djflux’s picture

Status: Active » Needs review

Sorry ... changing status to patch

TheRevolution.US’s picture

This does keep products that are already sold out from being added to the cart but there are three loopholes that will still add more items to cart than there are items in inventory. For these examples assume there is one item in inventory and you have already added it to your cart.

One way to add an extra item is by simply clicking the "add to cart" button again.

The second way is by clicking the "add" link in the "Products in cart" area which appears after adding the initial item.

The third is by updating the "quantity" field on the cart page.

Each of these allows for someone to accidentally add more items than are in inventory, therefore making this patch barely better than unpatched. This has been outstanding for a long time and I would love to see this fixed as it makes the entire ecommerce package unusable to people selling things in limited quantities, such as myself.

Thanks, Eric

djflux’s picture

Eric,

I believe the way the item quantity works is that it is not decremented until the item is in the shipped workflow status, or the transaction workflow status is set to complete(d) (I have to double check which one ... can't remember off the top of my head).

But, decrementing the count immediately could allow a malicious (or just oblivious) customer to go through your store and place all your stock in the cart, leaving no product available for other customers, effectively DOS'ing your inventory. Also, I think the default timeout for cart contents is something like 1 day, meaning someone could add products to their cart and abandon the transaction, but leaving some/all of your store's items in the cart and unavailable for purchase.

I believe the behavior of not decrementing inventory count when the item is added to the cart was a design decision (correct me if I'm wrong Gordon, or other EC developers). You could modify the code to decrement the inventory count as soon as the item is added to the cart, but if you do make that change, I'd recommend also changing the timeout of cart contents to something like minutes or hours instead of days.

I might actually do those changes myself depending on the outcome of a meeting I'm going to have with one of my partners. If we decide to go that route (decrementing inventory when it's added to the cart), I'll post a patch to this issue, as well as probably open another. These patches will be against 5.x-3.x-dev because that is the version of code we have decided to run on our production site.

TheRevolution.US’s picture

Thanks djflux that helps put things in perspective quite well.

Do you know if there would be a way to have the cart timeout after a time of inactivity of the session that loaded the cart in the first place? Having the cart emptied after 5 minutes of no page loads from that person's IP for example.

Also could you verify that this does in fact make ecommerce useless to those with limited stock?

Is this addressed in other cart software in a standard fashion?

Thanks Again, Eric

royal007’s picture

Any updates to this? This still hasn't been fixed.

mfb’s picture

Would be useful to have a configurable cart time limit. I've seen theater ticket sites that reserve your ticket as soon as you add to cart, but put a 15-minute counter on the page, counting down second-by-second, so you know you only have 15 minutes to checkout after adding the tickets to cart.
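The time-limited hold discussed in the comments above, sketched as an added example that is not part of this thread or of the e-Commerce module's code. The class `StockHolds`, its method names and the 900-second limit are assumptions for illustration; every cart entry point (the "add to cart" button, the "add" link and the quantity field) goes through the same clamp, and abandoned holds are released when the countdown ends.

```php
<?php
// Added example. StockHolds and its methods are hypothetical names,
// not the e-Commerce module's API. Requires PHP 8.0+.
final class StockHolds
{
    private array $holds = [];  // sku => [session => ['qty' => int, 'expires' => int]]

    // $stock maps sku => units on hand; $ttl is the hold lifetime in seconds.
    public function __construct(private array $stock, private int $ttl = 900) {}

    // Units this session may hold: stock minus other sessions' live holds.
    public function available(string $sku, string $session, int $now): int
    {
        $held = 0;
        foreach ($this->holds[$sku] ?? [] as $sid => $hold) {
            if ($hold['expires'] <= $now) {
                unset($this->holds[$sku][$sid]);  // abandoned cart: release the hold
            } elseif ($sid !== $session) {
                $held += $hold['qty'];
            }
        }
        return max(0, ($this->stock[$sku] ?? 0) - $held);
    }

    // Cart-page quantity field: sets the total, clamped to what is free.
    // Returns the quantity the session actually holds afterwards.
    public function setQuantity(string $sku, string $session, int $qty, int $now): int
    {
        $granted = max(0, min($qty, $this->available($sku, $session, $now)));
        // The countdown starts at the first add and is not extended by later edits.
        $expires = $this->holds[$sku][$session]['expires'] ?? ($now + $this->ttl);
        unset($this->holds[$sku][$session]);
        if ($granted > 0) {
            $this->holds[$sku][$session] = ['qty' => $granted, 'expires' => $expires];
        }
        return $granted;
    }

    // "Add to cart" button and the "add" link: increment through the same check.
    public function add(string $sku, string $session, int $n, int $now): int
    {
        $this->available($sku, $session, $now);  // drop expired holds first
        $have = $this->holds[$sku][$session]['qty'] ?? 0;
        return $this->setQuantity($sku, $session, $have + $n, $now);
    }
}

// Constructed scenario: one unit in stock, timestamps in seconds.
$h = new StockHolds(['widget' => 1], 900);
var_dump($h->add('widget', 'alice', 1, 0));           // first add
var_dump($h->add('widget', 'alice', 1, 10));          // clicking "add to cart" again
var_dump($h->setQuantity('widget', 'alice', 7, 20));  // editing the quantity field
var_dump($h->add('widget', 'bob', 1, 30));            // second customer while the hold is live
var_dump($h->add('widget', 'bob', 1, 900));           // second customer after the hold expires
```

In a real store the availability check and the write of the hold have to run inside one database transaction (or under a row lock); otherwise two concurrent requests can both pass the check and oversell.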

brmassa’s picture

Guys,

Our next version, the eC4, will have the eC Availability module that will handle this issue. Until then... no solution. Sorry.

regards,

massa

royal007’s picture

Where can I try the ec4 dev? I have looked but cannot find it.

thanks

brmassa’s picture

Status: Needs review » Fixed

royal007,

eC4 is, yet, only on our CVS.

you can get it using:
1* a CVS client
2* repository ":pserver@cvs.drupal.org:/cvs/drupal-contrib"
3* module "/contribuition/modules/ecommerce"
4* tag "DRUPAL-5--4"

soon we will publish the dev code as a beta.

regards,

massa

Anonymous’s picture

Status: Fixed » Closed (fixed)

Thomas Sewell’s picture

See also http://drupal.org/node/119230#comment-711738 for a combined patch that includes fixing the update cart button.