DragonByte eCommerce 1.3.4.1

Change log

Fix: Fix a race condition where viewing another user's pending order could remove their items from cart

Release notes

This is a re-release of v1.3.4 (which has also been patched) to fix an issue that could lead to data loss.

Given following scenario:
  • Another user's order is pending
  • The current viewing user is the owner of a product in the other user's cart (and thus can't purchase it)
  • The current viewing user visits the order log in the Admin control panel
In the above scenario, any order items whose products are owned by the current viewing user would be silently removed from the other user's cart.

The reason this occurred is that every time the order total is calculated for pending orders, the order items are validated to ensure that the user has the permission to buy the item in question.
This permission check did not ensure it was taking the buyer's permissions into account, so permissions were checked incorrectly.

The problem only revealed itself because of the Order log in the AdminCP, which is currently the only way it is possible to view another user's current pending order.

To clarify: The existing v1.3.4 release has also been patched, so if your eCommerce license has expired since the release of v1.3.4, you can re-download that version to obtain the fix.
  • Like
Reactions: Liam W
Top