When two customers check out concurrently for the same product and the total quantity being ordered is greater than the quantity available, the stock can become negative even if the ‘Store Checkout’ setting under Stock is set to ‘no’.
We have reproduced this behavior on a single machine, by performing the above steps by simulating one customer in one browser window and another customer in a second browser window.
One of the two checkouts fails to complete.
Both checkouts succeed and the quantity for the product is negative in the admin console.
Use your brain! It's not hard to come up with a solution that does not involve coding!
@TWarszawski - when a customer arrives in checkout, it creates an order in "Missing orders" status.
At that moment, the product is not "reserved" or subtracted from stock, because it's not bought yet. If the payment fails, the product will still be available.
E.g. think about PayPal payment. To be able to implement this in every payment module, they should pre-check the availability of the product at the moment of payment processing.
Or - they must "reserve" the product during checkout, which is even more complicated.
This can be something "nice to have", but if someone has a neat solution, I would be eager to look at it.
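The race described in this thread, as an added example (not OpenCart's code; the `product` table and its columns are assumed for illustration): the stale check-then-act write that lets stock go negative, beside a single-statement conditional decrement that refuses the second checkout. The two customers' steps are replayed in one thread in the order a concurrent checkout produces, so the outcome is deterministic.

```python
"""Lost-update race on a stock decrement: check-then-act vs an atomic conditional UPDATE.
Added example, not OpenCart code; schema and names are assumed for illustration."""
import sqlite3


def setup_db(initial_qty: int) -> sqlite3.Connection:
    """Constructed sample catalogue: one product with a known stock level."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (product_id INTEGER PRIMARY KEY, quantity INTEGER)")
    conn.execute("INSERT INTO product VALUES (1, ?)", (initial_qty,))
    conn.commit()
    return conn


def read_stock(conn: sqlite3.Connection, product_id: int) -> int:
    return conn.execute("SELECT quantity FROM product WHERE product_id = ?", (product_id,)).fetchone()[0]


def checkout_check_then_act(conn, product_id: int, qty: int, seen_qty: int) -> bool:
    """Vulnerable pattern: availability was checked on an earlier read (seen_qty) and the
    write happens later. Another checkout may have subtracted stock in between, so the
    check is stale and the unconditional decrement can drive quantity below zero."""
    if seen_qty < qty:
        return False
    conn.execute("UPDATE product SET quantity = quantity - ? WHERE product_id = ?", (qty, product_id))
    conn.commit()
    return True


def checkout_atomic(conn, product_id: int, qty: int) -> bool:
    """Hardened pattern: check and decrement are one statement, so the database evaluates
    them together under its row lock; rowcount tells the caller whether it applied."""
    cur = conn.execute(
        "UPDATE product SET quantity = quantity - ? WHERE product_id = ? AND quantity >= ?",
        (qty, product_id, qty))
    conn.commit()
    return cur.rowcount == 1


def race_check_then_act(initial_qty: int = 1):
    """Both customers read stock before either writes: both pass the check, stock goes negative."""
    conn = setup_db(initial_qty)
    a_seen, b_seen = read_stock(conn, 1), read_stock(conn, 1)
    results = (checkout_check_then_act(conn, 1, 1, a_seen), checkout_check_then_act(conn, 1, 1, b_seen))
    return results, read_stock(conn, 1)


def race_atomic(initial_qty: int = 1):
    """Same two checkouts with the conditional UPDATE: the second one is refused."""
    conn = setup_db(initial_qty)
    results = (checkout_atomic(conn, 1, 1), checkout_atomic(conn, 1, 1))
    return results, read_stock(conn, 1)
```

The single-use voucher case from the related ticket is the same pattern: mark the voucher spent only WHERE it is still unspent and act on the affected row count, rather than reading its status first and writing afterwards.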
FYI from @TWarszawski and Peter Bailis' recent paper, concerning the voucher vulnerability #4812 which has been closed and comments blocked:
For example, in Magento [6], OpenCart [7], and Oscar [8], users can buy a single gift card, then spend it an unlimited number of times by concurrently issuing checkout requests.
The responses to these two tickets are baffling (and should be concerning to OpenCart users). I guess it will make for an entertaining slide at SIGMOD in a few weeks though.
No, it can not. If the voucher is over, it will return the order status as fraud.
On 13 April 2017 at 06:01, Brandon Simmons notifications@github.com wrote:
FYI from @TWarszawski (https://github.com/TWarszawski) and Peter Bailis' recent paper (http://www.bailis.org/papers/acidrain-sigmod2017.pdf), concerning the voucher vulnerability #4812 (https://github.com/opencart/opencart/issues/4812) which has been closed and comments blocked:
For example, in Magento [6], OpenCart [7], and Oscar [8], users can buy a single gift card, then spend it an unlimited number of times by concurrently issuing checkout requests.
The responses to these two tickets are baffling (and should be concerning to OpenCart users). I guess it will make for an entertaining slide at SIGMOD in a few weeks though.
Hello Daniel (@danielkerr),
Clearly, based on their research (@TWarszawski) into the concurrent (ACIDRain) attacks on your product, the voucher can be misused before it is over.
Perhaps you have been a little bit too fast in responding to all the previous people mentioning this issue – without reading the full posts and related reports. No problem though, I understand, we are all busy.
Brandon (@jberryman) didn't talk about the expired (or already used) vouchers either. The problem relates only to the fast, concurrent attacks on the unspent vouchers.
Your further thoughts on this serious issue?
Kind regards,
Tomas J Stehlik