
Logged in backend user overrules frontend user session when retrieving basket #226

Open
Physikbuddha opened this issue Nov 12, 2024 · 1 comment

Comments

@Physikbuddha

This issue is not easily explained in two sentences.

While testing our website shop running Aimeos, I created a fresh, new frontend user and logged myself in. We are not using the frontend user creation feature of Aimeos, but have our own registration process on top.

I put an item in the basket and proceeded to the checkout flow.
I noticed that for some unknown reason during the "Enter Address" step, none of the radio buttons to choose an address was selected, so I tried to click Next without checking anything to see what would happen.
I was expecting an error message, but the checkout process just went on to the next step (Payment method).

This behaviour is not really wanted, but let's keep that aside for a second.
When I got to the "Summary" step, I was expecting an empty "Invoice address", since I didn't check any.
However, the summary step was showing the full address of the user that was logged in previously.

To make things short, I did some research and debugging into this.
It turned out that the same basket from the previous user was recycled for the newly created user.

Why did this happen?
Well, it's because I was still logged in to the TYPO3 backend with the same backend admin user.

To fetch the frontend user's basket, a `$key` is generated using `$key = $token . '-' . $sitecode . '-' . $language . '-' . $currency . '-' . $type;`.
`$token` is fetched from the currently logged-in user's session.

The code responsible for fetching the token resides in `aimeos/aimeos-typo3/Classes/Base/Context.php` in `addToken()`.

However, before fetching the frontend user's ID, a check to the current session is made whether it already contains a token.
When there's an active backend login, the token of that backend user will be returned.

This behaviour is unexpected in my eyes. I would expect an Aimeos basket being tied to the current frontend user, not the backend one.

@aimeos
Owner

aimeos commented Nov 13, 2024

I guess the main problem is that the context prefers TYPO3 backend sessions over frontend sessions:

```php
// Excerpt from Classes/Base/Context.php: a backend user, when present, is
// checked first and its session is used; the frontend user only applies otherwise.
if (isset($GLOBALS['BE_USER']) && !($GLOBALS['BE_USER'] instanceof $class)) {
    $session = new \Aimeos\Base\Session\Typo3($GLOBALS['BE_USER']);
} elseif (isset($GLOBALS['TYPO3_REQUEST']) && ($user = $GLOBALS['TYPO3_REQUEST']->getAttribute('frontend.user'))) {
    $session = new \Aimeos\Base\Session\Typo3($user);
}
```

If I remember correctly, this was done to avoid security issues.
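The following is an added illustration of the precedence problem described in this thread; it is not code from aimeos/aimeos-typo3 or from either participant. It replaces TYPO3's globals with small stand-in classes (`FakeUser`, `FakeRequest`, both constructed here), omits the `instanceof $class` guard from the real excerpt, and the "frontend-first" variant is an assumption used to show the effect of the ordering, not the project's fix.

```php
<?php
// Added example: models how the session source chosen by the context decides
// which basket key a frontend visitor ends up with. All classes and data below
// are constructed stand-ins, not TYPO3 or Aimeos code.

declare(strict_types=1);

/** Stand-in for a TYPO3 user authentication object that carries a session id. */
final class FakeUser
{
    public function __construct(public readonly string $kind, public readonly string $sessionId) {}
}

/** Stand-in for the request object whose 'frontend.user' attribute the excerpt reads. */
final class FakeRequest
{
    public function __construct(private ?FakeUser $frontendUser) {}

    public function getAttribute(string $name): ?FakeUser
    {
        return $name === 'frontend.user' ? $this->frontendUser : null;
    }
}

/** Selection order as quoted in the thread: a backend user, if present, wins. */
function selectSessionUserBackendFirst(array $globals): ?FakeUser
{
    if (isset($globals['BE_USER'])) {
        return $globals['BE_USER'];
    }
    if (isset($globals['TYPO3_REQUEST']) && ($user = $globals['TYPO3_REQUEST']->getAttribute('frontend.user'))) {
        return $user;
    }
    return null;
}

/**
 * Assumed alternative for this example (not the project's fix): when the request
 * carries a frontend user, bind to that session and fall back to the backend
 * user only when no frontend session exists at all.
 */
function selectSessionUserFrontendFirst(array $globals): ?FakeUser
{
    if (isset($globals['TYPO3_REQUEST']) && ($user = $globals['TYPO3_REQUEST']->getAttribute('frontend.user'))) {
        return $user;
    }
    if (isset($globals['BE_USER'])) {
        return $globals['BE_USER'];
    }
    return null;
}

/** Basket key built the way the issue describes it, from the chosen session token. */
function basketKey(string $token, string $site, string $lang, string $currency, string $type): string
{
    return $token . '-' . $site . '-' . $lang . '-' . $currency . '-' . $type;
}

// Constructed scenario: an admin is logged in to the backend while two different
// frontend accounts log in one after the other in the same browser.
$backendAdmin  = new FakeUser('backend', 'be-sess-admin');
$firstShopper  = new FakeUser('frontend', 'fe-sess-alice');
$secondShopper = new FakeUser('frontend', 'fe-sess-bob');

foreach ([$firstShopper, $secondShopper] as $shopper) {
    $globals = ['BE_USER' => $backendAdmin, 'TYPO3_REQUEST' => new FakeRequest($shopper)];

    $backendFirst  = selectSessionUserBackendFirst($globals);
    $frontendFirst = selectSessionUserFrontendFirst($globals);

    printf("%-14s backend-first  key: %s\n", $shopper->sessionId,
        basketKey($backendFirst->sessionId, 'default', 'en', 'EUR', 'default'));
    printf("%-14s frontend-first key: %s\n", $shopper->sessionId,
        basketKey($frontendFirst->sessionId, 'default', 'en', 'EUR', 'default'));
}
```

Running the script shows the two orderings side by side: with the backend user preferred, both frontend logins resolve to the same backend session token and therefore the same basket key, which is the basket reuse the reporter observed; with the frontend session preferred, each login gets its own key. A regression check for this class of bug is to assert, in an integration test that keeps a backend login active, that two distinct frontend sessions never share a basket key.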
