Contact getting hijacked when a new account is created


Thomas

May 8, 2012, 8:29:22 AM5/8/12
to satchm...@googlegroups.com
Hi,

I have a nasty bug where one of the rows in the contact_contact table is getting re-allocated to a new user.

It happens if I have logged in to the store in one browser window, and then (in another new window) I create a new account by browsing to /accounts/register/ . It doesn't happen if I log out first.

What happens in the db is that the original user that I was logged in as (who had his user profile all set up) "loses" his user profile. What has happened is that the 'contact' for that user no longer exists for him because it is now "pointing" at the new user, i.e. its user_id field is now pointing at the new 'id' in auth_user.

I haven't made any changes to the login code in Satchmo besides changing registration_form.html

Is it possible that the registration form is reading some of the user information from the POST request, and taking over the contact that belongs to the former user?

Many thanks
Thomas

Thomas

May 8, 2012, 10:03:21 AM5/8/12
to satchm...@googlegroups.com
I reproduced the fault, and then did a 'diff' on the database. Here is the smoking gun:

+INSERT INTO "auth_user" VALUES(138,'newuser','New','User','y...@n.org',...

-INSERT INTO "contact_contact" VALUES(1,'','Old','User',2,'Customer',NULL,'1999-01-01','x...@n.org','','2012-04-30');
+INSERT INTO "contact_contact" VALUES(1,'','New','User',138,'Customer',NULL,'1999-02-02','y...@n.org','','2012-04-30');

You can see clearly that a) record number 1 is being re-used, and that b) it is now pointing at the new user created with id 138.

Thomas

May 9, 2012, 1:42:20 AM5/9/12
to satchm...@googlegroups.com
I'm pretty sure this is a bug in Satchmo. Here's my fix:

diff -paurb src.orig//satchmo/satchmo/apps/satchmo_store/accounts/views.py src//satchmo/satchmo/apps/satchmo_store/accounts/views.py
--- src.orig//satchmo/satchmo/apps/satchmo_store/accounts/views.py    2012-03-30 07:42:40.000000000 +0200
+++ src//satchmo/satchmo/apps/satchmo_store/accounts/views.py   2012-05-09 07:33:01.000000000 +0200
@@ -194,7 +194,7 @@ def register_handle_form(request, redire
     if request.method == 'POST':
         form = RegistrationForm(request.POST)
         if form.is_valid():
-            contact = form.save(request)
+            contact = form.save(request,force_new=True)

             # look for explicit "next"
             next = request.POST.get('next', '')
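Review bot: the view now passes force_new=True to form.save, but nothing in this hunk shows that RegistrationForm.save accepts that keyword; if the form side is not part of the same patch, every POST to /accounts/register/ will fail with a TypeError, so include the form change (or confirm the parameter already exists) when the ticket is opened. The fix also treats the symptom rather than the trigger described above, which needs an already-authenticated session: a check on request.user.is_authenticated() before form.save (log the user out or redirect to the existing account) would stop the contact being re-pointed regardless of how save resolves the contact. Minor: PEP 8 wants a space after the comma, `form.save(request, force_new=True)`.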

Chris Moffitt

May 9, 2012, 3:22:47 PM5/9/12
to satchm...@googlegroups.com
Could you open up a ticket and include this patch, along with the method to reproduce. I'll take a look at it.

-Chris

--
You received this message because you are subscribed to the Google Groups "Satchmo users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/satchmo-users/-/U78SQFRryXAJ.

To post to this group, send email to satchm...@googlegroups.com.
To unsubscribe from this group, send email to satchmo-user...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/satchmo-users?hl=en.

hynekcer

May 10, 2012, 4:57:07 AM5/10/12
to Satchmo users
Thomas, are you sure that you can edit your user profile without creating a new contact every time you edit anything? I'm afraid that the fix can create a new issue.

In general:
Preserving the cart runs contrary to a clean registration, and if you write a fix you should think of both.

I think that the right solution (if anyone has time) is:
1) Upgrade Satchmo to use the new class-based django-registration.
2) Customize the creation of new accounts so that:
- if a user is logged in, a new session is started (in order not to mix contacts, carts etc.)
- if no user is logged in, continue with the same session (in order to preserve the cart etc.)
3) Look at threadlocals caching and clear session-related things if a new session is started.

Upgrading django-registration is more effective; otherwise a fix for the old one will soon have to be rewritten again.

Maybe point 1) will be sufficient.

--Hynek
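The following is an added example, not Satchmo code and not written by anyone in this thread. It is a self-contained model of the contact-resolution step that the bug report and the database diff point at, and it assumes (from the thread, not verified against the Satchmo source) that the registration form's save() first looks up a Contact for whoever the request's session says is logged in and then re-points that Contact at the freshly created auth user. The functions `register_original`, `register_force_new` and `register_guarded` are hypothetical names standing in for the original behaviour, Thomas's force_new patch and Hynek's "new session if a user is logged in" proposal; the in-memory `Store`, the users and the form data are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class User:
    id: int
    username: str


@dataclass
class Contact:
    id: int
    first_name: str
    last_name: str
    user_id: Optional[int]  # FK to auth_user.id, as in contact_contact


@dataclass
class Request:
    """Stand-in for the Django request: the session's user and the POSTed form."""
    user: Optional[User]  # authenticated user, None when anonymous
    post: Dict[str, str]  # constructed registration form data


@dataclass
class Store:
    """In-memory stand-in for the auth_user and contact_contact tables."""
    users: Dict[int, User] = field(default_factory=dict)
    contacts: Dict[int, Contact] = field(default_factory=dict)

    def create_user(self, username: str) -> User:
        uid = max(self.users, default=0) + 1
        self.users[uid] = User(uid, username)
        return self.users[uid]

    def contact_from_request(self, request: Request) -> Optional[Contact]:
        """Assumed lookup: the contact of whoever is logged in, else None."""
        if request.user is None:
            return None
        return next((c for c in self.contacts.values() if c.user_id == request.user.id), None)

    def create_contact(self, first: str, last: str) -> Contact:
        cid = max(self.contacts, default=0) + 1
        self.contacts[cid] = Contact(cid, first, last, None)
        return self.contacts[cid]


def register_original(store: Store, request: Request) -> Contact:
    """Behaviour the thread describes: reuse whatever contact the request resolves to."""
    new_user = store.create_user(request.post["username"])
    contact = store.contact_from_request(request)
    if contact is None:
        contact = store.create_contact(request.post["first_name"], request.post["last_name"])
    contact.first_name = request.post["first_name"]
    contact.last_name = request.post["last_name"]
    contact.user_id = new_user.id  # with a logged-in session this re-points the old user's row
    return contact


def register_force_new(store: Store, request: Request) -> Contact:
    """Thomas's patch: registration always creates a fresh contact."""
    new_user = store.create_user(request.post["username"])
    contact = store.create_contact(request.post["first_name"], request.post["last_name"])
    contact.user_id = new_user.id
    return contact


def register_guarded(store: Store, request: Request) -> Contact:
    """Hynek's point 2): drop the authenticated session before registering,
    keep it (cart and all) when the visitor is anonymous."""
    if request.user is not None:
        request = Request(user=None, post=request.post)  # models session flush + logout
    return register_original(store, request)


def seed() -> Tuple[Store, Contact]:
    """Old user with a fully set-up contact, mirroring the dump in the thread."""
    store = Store()
    old_user = store.create_user("olduser")
    old_contact = store.create_contact("Old", "User")
    old_contact.user_id = old_user.id
    return store, old_contact


def run(handler: Callable[[Store, Request], Contact]) -> Tuple[int, int, int]:
    """Register 'newuser' from a browser that is still logged in as 'olduser'.
    Returns (old contact's user_id afterwards, new user's id, contact row count)."""
    store, old_contact = seed()
    request = Request(user=store.users[old_contact.user_id],
                      post={"username": "newuser", "first_name": "New", "last_name": "User"})
    handler(store, request)
    return old_contact.user_id, max(store.users), len(store.contacts)


if __name__ == "__main__":
    for name, handler in [("original", register_original),
                          ("force_new", register_force_new),
                          ("guarded", register_guarded)]:
        old_uid, new_uid, rows = run(handler)
        print(f"{name:10s} old contact -> user {old_uid}, new user {new_uid}, contact rows {rows}")
```

With the original resolution the old contact ends up pointing at the new user's id and the table still has a single row, which is exactly the shape of the dump diff (same contact id 1, user_id moved to the new auth_user). Both fixes leave the old contact on its owner and add a second row; the difference is that the force_new variant changes what save() does for every registration, while the guarded variant only changes the authenticated case and leaves the anonymous path, and whatever the session carries, untouched.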

Thomas

May 10, 2012, 5:11:24 AM5/10/12
to satchm...@googlegroups.com
Hynek, I've just done a quick test. I dumped the db, and then made some changes to a profile. After that I dumped the db and did a diff between the two. There was no new record created in contact_contact.

The only tables that were updated were: auth_user, contact_contact, and contact_addressbook. Definitely nothing new in contact_contact.

Also a new record was added to contact_addressbook for default shipping address, but I think that would be expected, because the account had never made a purchase before, and this record normally gets added then.

Let me know if I can do any more tests for you.

Regards,
Thomas