[solved] Serious bug relating to searches & Shopper Groups

Started by antonitus, May 06, 2012, 18:35:56 PM


antonitus

I think I found a serious bug in relation to Shopper Groups and searching, either using the 'VirtueMart Search Product' or the Joomla search module.

For example, I've set up 2 Shopper groups, for each shopper group, I've set up 2 of the same individual products with different prices for each shopper group.   For example, let me expand:-  'Shopper Group A' belongs to product list of 'Product A' and 'Shopper Group B' belongs to product list of 'Product B'.  The public (non-logged and with no special shopper group privileges) can only see 'Shopper Group A' with products belonging to 'Product A' and no other shopper group can see other shopper group products.  Now when someone who belongs to 'Shopper Group B' logs in, they will only be seeing products belonging to 'Product B' and nothing else.  This all works very well and as predicted.

However, the problem seems to lie when someone (whether logged in or not) goes to do a search for a product (either using the 'VirtueMart Search Product' module or the Joomla search module), will list all the products in both 'Shopper Group A' and 'Shopper Group B'.  Now this is not good as product prices of the same product will have different prices that only chosen Shopper Groups can see (1 shopper group used for the public and the other shopper group for wholesale).  This way, anyone who does not belong to that Shopper Group could buy the product at a reduced price (wholesale price) and this is not good for business.  The only way I can overcome this is if I remove any form of searching on the website, which I do not want to do.

Has anyone come across this?  If not, then there is a critical bug with Shopper Group functionality and the devs probably forgot to add code to overcome this issue (simple mistake to overlook I presume).
Joomla V3.5.1
Virtuemart V3.0.16

antonitus

#1
I also noticed another issue with Shopper Group permissions.  If someone checks out with products that 'Shopper Group A' can only see (see explanation above, previous post) and he/she logs in with 'Shopper Group B' permissions only, they can still purchase products for the eyes of 'Shopper Group A' only as well as whatever products are in 'Shopper Group B' permissions.  This again is wrong and should not be allowed to be purchased.  Products in Shopper groups that are not allowed to be viewed should automatically be removed from the cart.

Does anyone else agree with this?  The devs should look into this as it is a very important security issue in relation to what products belong to what shopper groups, otherwise what's the point of shopper groups if they do not work properly.

antonitus

Are there any VM developers who would like to comment about this as I feel it is a very important issue.  I'm surprised no one has an issue with this or they just cannot see it, maybe.

Milbo

#3
Even not reading this post, the first thing I think is why you did not post it to the developer subboard, when you think it is important to the developers. And now I will read more than just the topic and the last post. ha :-)

Edit: Just by reading the topic, I got bolted. Yes, we just forgot it. But for the other thing. I wonder if it is actually necessary. When someone logs out the cart is deleted anyway, so I wonder how you did it.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

antonitus

Hi Milbo,

Sorry about the confusion and where to post it, I'm quite new with this Forum.

I think I made a mistake, what I meant to say about the second part (other thing), was that because there is a permissions shopper group problem, when you do a search, all shopper group products are listed (whether logged in or not), as stated in my first message.  Now when you select a product from another shopper group (because of this search problem), it allows you to add it to the cart, even though you added another from the default shopper group set in relation to logged in account and subsequently, a user can buy a product from, say, 'Shopper Group A' AND 'Shopper Group B'.  Once you log out, you're correct, it disappears from the cart, as normal.

Do you think, this shopper group permissions issue will be fixed in the next issue? Am I the only person to have spotted this as I couldn't find it anywhere  on the forum (unless I overlooked it).

Also, as I have your attention, I'd just like to say what a brilliant script this is, especially the new VM2 version, it feels more user friendly compared to VM1 and is packed full of very useful features that VM1 does not have and I just love it.  It was not smooth sailing at first and that was mainly to do with me learning how to use it again and not understanding certain things.   So really, what I wanted to say was thank you very much for your time in bringing this script to the community.  And sorry, once again, I just wanted to say that I still use VM1.1.9 because of the many plugins that yourselves and 3rd party developers have done. I'm hoping one day soon that VM2 will have many more useful plugins available like VM1.

antonitus

#5
Ah, another thing I noticed is that if you log in with one shopper group permission viewing a product in detail view and you log off, the product that was in, say Shopper Group B (previous shopper group) is still shown in the details page even in another shopper group, say, Shopper Group A.  Obviously this shouldn't occur in a logical manner.  I then added this product into the cart and logged in under a shopper group that doesn't have permission to view this product.  It then allowed me to proceed all the way to payment section and then to PayPal as if I was buying it.  I know this situation may not exist in the real world, however  it might occur for some strange reason, like when someone searches all products (if this part is not fixed).  Just thought I'd let you know the scenario for you to test.

Milbo

Hmmm, with neither the Joomla nor the VirtueMart search am I able to see a product for another shoppergroup.

But I was able to find the product when I know the id, even though I am not in the right shoppergroup. I have now added a check, but atm it gives back 404.

The question is whether it is desired that search engines just get a 404.
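
The problem discussed in this thread is a group check that exists on the listing path but not on the direct-URL or cart paths. The following is an added sketch, not VirtueMart's code and not part of any post, that routes search, product detail, add-to-cart and cart revalidation through one predicate; the `groups` field, the function names, the sample catalog and the rule that an empty group list means "visible to everyone" are all assumptions made for illustration.

```php
<?php
// Constructed sample catalog: the same item listed once per shopper group.
// 'groups' is a hypothetical field; an empty list means visible to all groups.
$catalog = [
    101 => ['name' => 'Hive (retail)',    'price' => 120.0, 'groups' => ['A']],
    102 => ['name' => 'Hive (wholesale)', 'price' => 80.0,  'groups' => ['B']],
    103 => ['name' => 'Smoker',           'price' => 25.0,  'groups' => []],
];

// Single authorization predicate shared by every entry point.
function canSee(array $product, array $userGroups): bool {
    return $product['groups'] === []
        || array_intersect($product['groups'], $userGroups) !== [];
}

// Listing/search path: results are filtered by group, not only by keyword.
function search(array $catalog, string $keyword, array $userGroups): array {
    return array_filter($catalog, fn(array $p): bool =>
        stripos($p['name'], $keyword) !== false && canSee($p, $userGroups));
}

// Detail path (direct URL with a known id): null means "respond 404",
// the same answer for a missing id and for one the user may not see.
function getProduct(array $catalog, int $id, array $userGroups): ?array {
    $p = $catalog[$id] ?? null;
    return ($p !== null && canSee($p, $userGroups)) ? $p : null;
}

// Cart path: ids the current groups cannot see are refused.
function addToCart(array $cart, array $catalog, int $id, array $userGroups): array {
    if (getProduct($catalog, $id, $userGroups) !== null) {
        $cart[$id] = ($cart[$id] ?? 0) + 1;
    }
    return $cart;
}

// Run after login (the groups may have changed) and again before payment.
function revalidateCart(array $cart, array $catalog, array $userGroups): array {
    return array_filter($cart, fn(int $id): bool =>
        getProduct($catalog, $id, $userGroups) !== null, ARRAY_FILTER_USE_KEY);
}

$cart = addToCart([], $catalog, 102, ['A']);    // group A tries the wholesale id directly
$cart = addToCart($cart, $catalog, 101, ['A']); // group A adds its own product
var_dump(array_keys(search($catalog, 'hive', ['A'])));
var_dump(getProduct($catalog, 102, ['A']));
var_dump(array_keys(revalidateCart($cart, $catalog, ['B']))); // same cart after logging in as group B
```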

antonitus

#7
I was just about to let you know that if you do know, say Shopper Group A's product URL and you're logged in as Shopper Group B, then you will be able to see Shopper Group A's product and will allow you to add it to the cart. My eyes popped out, well not literally, ... nearly though.

As for the search part, I used this direct URL in any logged in shopper group to view all searches, that contained, for example, "Hive":

index.php/shop/search?keyword=hive&limitstart=0&option=com_virtuemart&view=category

This was my test as I have now removed all forms of searching for now.

Milbo, I'm glad you found an issue with this.  A 404 error would be better than it is now.

=======

P.S. I've attached a screenshot of being logged in Shopper Group A products.  You can see that I can add a Shopper Group B product if I know URL and when I do search or add above search URL.  You can see the price difference which could be dangerous.


Milbo

Please use the svn and download the latest product model. Furthermore please use the latest version 2.0.7a

antonitus

#9
Milbo, well done, you fixed the shopper group issue and it seems to work nearly perfectly.  I tried both VM Search and Joomla Search modules and it outputs a 404 error which is good.  The VM Search only shows the products in each shopper group which is perfect, but the Joomla Search shows all products in all shopper group products in relation to the search field. The good thing about this is that when you click on a product from another shopper group, it returns the 404 error, once again great. It would be nice to not show those products in other shopper groups, but I suppose that is controlled by the Joomla core.

Although, I think I found another bug with this.  When I updated the script to V2.0.7b, the existing child products did not take on the characteristics of the parent product, in terms of the description and product images, i.e. they get deleted during the update process.  The 'Product Dimensions and Weight' seems to be fixed.  However, when you add a new child product, all is ok as usual, it takes on the description and product images of the parent product.

Also, I'm happy to say that the 'Categories' and 'Shopper Groups' are not deleted anymore when you save the parent product.  It's looking good so far.

Oh and once more, I did notice the new 'Notify Me' layout, however this just doesn't work as it still reports the 500 error when you try to notify a user.  I did find a fix for this from a user called seyi and it works perfectly with no more 500 errors, so this is maybe something to look into too.
The post is: http://forum.virtuemart.net/index.php?topic=101933.0.

### UPDATE ###

I didn't want to start a new topic on this as it relates to the V2.0.7b features.

I found another possible issue with parent/child product.
In the products list, when you un-publish a child product by clicking the green tick icon, it un-publishes it, which is fine, however when you get into the parent product, under the list of child products, the child parent that I unpublished does not take on un-publish characteristic, it still shows it being ticked and published.  If you save the parent product, it will then publish the child product if overlooked.  After further tests, the issue seems to lie with the list of child products in the parent product, it doesn't allow you to un-publish a child product, it kind of gets stuck to published.

Thanks,
Tony

richdean77

Is there any way to update from 2.0.6 to 2.0.7a without breaking the template's css for category view and product view? I am using a template I purchased from Monster Template and they are telling me I can't upgrade from 2.0.6 to 2.0.7a as they are incompatible?