
Please tell me how this happens...


Supertex


@@burt @@kymation @@Jack_mcs

 

Ok...I have a few customers that I create carts for.  So far, I just go to the database, copy their pw hash, save it, and drop the hash from my own account in its place.  Then I can log into their account as them, and create a cart.  Then I log out and replace the hash.  They then log in, and finish out the order with shipping and payment.

 

I've done this on numerous occasions for about 5 different customers.  

 

Yesterday, I did this, and the customer's order had MY discounts applied.  Also, I got the order email that he should have gotten.  I was really confused as to how this could happen, but today, when I went to the DB to look closely at the order...I see my own customer ID, yet everything else on the order was from his account.  

 

I do know that he logged in very soon after I logged out...within minutes.  I was logged in on another tab, to the admin.  Is it possible, that the session somehow carried over to his login??  Any idea what caused this?  What would happen if he was logged in and I went through the above steps?

 

I have the "create order" addon, but that creates a FINISHED order, and I need for the customer to be able to select shipping and payment, THEN complete the order.  Is there a better way to add items to a customer's cart from the admin side?

 

 

Link to comment
Share on other sites

Firstly let me say this:  "how you run your business, is your business".  From a 3rd party point of view, this procedure of changing passwords could turn out to be a real problem in terms of sanity of data.  Put bluntly, it's not something I would be recommending anyone to do such a thing.

 

You should explore a way (inside admin) to;

 

1.  select a client

2a.  view client's saved cart, and update client's saved cart if required (remove/edit already saved products, add new products)

2b.  add a cart (and contents) to a client if no saved cart exists

3.  send email to client

 

I am unsure if such an Addon already exists, and if it does, what standard of code it contains. 

There is one similar called "recover cart" or somesuch, I am not 100% sure if that allows to edit a client's cart.

Link to comment
Share on other sites

Firstly let me say this:  "how you run your business, is your business".  From a 3rd party point of view, this procedure of changing passwords could turn out to be a real problem in terms of sanity of data.  Put bluntly, it's not something I would be recommending anyone to do such a thing.

 

I could not agree more.  And this specific problem (potentially the least among many much larger ones) should be reason enough.  I won't be offering this "service" any longer, until I can find an addon to handle it.

Link to comment
Share on other sites

This does sound like a session issue. Otherwise, I agree with @@burt -- this is a high-risk process. Unfortunately I don't know of a better way to do it. It may take some custom code.

 

Regards

Jim

See my profile for a list of my addons and ways to get support.

Link to comment
Share on other sites

I could not agree more.  And this specific problem (potentially the least among many much larger ones) should be reason enough.  I won't be offering this "service" any longer, until I can find an addon to handle it.

We use master password for existing accounts and a guest checkout for new customers.

Link to comment
Share on other sites

Data Protection is also a factor to be considered.  Master Password can potentially give you access to data that you (shopowner) have no right to.  Watch out for PCI compliance, I'm looking at 10.2.2 and 10.2.5 - where an audit trail is required for those with unusual access (eg master password).

 

I reiterate...do it right and all is well.  Take shortcuts and things can go fubar quickly.

Link to comment
Share on other sites
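
The admin-side approach suggested in this thread (edit the customer's saved cart from admin and keep an audit trail of who did it, instead of logging in as the customer) can be sketched as follows. This is an added example, not code from any poster or from osCommerce: the `basket` and `admin_audit` tables, their columns, and the `adminSetCartLine` function are assumptions for illustration, and an in-memory SQLite database stands in for the shop database.

```php
<?php
declare(strict_types=1);
// Added example. Table, column and function names are assumptions for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE basket (customer_id INTEGER, product_id INTEGER, qty INTEGER,
           PRIMARY KEY (customer_id, product_id))');
$db->exec('CREATE TABLE admin_audit (id INTEGER PRIMARY KEY, at TEXT, admin_id INTEGER,
           customer_id INTEGER, action TEXT, detail TEXT)');

/**
 * Set one line of a customer's saved cart on the customer's behalf.
 * The customer's password hash and session are never touched; the cart
 * change and its audit record commit together or not at all.
 */
function adminSetCartLine(PDO $db, int $adminId, int $customerId, int $productId, int $qty): void
{
    if ($qty < 0) {
        throw new InvalidArgumentException('quantity must not be negative');
    }
    $db->beginTransaction();
    try {
        if ($qty === 0) { // quantity 0 removes the line
            $stmt = $db->prepare('DELETE FROM basket WHERE customer_id = ? AND product_id = ?');
            $stmt->execute([$customerId, $productId]);
        } else {
            $stmt = $db->prepare('INSERT OR REPLACE INTO basket (customer_id, product_id, qty)
                                  VALUES (?, ?, ?)');
            $stmt->execute([$customerId, $productId, $qty]);
        }
        $audit = $db->prepare('INSERT INTO admin_audit (at, admin_id, customer_id, action, detail)
                               VALUES (?, ?, ?, ?, ?)');
        $audit->execute([gmdate('c'), $adminId, $customerId, 'cart_set_line',
                         json_encode(['product_id' => $productId, 'qty' => $qty])]);
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack(); // no cart change without an audit row, and vice versa
        throw $e;
    }
}

// Constructed sample: admin 1 prepares a cart for customer 42, then removes one line.
adminSetCartLine($db, 1, 42, 1001, 3);
adminSetCartLine($db, 1, 42, 1002, 1);
adminSetCartLine($db, 1, 42, 1002, 0);

foreach ($db->query('SELECT admin_id, customer_id, action, detail FROM admin_audit ORDER BY id') as $row) {
    echo implode(' | ', [$row['admin_id'], $row['customer_id'], $row['action'], $row['detail']]), PHP_EOL;
}
```

Because the order is later completed under the customer's own login, the customer ID, discounts and order email all come from the customer's session, while the audit table records which admin changed the cart.
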

I guess every situation can require different needs.  In my case I'm logging in because of a phone order typically, and complete the order while they're on the phone.  I'm also given the CC over phone in which I enter it.  I use Authorize.net AIM and have for over a decade.  I don't store any cc data in any way.  I'm also the only person that has this access.  I don't exactly see a difference in doing this versus doing through the admin panel from a PCI standpoint.  Another advantage of doing this for me is I take the customer route through the site for all these orders, which I find helpful.

I'm not really a dog.

Link to comment
Share on other sites

Master password might be more of a "frontside" solution, but sounds to me like it's just an automated way of doing exactly what I was already doing...and comes with the same risk(?).  Something  I couldn't find before (the way the addon section returns results is somewhat peculiar to me) is the "populate cart" addon.  However, it was designed for 2.2, so I have no idea how well it will work with 2.3...if at all.

 

We'll soon see.

 

And not that it matters, but I don't allow the entry of financial data on the site at all.  That's all handled at PayPal.  So there's no data within the customer account or the DB, that isn't already visible in the admin, or on orders.  Regardless, I will no longer make use of this practice - even sparingly.

Link to comment
Share on other sites

Doesn't order editor/create order allow you to do all this without having to use the customer password?  I know one of the contributions handles it and I think that's the name of it...we use it all the time to handle phone orders or local customers who want to pick up.  If you can't find it let me know and I'll have a closer look at the module we use.

 

Dan

Link to comment
Share on other sites

Hi Dan.  I actually have Order edit/create installed.  However, it creates a completed order with no options for paying out.  I -could- compile a PP 'bill' to send to my customers, but that addon also has some issues with the OT Quantity Discount module, which I rely heavily upon.  I haven't had time to try and iron out the discount module compatibility, but since the editor only created 'completed' orders, I really haven't seen much point.  Actually, at this point, I would have uninstalled it, but that lil dude is weaved in there deep enough that I just decided to leave it alone.

 

So far, I have the Populate Cart addon adapted to 2.3 and working - for the most part.  I haven't looked at the 'products with attributes' section of it yet, but from what I see so far, it does -exactly- what I need, and all from the admin.  Changes can even be made to the cart while the customer is logged in - they just have to log out-in to see it.

 

:)

Link to comment
Share on other sites

@@Supertex

 

Hummm....not sure what you mean Shawn...the version we use allows you to edit the order too so you can add or change items etc.  We don't usually start an order and then let the customer login to complete it so maybe that's where the difference lies.

 

Dan

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
