1

Currently we have the problem, that users can buy/put products in the cart that they should not, because we have a function which is listening to the event checkout_cart_product_add_after. This Event is for example triggerd, if you try to add a product to the cart from the product detail page, or via URL (https://www.foobar.de/checkout/cart/add/product/1337/form_key/adsfXXddeee/).

Do you have a idea how the users can do this? Is this a known Magento bug?

PHP 5.6.x M1.9.2.4

Improve this question

1 Answer 1

Reset to default
1

What I can think of:

  • added as related product. It might even be possible to get any product added as related product if the id is known, I'm not sure how they are validated
  • if the product was buyable before: reorder from customer account or login as customer with saved cart
Improve this answer
2
  • > added as related product. It might even be possible to get any > productadded as related product if the id is known, I'm not sure how they > are validated How would you do this, if related products are not available? > if the product was buyable before: reorder from customer account or > login as customer with saved cart This was not the case. The current plan is to use also the event sales_order_save_before and remove the product from the quote in this event, but if feels like a hack... Commented Mar 25, 2016 at 18:37
  • You can probably manipulate an add to cart POST request to contain related_products[]=42 to add the product with id 42 together with the current one Commented Mar 25, 2016 at 19:49

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.