Problems handling user info

Started by Iker, June 18, 2008, 05:22:15 pm


Iker

Hi,

I discovered some behaviour of Konakart that rather appears to be due to some bug:

1. If a user session is not terminated by performing a logout, then a different user logging in on the login page will inherit info of the previous user (basically, user is not refreshed after login). I consider this a serious issue regarding privacy!

2. In some cases we want to store different delivery/billing user info in the order, but not store it as a new customer or address. So I made some customization to update the user info in the order; however, these modifications are not reflected in the checkout confirmation page (but they do get saved in the DB), mostly because, I guess, the getFormattedAddress method doesn't use the customer info from the order, but is hardwired to collect user info from the user object and the user's primary address. This behaviour seems to block some customization (I could display the correct data on the checkout conf. page, but lost the formatting).

I hope this info helps to make Konakart an even better product. ;)

julie

Quote
1. If a user session is not terminated by performing a logout, then a different user logging in on the login page will inherit info of the previous user (basically, user is not refreshed after login). I consider this a serious issue regarding privacy!


Could you be a bit more specific about which data is inherited? Also, could you check whether the problem you are seeing is in the latest version of KonaKart (i.e. our online demo).

Quote
2. In some cases we want to store different delivery/billing user info in the order, but not store it as a new customer or address. So I made some customization to update the user info in the order; however, these modifications are not reflected in the checkout confirmation page (but they do get saved in the DB), mostly because, I guess, the getFormattedAddress method doesn't use the customer info from the order, but is hardwired to collect user info from the user object and the user's primary address. This behaviour seems to block some customization (I could display the correct data on the checkout conf. page, but lost the formatting).


KonaKart allows you to have many addresses for each customer so if you use the standard mechanism, the formatting will be done for you. Otherwise you can always do your own formatting. You'll find the templates in the address_format table. Each country can have a different template. If one isn't defined then a default template is used.

Iker

1. Everything (the user's identity) is inherited, so if user abc logs in, does something, doesn't log out, and only navigates to the login page, then user xyz logs in (enters his own credentials), then xyz will see all the orders of abc and not those of xyz; if he attempts to make a new order, it will be recorded under user abc, etc.
This was tested in 2.2.4 and 2.2.6 and both mishandle the case.

2. My problem is that the data for the formatted address is not taken from the order object (where it was already populated at the beginning of the checkout process), but again from the customer and address objects, so all the modifications done to the order object are not visible on the UI, only in the DB.

julie

Quote
1. Everything (the user's identity) is inherited, so if user abc logs in, does something, doesn't log out, and only navigates to the login page, then user xyz logs in (enters his own credentials), then xyz will see all the orders of abc and not those of xyz; if he attempts to make a new order, it will be recorded under user abc, etc.
This was tested in 2.2.4 and 2.2.6 and both mishandle the case.


How do you manage to get to the Login page when a user is already logged in? With our online application, if the user is already logged in, http://www.konakart.com/konakart/LogIn.do takes him to the "My Account" page.

Iker

We want the users to log in at the beginning, so the welcome page redirects to login.

But I think you are missing the point: IMHO with every login the user object should be repopulated according to the credentials presented.

julie

Quote
We want the users to log in at the beginning, so the welcome page redirects to login.

But I think you are missing the point: IMHO with every login the user object should be repopulated according to the credentials presented.


I think that you are missing the point. The welcome page shouldn't redirect to login if the user is already logged in. If you really want to do that (I can't understand why) then you should at least log out the current user in the struts action before logging in the other one.
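One way to do what julie describes, as an added example that is not KonaKart's code or anything posted in this thread: a Struts 1 login action that discards any existing session before binding the newly authenticated customer, so a second login on the same browser can never inherit the first user's identity, basket or cached orders. The `CustomerService` interface, the `customerService` servlet-context attribute, the `customer` session attribute and the `email`/`password` request parameters are assumptions made for the example.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Assumed (not KonaKart API): resolves credentials to a customer object, or null. */
interface CustomerService {
    Object authenticate(String email, String password);
}

public class SafeLoginAction extends Action {
    static final String CUSTOMER_ATTR = "customer";        // assumed session key
    static final String SERVICE_ATTR = "customerService";  // assumed context key

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        CustomerService customers =
            (CustomerService) getServlet().getServletContext().getAttribute(SERVICE_ATTR);
        Object customer = customers.authenticate(
            request.getParameter("email"), request.getParameter("password"));
        if (customer == null) {
            // Failed login: leave the session untouched, show the form again.
            return mapping.findForward("loginFailed");
        }
        bindAuthenticatedCustomer(request, customer);
        return mapping.findForward("myAccount");
    }

    /**
     * Throw away whatever the previous visitor left in the session before
     * storing the new identity. invalidate() drops every attribute, and the
     * container issues a new session id for the session created afterwards,
     * so the freshly logged-in user does not continue under an id that was
     * handed out before they authenticated.
     */
    static void bindAuthenticatedCustomer(HttpServletRequest request, Object customer) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(CUSTOMER_ATTR, customer);
    }
}
```

Any request-scoped state the store keeps outside the session (for example a cached customer object on a controller bean) needs the same reset, otherwise the "My Account" page can still show the previous user's orders.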