Issue #1416 resolved

Contact getting hijacked when a new account is created

Anonymous created an issue

I have a nasty bug where one of the rows in the contact_contact table is getting re-allocated to a new user.

It happens if I have logged in to the store in one browser window, and then (in another new window) I create a new account by browsing to /accounts/register/. It doesn't happen if I log out first.

What happens in the db is that the original user that I was logged in as (who had his user profile all set up) "loses" his user profile. What has happened is that the 'contact' for that user no longer exists for him because it is now "pointing" at the new user, i.e. its user_id field is now pointing at the new 'id' in auth_user.

I haven't made any changes to the login code in Satchmo besides changing registration_form.html.

Is it possible that the registration form is reading some of the user information from the POST request, and taking over the contact that belongs to the former user?

I reproduced the fault, and then did a 'diff' on the database. Here is the smoking gun:

+INSERT INTO "auth_user" VALUES(138,'newuser','New','User','y@n.org',...

-INSERT INTO "contact_contact" VALUES(1,'','Old','User',2,'Customer',NULL,'1999-01-01','x@n.org','','2012-04-30'); +INSERT INTO "contact_contact" VALUES(1,'','New','User',138,'Customer',NULL,'1999-02-02','y@n.org','','2012-04-30');

You can see clearly that a) record number 1 is being re-used, and that b) it is now pointing at the new user created with id 138.

I'm pretty sure this is a bug in Satchmo. Here's my fix:

{{{
#!python

diff -paurb src.orig//satchmo/satchmo/apps/satchmo_store/accounts/views.py src//satchmo/satchmo/apps/satchmo_store/accounts/views.py --- src.orig//satchmo/satchmo/apps/satchmo_store/accounts/views.py 2012-03-30 07:42:40.000000000 +0200 +++ src//satchmo/satchmo/apps/satchmo_store/accounts/views.py 2012-05-09 07:33:01.000000000 +0200 @@ -194,7 +194,7 @@ def register_handle_form(request, redire if request.method == 'POST': form = RegistrationForm(request.POST) if form.is_valid(): - contact = form.save(request) + contact = form.save(request,force_new=True)

         # look for explicit "next"
         next = request.POST.get('next', '')

}}}
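
Review bot: In `register_handle_form`, `force_new=True` is passed at this one call site only, so any other caller of `form.save(request)` that omits the flag would still get the behaviour reported above, where the contact row tied to the already logged-in session is reassigned to the new user. Consider enforcing this inside the save path itself (never rebind an existing contact to a different user), or having the view check for an authenticated session before registering, and add a regression test that registers a new account while another user is logged in and asserts that the original contact_contact row keeps its user_id. Style: add a space after the comma, `form.save(request, force_new=True)`.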
