Possible To Purchase Non-Available Products

[jakemumu]

Users may add non-available products to cart and purchase them.

Solidus Version:

I'm on 2.11.10 but I checked master and the issue is still there.

To Reproduce

Step 1: Go to an add to cart form
Step 2: Open HTML & Edit the Cart Form Variant ID
Step 3: Add to cart

Current behavior

If the ID is for an unavailable product, it Is still added to cart and able to be purchased.

Expected behavior

Unavailable product should display a flash warning and redirect_back

[kennyadsl]

I think you are right, seems to be currently only related to some presentation logic. Maybe we can make this more clear in the guides?

[jakemumu]

That's an alright solution however my products are digital and don't have stock items, and are marked as so in the backend, so they're able to be added with no stock items.

The first date the product becomes available for sale online in your shop <- just going by the docs, it's not true because these products are available for sale before the date, they're just not in the lists.

In my opinion this is a bug & a security / confidentiality flaw, we've had customers find and ask us about unreleased products through it.

Definitely okay either way, I'd hate to add more to the configurations but, allow_unavailable_products_in_cart seems like it would be a good flag here.

If we came a consensus I'd be happy to try to patch whatever our decision is here as my first solidus contrib : )

[kennyadsl]

Maybe it's just a matter of making the AvailabilityValidator more configurable. So that here, it will use a configurable class (like Spree::Config.line_item_availability_validator_class) instead of that one directly.

This way anyone can easily inherit from the default and add whatever they think makes more sense for their business.

Keep in mind that this class runs at the end of the checkout process, so it would allow to add things to cart but won't allow to complete the order.

[jakemumu]

Ohh wow I had never see that class -- that does seem like a clean solution however it would only makes sense if it ran as part of the populate function in the order frontend controller -- what if we added a call to this there?

[kennyadsl]

This discussion reminded me about something and I found this other issue: #2154 (comment).

We've been stuck there but I think there's an easy fix suggested in the comment I linked. Do you think we should provide something out of the box for this? Maybe adding some line of documentation in the guide could be enough?

[jakemumu]

I think that adding validates_with Spree::Stock::AvailabilityValidator, if: { !order.completed? } to the LineItem out of the box would be the expected behavior.

At least for my case -- this isn't so much about changing frontend behavior or functionality -- but rather securing the shop from allowing users to "hack" their way into adding hidden products to the cart.

[jakemumu]

Let me take another look at the populate function this afternoon and have a think about any other approaches. I think adding something to the docs would be helpful -- but also I think generally -- supporting Solidus as a well documented engine which prefers configurations over overrides makes sense, just because for lesser experienced engineers, it's kind of the only approach which makes Solidus useable.