django satchmo

Contact getting hijacked when a new account is created


In my Satchmo project, I have a nasty bug where one of the rows in the contact_contact table is getting re-allocated to a new user.

It happens if I have logged in to the store in one browser window, and then (in another new window) I create a new account by browsing to /accounts/register/. It doesn't happen if I log out first.

What happens in the db is that the original user that I was logged in as (who had his user profile all set up) "loses" his user profile. What has happened is that the 'contact' for that user no longer exists for him because it is now "pointing" at the new user, i.e. its user_id field is now pointing at the new 'id' in auth_user. The contents of the contact record get overwritten with the new user's info.

I haven't made any changes to the login code in Satchmo besides changing registration_form.html.

Is it possible that the registration form is reading some of the user information from the POST request, and taking over the contact that belongs to the former user?

I reproduced the fault, and then did a 'diff' on the database. Here is the smoking gun:

+INSERT INTO "auth_user" VALUES(138,'newuser','New','User','y@n.org',...

-INSERT INTO "contact_contact" VALUES(1,'','Old','User',2,'Customer',NULL,'1999-01-01','x@n.org','','2012-04-30');
+INSERT INTO "contact_contact" VALUES(1,'','New','User',138,'Customer',NULL,'1999-02-02','y@n.org','','2012-04-30');

You can see clearly that a) record number 1 is being re-used, and that b) it is now pointing at the new user created with id 138.

Many thanks, Thomas


Solution

  • I'm pretty sure this is a bug in Satchmo. Here's my fix:

    diff -paurb src.orig//satchmo/satchmo/apps/satchmo_store/accounts/views.py src//satchmo/satchmo/apps/satchmo_store/accounts/views.py
    --- src.orig//satchmo/satchmo/apps/satchmo_store/accounts/views.py    2012-03-30 07:42:40.000000000 +0200
    +++ src//satchmo/satchmo/apps/satchmo_store/accounts/views.py   2012-05-09 07:33:01.000000000 +0200
    @@ -194,7 +194,7 @@ def register_handle_form(request, redire
         if request.method == 'POST':
             form = RegistrationForm(request.POST)
             if form.is_valid():
    -            contact = form.save(request)
    +            contact = form.save(request,force_new=True)
    
                 # look for explicit "next"
                 next = request.POST.get('next', '')
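
Review bot: On the `form.save(request,force_new=True)` line, forcing a new contact stops the existing row from being reused, but the view still accepts a registration POST from a session that is already logged in, which is the condition the report above reproduces. Consider also checking for an authenticated `request.user` before `RegistrationForm(request.POST)` is built, and redirecting or logging that session out, so the fix does not rest on this one call site. A regression test that registers while logged in and asserts that the original contact row keeps its `user_id` would pin the behaviour. Style: add a space after the comma, `form.save(request, force_new=True)`.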