judy at Web2Market  
#1 Posted : Thursday, November 9, 2023 8:12:35 AM(UTC)
We have a 9.0.6 site where product descriptions have been disappearing and I have put in logging in about 45 places to figure out where it is happening and who is doing it.
On the first day of logging, we had a description disappear via an edit via CMS store side and the username was an anonymous guid- the user id was one that bots use.
Is there any constraint on saving edits from store side other than hiding the sections that can be edited? I'm wondering if maybe they somehow were able to bypass the code that saves the edited portion.
I looked at the user in the pageviews and it was a post on the page with useragent of Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36

Katie S  
#2 Posted : Thursday, November 9, 2023 3:00:36 PM(UTC)
Hi Judy,

Thanks for bringing this to our attention. About 2 months ago, this happened to a client of ours as well. There were about a dozen product descriptions just missing. I never could figure it out and it happened just one time with one client so I never looked into it further.

I have alerted the dev team. This is obviously serious, and I thank you for providing this information.

Thanks for your support!

Katie
Secure eCommerce Software and Hosting
shaharyar  
#3 Posted : Friday, November 10, 2023 4:02:36 AM(UTC)
Hi Judy,

Quote:
I looked at the user in the pageviews and it was a post on the page with useragent of Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36


Can you please share the URL of the page on which you suspect the post request was sent?
judy at Web2Market  
#4 Posted : Friday, November 10, 2023 7:04:40 AM(UTC)
Well, I'm glad in a way that it wasn't just me. I almost didn't post this because I thought I wouldn't be believed.

Here is the entry from pageview table. I have taken the cms widget off the front side of the store so you can't test or anything.
[Attachment: 2023-11-08_16-06-08.png]

I don't really want to post the url of the site in case it is picked up by someone who wants to hack it.
Here is the log entry (part of description omitted)
Debug: No description for ProductId: 7366 edited by d3f8eb21-c7de-48a3-954a-5bfd14e6d4c1 on 11/8/2023 8:53:35 PM. Old description was <h2>10-Inch Network Display with Active Imaging HD Sonar!</h2>
<p><b> “See more and catch more” with Lowrance’s HDS PRO!... Edited via CMS Edit Description
Here is where I put in the code

[HttpPost]
public ActionResult ProductDescription(ProductDescriptionModel model)
{
    var product = _productRepo.Load(model.ProductId);
    //jme 110723 log and email missing description
    string oldDescription = product.Description;
    string newDescription = "";
    string username = AbleContext.Current.User.UserName;
    string context = "CMS Edit Description";
    product.Description = model.EditableData;
    _productRepo.Save(product);
    newDescription = product.Description;
    if (string.IsNullOrEmpty(newDescription) && !string.IsNullOrEmpty(oldDescription))
    {
        W2M_ProductHelper.LogMissingDescription(product, username, oldDescription, context);
        W2M_ProductHelper.SendMissingDescriptionEmail(product.Id, username, oldDescription, context);
    }
    return Json(new { Successful = true, ContentId = product.Id });
}
judy at Web2Market  
#5 Posted : Wednesday, November 15, 2023 6:52:07 AM(UTC)
Even though I had taken the CMS layout widget out of the baselayout, someone was still able to delete the description. Maybe the page was cached somewhere. Anyway, yesterday I commented out the guts of the method above so that no product changes were saved and we haven't got any new anonymous edits since then. I'm hoping that fixed it for once and all.
shaharyar  
#6 Posted : Wednesday, November 15, 2023 7:01:54 AM(UTC)
Hi Judy,

Sorry about the problems related to the description being edited anonymously. Please follow the steps to fix the issue.

1- Open file \Website\Controllers\ProductController.cs
2- Search for
Code:
[HttpPost]
public ActionResult ProductDescription(ProductDescriptionModel model)

3- Replace with
Code:
[AbleAuthorize(Roles = "System,Admin,Manage Catalog")]
[HttpPost]
public ActionResult ProductDescription(ProductDescriptionModel model)

4- Compile the code


Regards
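
Added example, not part of the thread and not AbleCommerce code: a small Python audit that scans controller source for other [HttpPost] actions missing an authorization attribute, the same gap the fix above closes for ProductDescription. The sample controllers, the ProductSummary and Save actions, and the function name are constructed for illustration.

```python
import re

# Access-control attributes: AbleAuthorize (the fix above) and stock MVC Authorize.
AUTH_ATTRS = {"AbleAuthorize", "Authorize"}
ATTR_NAME = re.compile(r"(?:\[|,)\s*(\w+)")
ACTION = re.compile(r"\bpublic\s+(?:async\s+)?[\w<>\[\], .]+?\s+(\w+)\s*\(")
CLASS = re.compile(r"\bclass\s+(\w+)")

def unprotected_post_actions(source):
    """Return 'Controller.Action' for every [HttpPost] action that has no
    auth attribute on the action itself or on its controller class."""
    findings, pending, controller, class_protected = [], set(), "?", False
    for raw in source.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Drop attribute arguments so commas inside Roles="..." are ignored.
            pending.update(ATTR_NAME.findall(re.sub(r"\([^)]*\)", "", line)))
        elif (m := CLASS.search(line)):
            controller, class_protected, pending = m.group(1), bool(pending & AUTH_ATTRS), set()
        elif (m := ACTION.search(line)):
            if "HttpPost" in pending and not class_protected and not pending & AUTH_ATTRS:
                findings.append(f"{controller}.{m.group(1)}")
            pending = set()
        elif line and not line.startswith("//"):
            pending = set()  # any other code line ends an attribute run
    return findings

# Constructed sample, not AbleCommerce source: the first action mirrors the
# unprotected signature quoted in the thread, the second the patched form.
SAMPLE = '''
public class ProductController : Controller
{
    [HttpPost]
    public ActionResult ProductDescription(ProductDescriptionModel model) { }
    [AbleAuthorize(Roles = "System,Admin,Manage Catalog")]
    [HttpPost]
    public ActionResult ProductSummary(ProductDescriptionModel model) { }
    public ActionResult Index(int id) { }
}
[AbleAuthorize(Roles = "System,Admin")]
public class AdminCatalogController : Controller
{
    [HttpPost]
    public ActionResult Save(ProductDescriptionModel model) { }
}
'''

if __name__ == "__main__":
    print(unprotected_post_actions(SAMPLE))
```

This is a line-based heuristic: it does not see authorization inherited from a base controller or applied through a global filter, so treat each finding as an action to review by hand.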
Katie S  
#7 Posted : Thursday, November 16, 2023 2:10:18 PM(UTC)
Hi Judy,

We're working on patches. I'll get you one for 9.0.6 as soon as possible.

Thanks for your support!

Katie