Guest cart API ignoring cartId in url for some methods #14086
Comments
@midlan, thank you for your report.
I've created a PR for this issue. Investigating this a little further I found a related issue for the normal cart API. In the case /V1/carts/mine/items is used it allows adding/editing items to a quote different than the actual customer quote.
For /V1/carts/mine/items and /V1/carts/mine/items the quoteId from the quote item is used. For guest cart this is confusing as it makes the cartId in the URL useless. For logged in carts it makes it unsafe as it allows adding products to any active cart. Relates to: magento#14086
Hi @engcom-Bravo. Thank you for working on this issue.
✅ Confirmed by @engcom-Bravo Issue Available: @engcom-Bravo, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.
Hi @engcom-Charlie. Thank you for working on this issue.
Hi @midlan. Thank you for your report.
The fix will be available with the upcoming 2.4.0 release.
Preconditions
Steps to reproduce
I am following the API documentation to create a guest cart and add an item to it:
1. POST https://yourdomain/rest/default/V1/guest-carts (with empty body) creates a cart for you and returns the cartId in the body
2. GET https://yourdomain/rest/default/V1/guest-carts/:cartId to check your cart is created
3. POST https://yourdomain/rest/default/V1/guest-carts/:cartId/items with body to add item to your cart, but error is returned instead of adding cart to item
Expected result
In step 3, I was expecting the added item to be returned. Instead, an error is returned.
Actual result
Further research
I discovered: if you send the cartId in the quote_id field in the body at step 3, the method would work. So the body would be:
And the result is a cart item, no error. The cartId in the URL is completely ignored. If you send a request with some dummy string instead of the cartId in the URL (with the body containing the quote_id field), it actually works.
So request like
POST https://yourdomain/rest/default/V1/guest-carts/some_dummy_string_insetead_of_cartId/items
works. But it should not! And the mandatory quote_id in body is also wrong I think. The only cartId needed to add the item to the cart should be the one from URL (which is not used at all at the moment).
The same problem is present on other methods in guest-cart.
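The behaviour reported above, next to a handler that takes the cart only from the URL, as an added example that is not part of the original report and is not Magento code. The handler names, the cart IDs and the flat body shape (sku, qty, quote_id) are constructed for illustration.

```python
# Added illustration; a constructed model, not Magento code.
class CartError(Exception):
    """Raised when a request cannot be tied to a guest cart."""


# Constructed sample data: URL cartId -> internal cart key.
CART_IDS = {"cart-aaa": 1, "cart-bbb": 2}


def new_store():
    """Fresh, empty item list for every known cart."""
    return {key: [] for key in CART_IDS.values()}


def add_item_trusting_body(store, url_cart_id, body):
    """Behaviour from the report: only quote_id in the body selects the cart."""
    key = CART_IDS.get(body.get("quote_id"))
    if key is None:
        raise CartError("no such cart")
    store[key].append((body["sku"], body["qty"]))
    return key  # url_cart_id was never consulted


def add_item_bound_to_url(store, url_cart_id, body):
    """Hardened form: the URL cartId is the only thing that selects the cart."""
    key = CART_IDS.get(url_cart_id)
    if key is None:
        raise CartError("no such cart")
    claimed = body.get("quote_id")
    if claimed is not None and claimed != url_cart_id:
        raise CartError("quote_id in body does not match cartId in URL")
    store[key].append((body["sku"], body["qty"]))
    return key


def is_rejected(handler, url_cart_id, body):
    """True if the handler refuses the request with CartError."""
    try:
        handler(new_store(), url_cart_id, body)
    except CartError:
        return True
    return False


if __name__ == "__main__":
    item = {"sku": "SKU-1", "qty": 1, "quote_id": "cart-bbb"}
    print("body-trusting handler rejects dummy URL:", is_rejected(add_item_trusting_body, "dummy", item))
    print("URL-bound handler rejects dummy URL:", is_rejected(add_item_bound_to_url, "dummy", item))
```

The same pair of requests (a dummy URL segment with a valid quote_id, and a valid URL with no quote_id) makes a compact regression check for any endpoint that carries the cart identifier in both places.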