Limit, cleanup, and secure shop creation #2969
…ished in stripe plugin now
…ettings, reverting
…antSignup is enabled
…anup and secure shops/createShop Restricts shop creation to one-per-user when allowMerchantSignup is enabled, resolving #2889
I found an issue with shop creation as guest user (which I'm messaging you privately about). Then, a test is failing. Plus the minor comments I added.
return user.username; | ||
} else if (user.profile && user.profile.name) { | ||
return user.profile.name; | ||
const account = Collections.Accounts.findOne(Meteor.userId()); |
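Review bot: `Collections.Accounts.findOne(Meteor.userId())` on the last line returns undefined when no user is logged in or the account document has not reached this code yet, so test the result before reading any field from `account`.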
Do we need to first subscribe here or not?
We shouldn't need to subscribe here because we've got a global subscription for this, but it's probably worth making sure the subscription is ready.
const account = Collections.Accounts.findOne({ _id: Meteor.userId() }); | ||
const marketplaceEnabled = Reaction.marketplace && Reaction.marketplace.enabled === true; | ||
const allowMerchantSignup = Reaction.marketplace && Reaction.marketplace.allowMerchantSignup === true; | ||
const userHasShop = account.shopId !== Reaction.getPrimaryShopId(); |
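Review bot: `userHasShop` on the last line becomes true whenever `account.shopId` is missing, because undefined is never equal to the primary shop id, and the expression throws if `account` itself is undefined. Guard with `account && account.shopId` before the comparison, and add a comment stating that `shopId` points at the primary shop until the user owns a shop.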
So the user's `account.shopId` will point to the primary shop except if they own a shop (when it then points to that shop), right? Can we throw a comment here for anyone seeing it for the first time?
Good call, anywhere else that you see might need more comments?
No. Others look good
Re: the issue earlier mentioned: I was able to create a shop as the marketplace owner while logged in as guest. After the shop was created, the guest user can still click on "Become a Seller" and another shop gets created. So, we'll need to guard against non-owners creating a shop for someone else (and possibly multiple shops for a user in this case).
@impactmass I've fixed the tests (on my local at least) and have resolved the issues that you pointed out. Ready to check again.
pulling now.
Previous issues are fixed.
But there's a case where I can log in as a guest user, then run `Meteor.call("shop/createShop")` with ownerID, and doing that I can create as many shops as I want. When I then use the "Become a Seller" button to create a shop, and run the createShop manually again, it then brings the "Each user may only create one shop" error.
// Anonymous users should never be permitted to create a shop | ||
if (!hasPrimaryShopOwnerPermission && | ||
Reaction.hasPermission("anonymous", Meteor.userId(), Reaction.getPrimaryShopId())) { |
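Review bot: the condition on the last two lines rejects only callers that hold the `anonymous` permission, so a call where `Meteor.userId()` is null depends entirely on what `Reaction.hasPermission` returns for a missing user; reject a falsy `Meteor.userId()` explicitly before this test. The comment above the condition says "never" while the code exempts holders of `hasPrimaryShopOwnerPermission`, so it should also state why that exemption is there.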
A note: `Reaction.hasPermission("anonymous", Meteor.userId(), Reaction.getPrimaryShopId())` returns true for "owner" as well, per #2895
yeah, that issue is why I also check to make sure the user is not an owner.
…f shops by non-owners
…nging active shop id
@impactmass I was able to reproduce the issue you mentioned and have fixed it.
Pulling to test now
All issues earlier mentioned are now fixed.
One other thing I see (outside of the current fixes) is that the owner can invite/create a shop for an email multiple times. I think we'd like to enforce the one shop per user for all creation methods, so worth fixing here.
All looks good! 👍
hmm... one failing test though. @spencern any idea why that failed? Logs:
…accounts shopId This is necessary because this issue restricts creating a new shop to users without a shopId. When a shop is created for a user, we update the `shopId` property in their account to the new shopId
Resolves #2889
Fixes and Cleanup
`marketplace` and `allowMerchantSignup` are enabled
`allowMerchantSignup` is enabled, don't show the become a seller button if the user already has a shop.
`allowGuestSellers` setting
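
The guard discussed in this pull request (no anonymous callers, no non-owner creating a shop for someone else, one shop per user), modelled in plain JavaScript as an added example. It is not code from the PR or from Reaction Commerce: `canCreateShop`, `createShop`, the role names and the data shapes are assumptions. It goes one step beyond the PR text by applying the one-shop rule to owner-initiated creation too, as suggested in the review.

```javascript
// Added example: canCreateShop/createShop, the role names and the data
// shapes are hypothetical stand-ins, not Reaction Commerce APIs.
const PRIMARY_SHOP_ID = "primary"; // constructed sample id
const deny = (reason) => ({ allowed: false, reason });

function canCreateShop({ caller, targetUserId, accounts, marketplace }) {
  if (!caller || !caller.userId) return deny("Not logged in");
  const isOwner = caller.roles.includes("owner");
  // An owner can also match the "anonymous" role, so test ownership first.
  if (!isOwner && caller.roles.includes("anonymous")) {
    return deny("Anonymous users may not create a shop");
  }
  const target = targetUserId || caller.userId;
  if (!isOwner) {
    // Non-owners may only create a shop for themselves, and only while
    // merchant signup is switched on.
    if (target !== caller.userId) return deny("Cannot create a shop for another user");
    if (!(marketplace.enabled && marketplace.allowMerchantSignup)) {
      return deny("Merchant signup is disabled");
    }
  }
  // One shop per user on every path, owner-initiated creation included.
  // An account that owns no shop still points at the primary shop.
  const account = accounts.get(target);
  if (!account) return deny("No account for target user");
  if (account.shopId !== PRIMARY_SHOP_ID) return deny("Each user may only create one shop");
  return { allowed: true, target };
}

function createShop(request) {
  const decision = canCreateShop(request);
  if (!decision.allowed) return decision;
  const shopId = `shop-${decision.target}`;
  // Record the new shop on the account so a repeat call is rejected.
  request.accounts.get(decision.target).shopId = shopId;
  return { allowed: true, shopId };
}

// Constructed sample data: the same request sent twice.
const demoAccounts = new Map([["u1", { shopId: PRIMARY_SHOP_ID }]]);
const demoRequest = {
  caller: { userId: "u1", roles: ["guest"] },
  accounts: demoAccounts,
  marketplace: { enabled: true, allowMerchantSignup: true },
};
console.log(createShop(demoRequest), createShop(demoRequest));
```

The decision is made from the caller's identity and the stored account, never from a client-supplied flag, which is why calling the method directly gives the same result as using the button.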