Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor angelleye

    (@angelleye)

    I have responded to your ticket.

    For others that may see this, the issue involves inventory control and handling backorders, so it’s important (for those using those features) but I wouldn’t necessarily call it a security bug.

    It’s simply that if two people are purchasing the same items at the same time, there’s a chance both orders could be placed even if there wouldn’t be enough inventory to fill both orders.

    That has to do with how Express Checkout works to skip the Woo checkout pages. We’ll make some adjustments to get this resolved in our 1.2.0 update.
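
The race described in the reply above, as an added example that is not part of the original thread and is not the plugin's code or its 1.2.0 fix. The SQLite tables, function names and buyers are hypothetical, the two concurrent sessions are simulated by interleaving their steps in one process, and backorders are not modelled.

```python
import sqlite3

def make_db(stock):
    # Constructed sample data: one product with limited stock.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, stock INTEGER NOT NULL)")
    db.execute("CREATE TABLE orders (buyer TEXT, product_id INTEGER, qty INTEGER)")
    db.execute("INSERT INTO product VALUES (1, ?)", (stock,))
    db.commit()
    return db

def read_stock(db):
    return db.execute("SELECT stock FROM product WHERE id = 1").fetchone()[0]

def racy_checkout(db, buyers, qty=1):
    """Check-then-act: every session checks stock before any order is written."""
    # Step 1: all sessions pass the stock check while payment is still pending.
    seen = {b: read_stock(db) for b in buyers}
    placed = []
    # Step 2: each session completes using the stale value it read earlier.
    for b in buyers:
        if seen[b] >= qty:
            db.execute("UPDATE product SET stock = ? WHERE id = 1", (seen[b] - qty,))
            db.execute("INSERT INTO orders VALUES (?, 1, ?)", (b, qty))
            placed.append(b)
    db.commit()
    return placed

def atomic_checkout(db, buyers, qty=1):
    """Reserve stock with one conditional UPDATE; the affected row count decides."""
    placed = []
    for b in buyers:
        cur = db.execute(
            "UPDATE product SET stock = stock - ? WHERE id = 1 AND stock >= ?",
            (qty, qty))
        if cur.rowcount == 1:  # stock was reserved for this buyer
            db.execute("INSERT INTO orders VALUES (?, 1, ?)", (b, qty))
            placed.append(b)
        db.commit()
    return placed

if __name__ == "__main__":
    for fn in (racy_checkout, atomic_checkout):
        db = make_db(stock=1)
        print(fn.__name__, fn(db, ["alice", "bob"]), "stock left:", read_stock(db))
```

With one unit in stock, the check-then-act version records two orders, while the conditional update records one and rejects the second buyer.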

    Thread Starter alanmillo

    (@alanmillo)

    Thanks for your response,

    You are right, it might not be a security bug as it doesn’t compromise the application as such. A more fair classification would be a “reputational bug”?

    Given users might be able to place orders without having enough inventory, it will require the site owner to contact those users and potentially cancel their orders, having at the end of the day some unsatisfied customers. It will as well cost website owners some money, as PayPal transactions are not refund free (or at least PayPal free model is not).

    I will check if I can manage to find a quick implementation for such a feature and will make a Git pull request.

    Cheers,
    Alan

    Plugin Contributor angelleye

    (@angelleye)

    That would be great, thanks!


The topic ‘Bug, race condition on order placement’ is closed to new replies.