Uploaded by virusansh

The document outlines critical problems in a software application, including issues with overselling items, mixed user and business logins, and missing key columns in the orders table. It also highlights privacy concerns with order visibility, authorization issues for business products, and the ability for suspended accounts to log in. Suggested fixes include implementing database transactions, expanding authentication modules, and adding necessary validations and checks throughout the codebase.

Critical Problems

1. Overselling When Everyone Orders at Once

Where to look: app/services/order_service.rb
What’s happening: When two people check out the same item at the exact same moment, our code first reads the stock and then writes it back. Because those happen in separate steps, both users can slip through and buy more than we have.
Why it matters: We sell products we don’t have and then have to cancel the orders later, which is a poor customer experience.
Fix: Wrap everything in a single database transaction and use a single atomic update:
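The race above and the atomic alternative, as an added example that is not code from the reviewed project. The Inventory class is a constructed in-memory stand-in for the products row; its Mutex plays the role of the database's row-level atomicity, and the comment shows the ActiveRecord shape the fix takes (a conditional update_all whose returned row count says whether the sale went through).

```ruby
# Added example (not from the reviewed codebase): an in-memory stand-in for a
# products row that contrasts the read-then-write decrement with an atomic,
# conditional one. In Rails the atomic form is the equivalent of
#   Product.where(id: id).where("stock >= ?", qty).update_all(["stock = stock - ?", qty])
# run inside a transaction; a return value of 0 rows means "sold out, refuse".
class Inventory
  attr_reader :stock

  def initialize(stock)
    @stock = stock
    @lock = Mutex.new # stands in for the database's row-level atomicity
  end

  # Step one of the racy pattern: SELECT stock FROM products WHERE id = ?
  def read_stock
    @stock
  end

  # Step two of the racy pattern: UPDATE products SET stock = ? WHERE id = ?
  def write_stock(value)
    @stock = value
  end

  # Atomic pattern: the check and the decrement are one indivisible step, so a
  # concurrent caller can never act on a stale value observed in between.
  def decrement_if_available(qty)
    @lock.synchronize do
      return false if @stock < qty
      @stock -= qty
      true
    end
  end
end

# Two checkouts that interleave in the worst possible order: both read before
# either writes. Returns the number of orders that went through.
def racy_checkouts(inventory, qty)
  seen_by_a = inventory.read_stock
  seen_by_b = inventory.read_stock
  sold = 0
  [seen_by_a, seen_by_b].each do |seen|
    next if seen < qty
    inventory.write_stock(seen - qty) # each writes back its own stale answer
    sold += 1
  end
  sold
end

# The same contention against the atomic decrement, this time with real threads.
def atomic_checkouts(inventory, qty, buyers)
  sold = 0
  counter_lock = Mutex.new
  threads = Array.new(buyers) do
    Thread.new do
      if inventory.decrement_if_available(qty)
        counter_lock.synchronize { sold += 1 }
      end
    end
  end
  threads.each(&:join)
  sold
end

if __FILE__ == $0
  racy = Inventory.new(1)
  puts "racy: sold #{racy_checkouts(racy, 1)} of 1 unit, stock now #{racy.stock}"
  safe = Inventory.new(3)
  puts "atomic: sold #{atomic_checkouts(safe, 1, 10)} of 3 units, stock now #{safe.stock}"
end
```

With one unit in stock the racy path sells two; with three units and ten simultaneous buyers the atomic path sells exactly three, whatever order the threads run in.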

2. Mixed-up User vs. Business Logins

Where to look: app/controllers/concerns/[Link] and ApplicationController
What’s happening: We built an “Authenticable” module that only checks for users, but our main controller also needs to accept businesses. The result? Businesses get locked out of endpoints they should be able to use.
Fix Idea: Expand it to decode and set either @current_user or @current_business, or remove the redundant module and let ApplicationController handle both cleanly.

3. Missing Key Columns in Orders Table

Where to look: db/migrate/20240101000002_create_orders.rb

What’s happening: Our orders table only has total_amount and timestamps: no user_id, no status, no foreign keys.

This one is not really in the backend itself; it's more in the seeding of the databases, but I still included it just in case.
Why it matters: We can’t link orders back to customers, can’t distinguish new vs. shipped vs. canceled, and risk orphaned records.

Quick Fix: Add a migration for

4. Anyone Can See or Cancel Anyone Else’s Order

Where to look: OrdersController#set_order
What’s happening: We do [Link](params[:id]) without limiting it to the logged-in user.
Why it matters: Privacy issue: user A can see or cancel user B’s order.
Fix:

5. Business Product Authorization Missing

Where to look: ProductsController#set_product
What’s happening: Similar to the last issue, [Link](id) opens the door for any authenticated business to touch any product.
Fix: Similar fix to the last one; we can just do
@product = current_business.[Link](params[:id])

6. Suspended Accounts Still Logging In

Where to look: AuthController#login & BusinessAuthController#login
What’s happening: We check the password but never check [Link]? or [Link]?
Why it matters: Suspended or deactivated accounts can keep using the API.
Fix:

7. Partial Orders When Stock Runs Out Mid-way

Where to look: OrderService#process_order_items

What’s happening: We build items one by one and reduce stock as we go, so if an early item succeeds and a later one fails, you get half an order in the DB.
Fix Idea: Validate all items first, then open a transaction that builds them and updates stock in one go.
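The validate-then-transact shape, as an added example that is not the project's OrderService. Stock is a constructed Hash standing in for the products table, and the transaction is simulated with a snapshot that is restored on any exception, which is what a database ROLLBACK provides. The validation phase also rejects the negative quantities mentioned under the smaller issues below.

```ruby
# Added example (not the project's OrderService): validate every line first,
# then apply all stock changes and the order insert inside one transaction that
# rolls back entirely on failure. Stock is a plain Hash standing in for the
# products table; the transaction is simulated with snapshot/restore.
class OrderError < StandardError; end

class OrderProcessor
  attr_reader :stock, :orders

  def initialize(stock)
    @stock = stock  # { product_id => units on hand }
    @orders = []    # "rows" of the orders table
  end

  # Phase 1: reject the whole order before touching any state. This is also
  # where negative or non-integer quantities are thrown out.
  def validate!(items)
    raise OrderError, "order has no items" if items.empty?
    items.each do |item|
      id, qty = item.values_at(:product_id, :quantity)
      raise OrderError, "unknown product #{id}" unless @stock.key?(id)
      raise OrderError, "quantity must be a positive integer" unless qty.is_a?(Integer) && qty > 0
      raise OrderError, "insufficient stock for #{id}" if @stock[id] < qty
    end
  end

  # Phase 2: all writes happen inside one transaction. If any step raises, the
  # snapshot is restored and no half-built order remains. The stock check is
  # repeated here because stock can change between the two phases (another
  # checkout finishing first, or the same product listed twice in one order).
  def process(items)
    validate!(items)
    transaction do
      items.each do |item|
        id, qty = item.values_at(:product_id, :quantity)
        raise OrderError, "insufficient stock for #{id}" if @stock[id] < qty
        @stock[id] -= qty
      end
      @orders << { items: items.map(&:dup), status: "pending" }
      @orders.last
    end
  end

  private

  # Minimal stand-in for ActiveRecord::Base.transaction: commit on normal exit,
  # restore the snapshot (ROLLBACK) and re-raise if anything goes wrong.
  def transaction
    snapshot = [@stock.dup, @orders.dup]
    yield
  rescue StandardError
    @stock, @orders = snapshot
    raise
  end
end

if __FILE__ == $0
  processor = OrderProcessor.new({ "sku-a" => 5, "sku-b" => 2 })
  processor.process([{ product_id: "sku-a", quantity: 2 }, { product_id: "sku-b", quantity: 1 }])
  begin
    # passes per-line validation, fails on the second decrement, rolled back
    processor.process([{ product_id: "sku-a", quantity: 2 }, { product_id: "sku-a", quantity: 2 }])
  rescue OrderError => e
    puts "rejected: #{e.message}; stock unchanged: #{processor.stock}"
  end
end
```

The duplicate-line order in the usage block passes phase 1 (each line on its own fits in stock) and fails inside the transaction; after the rollback the stock and the orders list are exactly as they were, which is the property the reviewed code lacks.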
8. Suspended Businesses Can Still Create Products

Where to look: ProductsController#create

What’s happening: We never check current_business.status == 'active'
Fix Idea: Add the correct check in the authenticate_business! filter.
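Issues 4, 5, 6 and 8 are all the same two controls: reject suspended principals (at login and again in the per-request filter) and look resources up only within the caller's own records. The following is an added example, not the project's controllers; the accounts and orders are constructed in-memory stand-ins for the users and orders tables, the SHA-256 password field stands in for whatever password hashing the app uses, and scoped_find_order is the plain-Ruby shape of current_user.orders.find(params[:id]).

```ruby
# Added example (not the project's controllers): a minimal request pipeline
# that (1) rejects suspended accounts at login and on every request, and
# (2) scopes order lookups to the caller, so a guessed id that belongs to
# someone else yields "not found" rather than another user's record.
require "digest"

NotFound     = Class.new(StandardError)
Unauthorized = Class.new(StandardError)

# Constructed stand-in for a users/businesses row. The password hash is a
# plain SHA-256 only to keep the example dependency-free.
Account = Struct.new(:id, :email, :password_hash, :status) do
  def active?
    status == "active"
  end
end

Order = Struct.new(:id, :user_id, :total_amount, :status)

USERS = [
  Account.new(1, "alice@example.com", Digest::SHA256.hexdigest("alice-pass"), "active"),
  Account.new(2, "bob@example.com",   Digest::SHA256.hexdigest("bob-pass"),   "suspended"),
]
ORDERS = [
  Order.new(10, 1, 25.0, "pending"),
  Order.new(11, 2, 40.0, "pending"),
]

# AuthController#login done right: password check AND status check. The status
# check is the part the reviewed code is missing.
def login(email, password)
  account = USERS.find { |u| u.email == email }
  unless account && account.password_hash == Digest::SHA256.hexdigest(password)
    raise Unauthorized, "bad credentials"
  end
  raise Unauthorized, "account #{account.status}" unless account.active?
  account
end

# authenticate_user! / authenticate_business! filter: a token issued before the
# suspension is still rejected, so a suspension takes effect immediately.
def authenticate!(account)
  raise Unauthorized, "account #{account.status}" unless account.active?
  account
end

# OrdersController#set_order done right: the lookup is scoped to the caller.
def scoped_find_order(current_user, order_id)
  ORDERS.find { |o| o.user_id == current_user.id && o.id == order_id } ||
    raise(NotFound, "order #{order_id} not found")
end

# The pattern under review: an unscoped lookup reaches any order by id.
def unscoped_find_order(order_id)
  ORDERS.find { |o| o.id == order_id } || raise(NotFound, "order #{order_id} not found")
end

# OrdersController#cancel with both controls applied.
def cancel_order(current_user, order_id)
  order = scoped_find_order(authenticate!(current_user), order_id)
  order.status = "canceled"
  order
end

if __FILE__ == $0
  alice = login("alice@example.com", "alice-pass")
  puts "alice sees bob's order unscoped: #{unscoped_find_order(11).inspect}"
  begin
    scoped_find_order(alice, 11)
  rescue NotFound => e
    puts "scoped lookup: #{e.message}"
  end
end
```

The same scoping applies to issue 5 with current_business and products in place of current_user and orders; the not-found response also avoids confirming to the caller that the id exists.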

Some other smaller issues I found elsewhere:

● Duplicate Status Updates: Don’t set status in both the controller and the service. Pick one place.
● Missing Parameter Validation: Require and validate all incoming fields (no negative quantities!).
