Magento 1.4 customer bug
February 21st, 2010
I recently blogged that Magento was not all that great; and that once the honeymoon is over and the beer goggles are put down, the world will see it more like it is than what we want it to be. It is my honest opinion that we will see the same pains as with osCommerce and most other open source projects allowing plugins: some plugins won't work well with others, some plugins will break with different updates of Magento, and sometimes, like in this case, Magento will break itself.
Update: The problem described in the article was probably limited to Cardgate and PayPal, and was resolved with help on the forum by a member of the Magento team: Anton Makarenko.
First I have to say that we at Future500 maintain the plugin for Cardgate.com, a payment gateway. This plugin, like most payment plugins, is basically just a redirect to another website after checkout.
After an upgrade to 1.4, a client was complaining that during some orders, the VAT was somehow removed from the amount before checkout. At first it seemed random, but as a coder I do not accept randomness as a possible answer; the only thing random in this country is how long it takes the government to fall.
So anyway, after quite a few test orders we finally figured out we could reproduce the issue if we created a new customer during checkout. In Magento 1.4 they have inserted an automatic login for NEW customers. Quite nice, and probably a feature request, but poorly tested. Once the new customer is created and logged in, the standard Magento mechanism for a customer session kicks in: if you already had some stuff in your cart when you logged out, and you already have some stuff in your cart at the time of login, you don't want to lose either of those carts. So they get merged. Neat.
Now what happens is this: normally you log in to Magento either during shopping, or at the first step of the checkout procedure. So you go through all the checkout steps as a logged-in user. But now, you get logged in right at the end of your checkout procedure, and the information you entered for "payment" is lost. It's just not copied to your new merged cart. And the new cart simply finds the subtotal of your order, disregarding VAT or shipping costs... and THAT's the amount you get sent to the payment gateway with.
Luckily, we have fraud protection against that sort of thing. An ill-willing customer could try to be a real smarty-pants and send his order to the payment gateway with the wrong amount (and statistics show that almost without exception, these ill-willing smarty-pants customers use lower amounts rather than higher). So that gets caught by the plugin: the amount confirmed by the gateway does not match the order total, and the order is not validated. But in this case it's not the customer's fault.
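To make the failure and the check concrete, here is an added example in plain Python. It is not code from the Cardgate plugin or from Magento; it models the situation described above (a cart merged at the very end of checkout whose totals drop VAT and shipping) and the server-side check a redirect-style payment plugin should run when the customer comes back from the gateway: the amount the gateway reports must equal the order's grand total to the cent, in either direction, in the same currency. The class and function names, the VAT rate, the shipping fee and all item prices are constructed for illustration.

```python
"""Amount-consistency check for a redirect-style payment plugin.

Added example, not code from the Cardgate plugin or from Magento. All names,
rates and figures are constructed for illustration.
"""
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP
from typing import List, Optional

CENT = Decimal("0.01")


def money(value) -> Decimal:
    """Round to cents. Payment amounts are compared as Decimal, never as float."""
    return Decimal(str(value)).quantize(CENT, rounding=ROUND_HALF_UP)


@dataclass
class Quote:
    """A checkout quote (cart). Tax and shipping are stored separately so the
    example can show a merged quote that kept its items but lost VAT and shipping."""
    items: List[Decimal] = field(default_factory=list)
    tax: Decimal = money(0)
    shipping: Decimal = money(0)
    payment_method: Optional[str] = None  # None: payment step data is missing

    @property
    def subtotal(self) -> Decimal:
        return money(sum((money(x) for x in self.items), Decimal(0)))

    def grand_total(self) -> Decimal:
        return money(self.subtotal + self.tax + self.shipping)


def priced_quote(net_items, vat_rate, shipping, payment_method) -> Quote:
    """Quote as it stands after the customer walked through every checkout step:
    items, VAT on the subtotal, shipping, and the chosen payment method."""
    items = [money(x) for x in net_items]
    subtotal = money(sum(items, Decimal(0)))
    return Quote(items=items,
                 tax=money(subtotal * Decimal(str(vat_rate))),
                 shipping=money(shipping),
                 payment_method=payment_method)


def merge_on_late_login(checkout_quote: Quote, saved_quote: Quote) -> Quote:
    """Constructed model of the behaviour described in the post: when the new
    customer is logged in at the end of checkout, the items of both carts are
    merged, but the payment step's data is not carried over and VAT/shipping
    are not recomputed. The merged quote therefore totals to the bare subtotal."""
    return Quote(items=checkout_quote.items + saved_quote.items,
                 tax=money(0), shipping=money(0), payment_method=None)


def redirect_amount(quote: Quote) -> Decimal:
    """Amount a redirect plugin hands to the gateway: the quote's grand total.
    For a merged quote this is the subtotal only, which is exactly the bug."""
    return quote.grand_total()


def gateway_return_is_valid(order_grand_total: Decimal, reported_amount,
                            reported_currency: str, order_currency: str = "EUR") -> bool:
    """Check run when the customer returns from the gateway. Any mismatch,
    higher or lower, or a different currency, leaves the order unvalidated."""
    return (reported_currency == order_currency
            and money(reported_amount) == money(order_grand_total))


def demo():
    """Walk through the scenario; returns the figures so they can be inspected."""
    vat_rate, shipping = "0.19", "6.95"          # constructed rate and fee
    checkout = priced_quote(["100.00", "50.00"], vat_rate, shipping, "cardgate")
    saved = priced_quote(["20.00"], vat_rate, "0.00", None)   # cart left from an earlier visit
    merged = merge_on_late_login(checkout, saved)
    sent = redirect_amount(merged)                             # what the buggy flow sends
    # What the merged items should really cost, VAT and shipping included.
    expected = priced_quote(merged.items, vat_rate, shipping, "cardgate").grand_total()
    return {
        "checkout_total": checkout.grand_total(),
        "sent_to_gateway": sent,
        "expected_total": expected,
        "accepted": gateway_return_is_valid(expected, sent, "EUR"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The plugin-side check is deliberately symmetric: an amount that is too high is as much a sign of a broken flow as one that is too low, and a currency change is rejected outright. In the scenario modelled here the mismatch is caused by the shop itself, which is why the post's honest customers saw their orders refused.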
Long story short (always nice when people put this at the end of a long story, no?):
Don't upgrade just yet if you use a payment plugin that redirects. Which is almost all of them. You can follow a thread on this issue here.