Hi, the other day a new customer was able to add a zero-priced item to the cart and check out. We have a simple mod in our Supply template that hides the Add to Cart button and displays a message, "Contact us for pricing", when the price is set to zero. This has worked well since we went live several years ago.
Recently someone has been circumventing this and adding zero-priced items to the cart and checking out. It happened again last night; this is 3 times altogether. Session details reveal that they are bypassing product pages altogether and going directly to the checkout. So this is disturbing. EVEN MORE disturbing is that the Shopify Support Chat "person" gathered all this information and came back a day later essentially saying "Our engineers really don't understand any of this stuff so you should go on the forum or hire someone to look into it".
We have added some fraud rules to try to block this specific customer and activity. But isn't this a serious security issue? Shouldn't Shopify be concerned and actually look into it? And we think the support chat person is a chatbot. Any help or insight is greatly appreciated.
Mike Borginis for Durland Company
tl;dr: Not a security issue, works as intended. If you publish a product, expect it to be purchasable, as the APIs support a lot of use cases and are NOT changeable; proper technical discovery and understanding platform capabilities can prevent false expectations. Tier-0 support is lackluster; bypass bots by asking for "support advisor" or "human".
I highly doubt a tier-0 support would claim "Our engineers really don't understand any of this stuff" when it's their job to make this stuff. A lack of situation-specific support is not a reason to warp a conversation so badly that it's borderline misinformation. Shopify support has fallen off, but I've never ever seen one say something like that, either brashly or casually.
Customers being able to purchase $0 items is the result of low cost implementations with low effort technical discovery.
The APIs work this way on purpose to support a broad range of use cases and are NOT changeable.
If a product is published, that makes it possible to be purchased.
Purchasing can happen using features such as the Ajax API, permalinks, Buy Buttons, sales channels, etc etc etc.
Don't just use a fraud app for one-offs; set up an automation to either reject invalid orders with Shopify Flow,
https://help.shopify.com/en/manual/shopify-flow/reference/actions/cancel-order
Or, more advanced, convert them to draft orders:
https://tasks.mechanic.dev/create-a-draft-order-from-the-cart
To fully lock down an order process on Shopify would effectively require a high barrier to entry with a custom headless storefront, Shopify Functions, backend order validations, etc etc etc.
Contact paull.newton+shopifyforum@gmail.com for the solutions you need
Save time & money ,Ask Questions The Smart Way
Problem Solved? ✔Accept and Like solutions to help future merchants
Answers powered by coffee Thank Paul with a ☕ Coffee for more answers or donate to eff.org
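The "backend order validation" Paul mentions, as an added example that is not from this thread, from Shopify, or from Paul: a `run` entry point shaped like a Shopify Functions cart validation in JavaScript that blocks checkout when any line has a zero unit price. The input field names (`cart.lines[].cost.amountPerQuantity.amount`, `merchandise.id`) and the `{ errors: [{ localizedMessage, target }] }` output are assumptions modelled on that API and should be checked against the current Functions docs; the sample cart is constructed.

```javascript
// Added example (not from the thread). Modelled on a Shopify Functions
// cart/checkout validation: the input field names and the error output
// shape are assumptions to verify against the current Functions API docs.

// Constructed sample input: one normally priced line and one line at 0.00,
// as a "contact us for pricing" product reaching checkout through the Ajax
// API or a permalink would look once the theme's hidden button is bypassed.
const SAMPLE_INPUT = {
  cart: {
    lines: [
      { id: "gid://shopify/CartLine/1", quantity: 1,
        cost: { amountPerQuantity: { amount: "19.99" } },
        merchandise: { id: "gid://shopify/ProductVariant/111" } },
      { id: "gid://shopify/CartLine/2", quantity: 3,
        cost: { amountPerQuantity: { amount: "0.00" } },
        merchandise: { id: "gid://shopify/ProductVariant/222" } },
    ],
  },
};

// Lines whose unit price is zero, negative or unparsable. The theme-level
// check never runs for carts built directly against the API, so the rule has
// to be enforced here, where every checkout path converges.
function zeroPricedLines(input) {
  return input.cart.lines.filter((line) => {
    const amount = Number(line.cost?.amountPerQuantity?.amount);
    return !Number.isFinite(amount) || amount <= 0;
  });
}

// Validation entry point: returns the errors that block checkout, or an
// empty list so a cart with only priced items proceeds normally.
function run(input) {
  const errors = zeroPricedLines(input).map((line) => ({
    localizedMessage:
      `${line.merchandise.id} has no price set. Contact us for pricing.`,
    target: "cart",
  }));
  return { errors };
}

console.log(JSON.stringify(run(SAMPLE_INPUT), null, 2));
```

Flow's cancel-order action catches the order after it exists; a check like this rejects the cart before the order is created, which is the difference Paul draws between a fraud app and a real lockdown.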
Hey Paul, thanks for the info. Was not aware of all the different ways that this could happen. We will check out your suggestions.
Mike