A space to discuss online store customization, theme development, and Liquid templating.
The title itself is self-explanatory. Unable to figure why it is happening.
This is the code
<form method="POST" enctype="multipart/form-data" id="reqCustomQuote" name="req-custom-quote" action="/apps/..../....">
<input required form="reqCustomQuote" type="text" class="input-full" name="Customer Name" value="{{ customer.name }}">
....
</form>
Is this a bug? Am I missing something?
bump
Bump.
@Liam ??
Bump. Anyone?
Hey @HymnZ ,
First, I must apologize for the time it's taken to get to this request. We're growing our support team to help prevent this in the future.
While the title is self explanatory, I have run some tests with App proxy using a form to submit data as indicated, and I'm not seeing any issues. The only time I'm seeing different data in my proxy endpoint is when logged in with a different customer on the store, or when I override the customer name in the form itself.
Regards,
John
John C | Developer Support @ Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit Shopify.dev or the Shopify Web Design and Development Blog
@_JCC_ why are the replies rejected?
Thanks for getting back. I was told by the support team on chat that my post will be answered eventually (:
What you pointed out is exactly the problem.
When the customer is logged in on the frontend of the store and submit the form, in this case, it's an app-proxy endpoint that takes the customer's information viz name, email etc., the app only sends out an email to an external system and it doesn't interact with Shopify's backend in anyway. But still, the customer's name gets updated in Shopify's admin section of the store.
This can be overcome by having a first name and last name as separate fields, in effect, it's updating both the fields in the backend. But IMHO that's really not a solution.
I have done additional testing on this functionality and it appears that this (customer name update) happens as long as the domain in the action attribute of the form is the same as that of the store (or something.myshopify.com)
So this is definitely a bug and can be used by apps and javascript code with malicious intentions to drastically alter customers name without having the API permissions to read/write customers.
...
... ...
Hey @HymnZ ,
Thanks for providing that additional information. I just wanted to let you know that we don't delete posts but do have a spam filter.
I took your form code as provided and added that to a page on my test store. The form posts to an app proxy endpoint with the form action matching that of the stores myshopify.com address, and I'm still not seeing the customer name being updated on the customer record itself.
Would you be willing to DM me the store where you're reproducing this and have an account?
Regards,
John
John C | Developer Support @ Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit Shopify.dev or the Shopify Web Design and Development Blog
Done sir.