Multiple form submissions & Order Status reset

  • Resolved stefandev

    (@stefandev)


    2 weeks, 3 days ago

    Hello Support Team,

    First of all, congratulations on releasing the new plugin, it generally works great for my store’s needs.

    Since the plugin is relatively new, I expected there might be a few minor hiccups to iron out. While testing, I found two bugs regarding the withdrawal form functionality that I wanted to bring to your attention so you can make the plugin even better:

    Bug 1: Missing double-submit prevention & persistent loading state

    Issue: When a customer successfully fills out and submits the withdrawal form, the loading animation on the submit button persists indefinitely.

    Consequence: The button is not disabled after a successful submission. The customer can click the button multiple times, which re-submits the form and sends out duplicate emails for every single click.

    Expected behavior: The button should return to its normal state (or show a “Success” message) and be temporarily disabled after the first successful submission to prevent duplicate AJAX requests/emails.

    Bug 2: Missing validation for already processed withdrawals

    Issue: After a store admin explicitly accepts or rejects a withdrawal request, the customer is still able to access and fill out the withdrawal form for that exact same order.

    Consequence: If the customer submits the form again, it resets the order status back to the pending withdrawal state, overriding the admin’s previous decision (Accept/Reject).

    Expected behavior: If an order withdrawal has already been accepted or rejected by the admin, the form should no longer be available for that order (e.g., displaying a message like “Withdrawal already processed”), and the order status should be protected from being reset.

    Thank you again for such a great plugin. Keep up the excellent work, and I am looking forward to the next update!

    Best regards,
    Stefan

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor Dennis

    (@vdwoocommercesupport)

    2 weeks, 3 days ago

    Hi Stefan,

    Bug 1: Missing double-submit prevention & persistent loading state

    Actually the button gets a disabled property right after submitting. The loading state is removed right after the XHR request finished. I’m not really sure what you’ve tested here exactly? Could you elaborate on the issue? Please find the JS code responsible for that here: https://github.com/vendidero/eu-order-withdrawal-button-for-woocommerce/blob/main/assets/js/static/order-withdrawal.js#L154

    Did you try the form with JS turned off? Did you check that via chrome dev tools?

    Bug 2: Missing validation for already processed withdrawals

    I was testing the latest version and I could not reproduce that issue. When submitting a withdrawal request for an order that does is already fully withdrawn/rejected, this specific request is currently not linked to the order and does not trigger a reset of the order status (although you are right that this needs some tweaks to make sure to present the customer with an error message instead).

    If there is an open withdrawal request (not yet processed) a verified customer (email address + order number matches) may override/edit this specific request.

    Best,
    Dennis

    Thread Starter stefandev

    (@stefandev)

    2 weeks ago

    Hi Dennis,

    Thank you so much for the quick and detailed reply! I really appreciate the time you take to support this plugin.

    Regarding Bug 1:
    You are 100% right. After doing some deeper digging i found out that this is actually caused by a custom CSS override on my end hiding the proper button state. I sincerely apologize for the false alarm—you can completely scratch that one off your list!

    Regarding Bug 2:
    Thanks for clarifying the logic behind open requests. I went back and did some more extensive testing, and I managed to narrow down the exact edge cases where the bypass occurs.

    When a withdrawal is rejected, the customer correctly gets the error message (“We’re sorry, but this order cannot be canceled. Please contact support for assistance.”) and cannot proceed.

    However, here are the two specific edge cases I found where the system can still be bypassed:

    Edge Case A (Page Refresh): If a customer submits the form and then simply refreshes the page, the form renders again and allows them to resubmit as many times as they want.

    Edge Case B (Logged-out / Guest View): Once an admin approves a withdrawal, the logic works correctly for logged-in users: the specific order number is successfully removed from the eligible orders dropdown. However, if the customer logs out and manually enters that exact same order number into the guest withdrawal form, they can still submit a request for it.

    Best regards,
    Stefan

    Plugin Contributor Dennis

    (@vdwoocommercesupport)

    1 week, 6 days ago

    Hi,

    Edge Case A (Page Refresh): If a customer submits the form and then simply refreshes the page, the form renders again and allows them to resubmit as many times as they want.

    This is expected behaviour. A customer is not limited in the amount of requests. We will add an additional check though to see whether a withdrawal request for a certain order number has already been submitted and show an error message instead.

    Edge Case B (Logged-out / Guest View): Once an admin approves a withdrawal, the logic works correctly for logged-in users: the specific order number is successfully removed from the eligible orders dropdown. However, if the customer logs out and manually enters that exact same order number into the guest withdrawal form, they can still submit a request for it.

    Yes but this request won’t be linked to the order directly. We’ll add a check though to prevent additional (unlinked) requests to the particular order.

    Best,
    Dennis

Viewing 3 replies - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.