Bug: Voucher Redemption Race Condition

[ArnavBallinCode]

Bug: Voucher Redemption Race Condition

Describe the bug

The voucher redemption system has a critical race condition that allows multiple concurrent requests to exceed the max_usages limit. When multiple users attempt to redeem the same voucher simultaneously, the validation check occurs before acquiring the database lock, creating a window where all concurrent requests can pass validation and successfully redeem the voucher beyond its intended limit.

In our testing, a voucher with max_usages=3 was successfully redeemed 5 times (167% over limit).

Root Cause

The bug is located in app/eventyay/base/services/cart.py:

1. Lines 1002-1021 (_get_voucher_availability): Voucher availability validation happens without any lock
2. Lines 1358-1368 (_require_locking): Database lock is acquired after validation has already completed

Expected behavior

A voucher with max_usages=3 should only allow exactly 3 redemptions. The 4th and 5th concurrent requests should fail with an error message indicating the voucher has reached its maximum usage limit.

Screenshots

Screenshot 1: Vouchers Page - Over-redemption Visible

Screenshot 2: Orders Page - Multiple Orders with Same Voucher

[ArnavBallinCode]

After thorough testing and code analysis, both voucher and gift card systems have race conditions in their counters but are prevent financial loss.

1: Validation in _check_positions()

• Runs INSIDE event.lock()
• Calculates availability including pending carts
• Deletes cart positions that exceed limit
• But: Doesn't lock the voucher itself

2: Price Recalculation

lines 771-820

Even if a cart position gets through with a voucher attached, the price is recalculated using get_price() which validates:

• Voucher validity (expiration, usage limits)
• Voucher applicability to product
• Budget constraints

If validation fails, price_before_voucher stays None and no discount is applied.

3: Event Locking

lines 1172-1177

if positions.filter(
    Q(voucher__isnull=False) | Q(expires__lt=now() + timedelta(minutes=2)) | Q(seat__isnull=False)
).exists():
    locked = True
    lockfn = event.lock

[hpdang]

@ArnavBallinCode so what do you want to do wf your opened PR? Sounds like we don't need an urgent fix now

[ArnavBallinCode]

even though there are safety layers, the PR fix does make sense cuz it prevents counter drift and ensures voucher.redeemed stays accurate and does prevent some edge cases too

@ArnavBallinCode so what do you want to do your opened PR? Sounds like we don't need an urgent fix now

[mariobehling]

We need to focus on high priority issues. Even reviewing PRs like this takes time we do not have right now. This is low priority.