Jump to content

akbal

Members
  • Content count

    4
  • Joined

  • Last visited

1 Follower

Profile Information

  • Real Name
    Mick Szucs
  1. This was recently said (three or four posts prior to this one,) but bears repeating because it had me scratching my head and seems to be an issue for many. "Use Gift Voucher to pay for this purchase" checkbox will not be displayed until you enable the Gift Voucher as an Order Total module. Find it in the Admin interface, under Modules->Order Total->Gift Vouchers... Sorry if that's redundant, but having it in bold someplace would have saved me a few minutes, so there it is for fellow idiots :P Problem: Customer has a gift voucher for $4, and purchases an item that's exactly $4, there's no need to select a payment method to complete the purchase - that's a good thing - it's the intuitive action for checkout in this case. However, since they haven't selected a payment option, their order status isn't automatically updated, like it would be if they used the Paypal IPN method, or 2checkout, or whatever. This is a problem particularly if the cart makes use of the download controller and will allow customers to download upon the completion of a purchase. Question: Any way to make the order status update when the purchase is paid for entirely in voucher credits? If the customer does select a payment method (Paypal IPN, for example) and they complete the order, the status IS updated, regardless of the fact that it never went to Paypal. The solution to this problem, then, might be as simple as specifying a default payment method. Any easy way to do that? Many thanks. Forgive me if this has been answered elsewhere in this thread, 43 pages by dialup takes a long, long time, and I stopped reading after page 10 or so :) Mick
  2. Of course, we will be manually checking all orders until this bug is fixed, but it falls far short of this module's potential to have to be doing so. Since I'm offering a downloadable product, the idea was/is to use the IPN to update the order status to a level that makes the download available (using the downloads controller.) The aim being to provide the customer with the immediate gratification that comes from shopping on the web. And yes, of course I would think it was odd to be underpaid - but in the case of automatically enabled downloads, the damage would be done before the shop owner noticed. I claim it as a security problem because the thing works just well enough to let you believe it can be trusted. :) Doesn't seem like it should be too much work to add an extra check against order value. Probably could spend a good deal of time trying to figure out how to deal with under-paid orders, though... Customer/administrator notification, etc. If it's still an issue when I finally get the rest of my shop together I'll gladly lend a hand to get it fixed, Pablo has done some really good work with this one.
  3. Let me preface this by saying that I'm prepared to accept that I'm just not doing something right, however: I think there's a hole big enough to fit a Mac truck through in the Paypal IPN module. Say you've got an item that's a downloadable item worth $25. Bob checks out using Paypal IPN and is directed to Paypal, where he's presented with option of paying $25 for his purchase. Meanwhile, his order has already been created with a status of Paypal Processing - download is not yet available. Being the sneaky sort, Bob checks the URL at Paypal and, lo!, there, not particulary well hidden in the URL is the PRICE of the item he's about to purchase. Bob snickers to himself and changes the price from $25.00 to $0.01, then resubmits. Sure enough, Paypal pops up a fresh page that allows him to pay $0.01 for this item now. Bob completes his transaction, and this is where everything falls apart. Paypal sends the IPN to osCommerce saying that order # XX for Bob Dobbs has been VERIFIED.. The IPN module says VERIFIED? Great, let me just update the order status to "Paid" or whatever it's been configured to do. IT DOES NOT CHECK TO SEE HOW MUCH HAS BEEN PAID, OR IF THE AMOUNT PAID EQUALS THE AMOUNT THAT THE ORDER IS WORTH. In this case, Bob's $25 order is now ready for download for $0.01. Quite a bargain, eh? I've tested this over and over again, using cURL, not using cURL, test mode, not test mode, etc. This is with Paypal IPN v0981 for milestone 2. Seems to me that a crucial step has been left out of the order verification process - but as I say, I'd not be surprised to find out I've just screwed something up :P Anyone else getting this?
  4. Am I missing something, or is there a massive security hole in this module? Try this: - Checkout using IPN, you're redirected to PayPal. - Modify the URL visible while you're at PayPal - change the cost of the item that you're purchasing to $0.01, then resubmit the URL. - Complete payment through PayPal PayPal IPN dutifully sends a "payment verified" message to the IPN module on your site. If you've set the IPN module to change the order status, the order status will be changed, although the user has only paid $0.01 for the order. Seems that the IPN module checks only that Paypal has said VERIFIED and that there's an order number that it recognizes - it does not check that the AMOUNT VERIFIED by PayPal is equal to the amount owing on the order. Please tell me I'm doing something wrong. Such a glaring oversight is beyond comprehension. Fortunately, it shouldn't be too much work to fix it. Doing something sensible with these bogus orders (alerting administrator, notifying customer that they underpaid, etc...) would be useful, too. This is paypal IPN v0981_for_milestone_2, BTW.
×