202ecommerce / paypal

This repository is for developers only. To install and upgrade the module in a production shop please install the package via PrestaShop Marketplace by following this link:
https://addons.prestashop.com/fr/paiement-carte-wallet/1748-paypal-officiel.html
Academic Free License v3.0
20 stars 31 forks

The quantities in stock are not verified in case of payment with PayPal #325

Open Codencode opened 6 months ago

Codencode commented 6 months ago

Describe the bug and add screenshots

As the remaining quantity in stock is not checked when paying with PayPal or other forms that require a gateway payment, it is possible to complete the order and pay for an out-of-stock product even if this is not permitted.

I attach a video of the problem 01 - screen-capture.webm.webm 02 - screen-capture.webm.webm

The problem also occurs when paying using the payment buttons in the cart and on the product page.

Expected behavior

Payment should not be allowed

Steps to reproduce

  1. Set a product quantity to 2 in the BO
  2. Add this product to cart, 2 units
  3. Go to the last step of the checkout (payment), just before you click "Confirm with an obligation to pay"
  4. Now, change quantity of the product to 1 in back-office
  5. Click "Confirm with an obligation to pay" on last step of the checkout (payment), but selecting payment with PayPal
  6. You are now able to pay while you shouldn't

PrestaShop version(s) where the bug happened

8.0

PHP version(s) where the bug happened

all

clotairer commented 6 months ago

Linked to #PrestaShop/PrestaShop/issues/35984

clotairer commented 6 months ago

Thank you for your report and your analysis on the PrestaShop issue I recopy here:

I understand the issue with a PayPal module payment, but it's not the role of a payment gateway to manage the availability of the stocks, but that of the core. Only the core of PrestaShop should manage if it's OK to create an order or not in this condition during the "validateOrder" action of the PaymentModule class. Nevertheless, all payment gateways (I don't speak about PayPal only) cannot manage a refund after valid payment if the order failed for any reason. I suppose it is kindly helpful to create an order without enough stock instead of an orphan payment without order on PrestaShop? Perhaps that's the reason why the core doesn't stop the order creation. Not sure of that. At least, there always was a time lapse between the user payment on the "bank portal" and its return on the shop. But, in a regular way, an order is created with a "reserved stock" different from the "physical stock". If you deduct stock manually in the back office, you deduct directly from the physical stock and you increase the probability of this issue.

Hi @clotairer, the problem is that checking ValidateOrder would be useless as the payment has already been made. Basically PrestaShop, from version 8, when you click on the order confirmation button, checks the quantity of products in the cart. It does so by executing an ajax call to the endpoint stored in the "window.prestashop.urls.pages.order" variable and passing as parameter "action" => "checkCartStillOrderable". Here is the code I am referring to:

https://github.com/PrestaShop/PrestaShop/blob/2937cae599dcf5b4ada6914925eccdb2fa6cbfc3/themes/_core/js/checkout-payment.js#L173

The PayPal module should do the same thing as the ps_checkout module which checks the quantities before confirming the payment. Here is the module code I am referring to: https://github.com/PrestaShopCorp/ps_checkout/blob/6bba634f4ccdd5d0a01f2879f3073f963f9040e8/controllers/front/validate.php#L52

This method, in case of invalid quantities, raises an exception that prints an error in the cart, https://github.com/PrestaShopCorp/ps_checkout/blob/6bba634f4ccdd5d0a01f2879f3073f963f9040e8/controllers/front/validate.php#L312C1-L315C27
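
The pre-payment check described in the comment above, sketched as a browser-side gate that fails closed. This is an added example, not part of the thread and not code from PrestaShop core, ps_checkout or the PayPal module; the `ajax=1` parameter, the `errors` field of the reply and the function names are assumptions.

```javascript
// Added illustration; not code from PrestaShop core, ps_checkout or the PayPal module.
// From the thread: the order page URL and action=checkCartStillOrderable.
// Assumed: the ajax=1 parameter, and a JSON reply whose `errors` field is
// exactly false when the cart can still be ordered.

// Pure decision step: anything other than an explicit "orderable" blocks payment.
function decideFromReply(httpStatus, bodyText) {
  if (httpStatus < 200 || httpStatus >= 300) {
    return { proceed: false, reason: `http ${httpStatus}` };
  }
  let reply;
  try {
    reply = JSON.parse(bodyText);
  } catch (e) {
    return { proceed: false, reason: 'reply is not JSON' };
  }
  if (reply === null || typeof reply !== 'object') {
    return { proceed: false, reason: 'unexpected reply' };
  }
  if (reply.errors !== false) {
    return { proceed: false, reason: 'cart no longer orderable' };
  }
  return { proceed: true, reason: 'cart still orderable' };
}

// Ask the shop right before the buyer is sent to PayPal. `post` is injectable
// so the gate can be exercised offline; in a browser it defaults to fetch.
async function cartStillOrderable(orderUrl, post = fetch) {
  try {
    const res = await post(orderUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      credentials: 'same-origin', // the cart belongs to the session cookie
      body: new URLSearchParams({ ajax: '1', action: 'checkCartStillOrderable' }).toString(),
    });
    return decideFromReply(res.status, await res.text());
  } catch (e) {
    return { proceed: false, reason: 'request failed' };
  }
}

// Hypothetical button wiring: PayPal approval starts only when the gate passes.
async function onPayPalClick(orderUrl, startApproval, showError, post = fetch) {
  const verdict = await cartStillOrderable(orderUrl, post);
  if (verdict.proceed) startApproval();
  else showError(verdict.reason);
  return verdict.proceed;
}
```

In a theme the first argument would be `window.prestashop.urls.pages.order`. A browser-side gate only narrows the window between the stock check and the payment; the check the comment points to in ps_checkout's `validate.php` runs on the server before the payment is confirmed.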