HotcakesCommerce / hotcakes-commerce-core

The core of the e-commerce part of the overall solution. This is an ecommerce shopping cart solution built on top of the DNN (DotNetNuke) CMS. Anyone can do commerce online now!
https://mmmcommerce.com
MIT License

Able to skip paypal payment and place order #374

Closed JordzJoestar closed 2 years ago

JordzJoestar commented 2 years ago

Posted originally in the forum: https://mmmcommerce.com/Forums/g/Posts/t/429/Urgent--Able-to-skip-paypal-payment-and-place-order

We are able to place an order without paying with Hotcakes 3.5.0. This is via PayPal and other custom payment gateways. Older versions of Hotcakes displayed a receipt URL which didn't trigger a pending order to complete.

Steps to recreate:

  1. Complete an order of any value with PayPal.
  2. Copy the return URL.
  3. Begin another order of any value, but when you get redirected to the PayPal website do not complete payment; instead paste your copied return URL either over the PayPal website or in a new tab in the same browser.
  4. The sale completes and there is no way to see that the person has not paid.
  5. The only clue inside Hotcakes is under the 'payment' tab for the transaction: all the ref numbers are the same across transactions.
  6. This can be completed multiple times with the same success URL.

erw13n commented 2 years ago

@JordzJoestar, pull request #370 should fix this issue. This issue happens because of a wrong implementation of Redirect.

WillStrohl commented 2 years ago

This update will be pushed in the 03.06.00 release. We don't have a release date for it yet, but it will be as soon as possible. Most likely, it will be in a week or two.
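
The server-side check that closes the gap reported above, as an added example that is not part of this thread and not the change in pull request #370: the return handler accepts only a payment the gateway reports as completed for this order and amount, and refuses a reference that was already applied. All type and member names are hypothetical rather than Hotcakes Commerce APIs, the dictionary stands in for a server-to-server lookup at the payment provider, and the sample data is constructed.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical types for illustration; none of these are Hotcakes Commerce APIs.
public enum ReturnResult { Paid, NotPaid, WrongOrder, AmountMismatch, ReplayedReference }

public record GatewayPayment(string Reference, string OrderId, decimal Amount, bool Completed);

public class ReturnHandler
{
    // The gateway's own record of payments, keyed by reference. Assumption: in production
    // this is a server-to-server lookup at the provider, never data sent by the browser.
    private readonly IReadOnlyDictionary<string, GatewayPayment> _gateway;

    // References already applied to an order (a unique-keyed table in a real store).
    private readonly HashSet<string> _usedReferences = new();

    public ReturnHandler(IReadOnlyDictionary<string, GatewayPayment> gateway) => _gateway = gateway;

    // orderId and orderTotal come from the server-side record of the order being checked
    // out; reference is the only value taken from the return URL.
    public ReturnResult Handle(string orderId, decimal orderTotal, string reference)
    {
        if (!_gateway.TryGetValue(reference, out var p) || !p.Completed) return ReturnResult.NotPaid;
        if (p.OrderId != orderId) return ReturnResult.WrongOrder;        // payment belongs to another order
        if (p.Amount != orderTotal) return ReturnResult.AmountMismatch;  // paid amount differs from order total
        if (!_usedReferences.Add(reference)) return ReturnResult.ReplayedReference;
        return ReturnResult.Paid;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: one completed payment, made for order A-1001.
        var gateway = new Dictionary<string, GatewayPayment>
        {
            ["REF-111"] = new("REF-111", "A-1001", 25.00m, true)
        };
        var handler = new ReturnHandler(gateway);

        Console.WriteLine(handler.Handle("A-1001", 25.00m, "REF-111")); // first return for the paid order
        Console.WriteLine(handler.Handle("A-1002", 40.00m, "REF-111")); // same return URL reused on a second order
        Console.WriteLine(handler.Handle("A-1001", 25.00m, "REF-111")); // same return URL loaded again
    }
}
```

Logging every result other than `Paid` together with the order id gives an explicit record of the condition the report could only spot as identical ref numbers under the 'payment' tab.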