Closed lcaldwell closed 7 years ago
Thanks for the report. It looks like the docs should say "PayPal may POST to it", instead of will. I don't know if this is a change in PayPal behaviour or not.
@lcaldwell @spookylukey The current version of the PayPal documentation has:
The default value for rm is 0 (use the GET method).
So the documentation should be updated; I think that part should just be removed.
If a user sets the rm value manually to use POST instead, they should be aware of using @csrf_exempt anyway.
Note that return_url view needs @csrf_exempt applied to it, because PayPal will POST to it, so it should be a custom view that doesn’t need to handle POSTs otherwise.
This is strange to me - the @csrf_exempt docs were obviously added for a reason. In fact I added that note, and I don't think I have ever used the 'rm' parameter.
So, I don't entirely trust the docs. It's possible that the default was different in the past, and the default might be per customer e.g. for NEW customers it defaults to GET.
So, perhaps it would be changed to "depending on your config, and especially if you set rm to 0".
I don't think it's just for new customers. I had a working configuration with an old PayPal account, didn't change anything and at some point it stopped working until I changed this. I think it's worth leaving the csrf_exempt note (or something similar). Although they should be aware, I think it's likely it will save someone some time at some point.
I don't have old accounts, but my newly created sandboxed account always uses GET for return_url, so I think PayPal's default behaviour and documentation were changed at some point.
And users should be aware that they need to allow GET requests for return_url or use the rm option.
I have been using django-paypal on a project for a while without problems but recently I noticed that after making a purchase, a customer was redirected back to the site using the GET method rather than POST. I took a look at the PayPal documentation here and it seems like there is a variable rm which is used to define the method used for the return and the default is GET. Is this a new addition to the API? Should django-paypal either provide this parameter with POST as the default or else make a note in the docs where it currently says that PayPal will POST back?