prestashopcorp / amzpayments
Amazon Payments module
We didn't fully check the payment validation flow; we need testing credentials.
https://github.com/PrestaShop/amzpayments/blob/dev/ipn.php#L51
It looks like there is no access control on ipn.php: anybody is able to submit a "PaymentAuthorize" message.
If ipn.php is meant to only receive notifications from the Amazon merchant service/gateway, then the messages should be signed or authenticated so we can be sure the message comes from a trusted source and can't be altered.
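The check the review asks for, as an added example that is not part of the module or of this thread: the notification handler verifies a signature over the message fields before doing any work, so an unsigned or altered message is refused. It assumes a generic scheme (the gateway signs a canonical string of the fields with an RSA key and publishes the matching public key); the field names, canonical format and the sample notification are constructed for the example and are not Amazon's actual IPN format.

```php
<?php
// Added example (not module code). Assumption: the gateway signs a canonical
// string of the notification fields with RSA/SHA-256 and the merchant holds
// the matching public key in PEM form. Field names are constructed here.

function canonical_string(array $msg): string
{
    // Fixed field order: signer and verifier must agree on it.
    $fields = ['MessageId', 'NotificationType', 'Timestamp', 'Message'];
    $out = '';
    foreach ($fields as $f) {
        if (!isset($msg[$f])) {
            throw new InvalidArgumentException("missing field $f");
        }
        $out .= $f . "\n" . $msg[$f] . "\n";
    }
    return $out;
}

function verify_ipn(array $msg, string $publicKeyPem): bool
{
    if (!isset($msg['Signature'])) {
        return false; // unsigned messages are never trusted
    }
    $sig = base64_decode($msg['Signature'], true);
    if ($sig === false) {
        return false;
    }
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false) {
        return false;
    }
    try {
        $data = canonical_string($msg);
    } catch (InvalidArgumentException $e) {
        return false;
    }
    // openssl_verify: 1 = valid, 0 = signature mismatch, -1 = error
    return openssl_verify($data, $sig, $key, OPENSSL_ALGO_SHA256) === 1;
}

// Gate for ipn.php: reject before any database work happens.
function handle_ipn(array $msg, string $publicKeyPem): void
{
    if (!verify_ipn($msg, $publicKeyPem)) {
        http_response_code(403);
        exit('IPN signature check failed');
    }
    // ... process the verified notification here ...
}

// Stand-alone demo: a throwaway key pair stands in for the gateway's key.
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $privPem);
$pubPem = openssl_pkey_get_details($pair)['key'];

$msg = [ // constructed sample notification
    'MessageId'        => 'example-0001',
    'NotificationType' => 'PaymentAuthorize',
    'Timestamp'        => '2016-01-01T00:00:00Z',
    'Message'          => '{"AuthorizationStatus":{"State":"Open"}}',
];
openssl_sign(canonical_string($msg), $rawSig, $privPem, OPENSSL_ALGO_SHA256);
$msg['Signature'] = base64_encode($rawSig);

$tampered = $msg;
$tampered['Message'] = '{"AuthorizationStatus":{"State":"Closed"}}';
$unsigned = $msg;
unset($unsigned['Signature']);

echo 'genuine:  ', var_export(verify_ipn($msg, $pubPem), true), "\n";
echo 'tampered: ', var_export(verify_ipn($tampered, $pubPem), true), "\n";
echo 'unsigned: ', var_export(verify_ipn($unsigned, $pubPem), true), "\n";
```

The gate runs before the database update that the current ipn.php performs, so a forged "PaymentAuthorize" can no longer move an order's status; the real key material and message layout come from the gateway's documentation, not from this example.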
https://github.com/PrestaShop/amzpayments/blob/dev/controllers/front/amzpayments.php#L404 escape $sql_arr variables with pSQL or (int) before db->insert()
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L308 pSQL($this->name)
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L335 pSQL($this->name)
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L363 bqSQL($table) pSQL($column)
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L1636 pSQL((string) $details->getRefundStatus()->getState())
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L1657 pSQL((string) $details->getCaptureStatus()->getState())
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L1693 pSQL((string) $details->getAuthorizationStatus()->getState())
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L1723 pSQL((string) $details->getOrderReferenceStatus()->getState())
https://github.com/PrestaShop/amzpayments/blob/dev/amzpayments.php#L1941 pSQL($this->capture_status_id)
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L81 escape $sql_arr variables with pSQL or (int) before db->insert()
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L119 escape $sql_arr variables with pSQL or (int) before db->insert()
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L158 escape $sql_arr variables with pSQL or (int) before db->insert()
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L269 pSQL($type)
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L356 pSQL($oid)
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L357 pSQL($status)
https://github.com/PrestaShop/amzpayments/blob/dev/ipn.php#L59 pSQL((string) $response_xml->AuthorizationDetails->AuthorizationStatus->State)
https://github.com/PrestaShop/amzpayments/blob/dev/ipn.php#L81 pSQL((string) $response_xml->CaptureDetails->CaptureStatus->State)
https://github.com/PrestaShop/amzpayments/blob/dev/ipn.php#L101 pSQL((string) $response_xml->RefundDetails->RefundStatus->State)
https://github.com/PrestaShop/amzpayments/blob/dev/ipn.php#L114 pSQL((string) $response_xml->OrderReference->OrderReferenceStatus->State)
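The escaping pattern the list above asks for, as an added example that is not part of the module: every value reaches Db::insert()/Db::update() either cast to an integer or passed through pSQL(), identifiers go through bqSQL(), and SimpleXML nodes are cast to string before escaping. It assumes PrestaShop's Db class, pSQL() and bqSQL() are loaded (module context); the table and column names are constructed for the example.

```php
<?php
// Added example (not module code). Assumes PrestaShop is bootstrapped so that
// Db, pSQL(), bqSQL() and _DB_PREFIX_ exist. Table/column names constructed.

/**
 * Build the row for the module's own transaction table from untrusted input
 * (IPN XML, request parameters): every column is an int, a float, or a
 * pSQL()-escaped string before it is handed to Db::insert().
 */
function amz_sanitized_row(array $raw): array
{
    return [
        'id_order'       => (int) $raw['id_order'],
        'id_transaction' => pSQL((string) $raw['id_transaction']),
        'type'           => pSQL((string) $raw['type']),
        'status'         => pSQL((string) $raw['status']),
        'amount'         => (float) $raw['amount'],
        'date_add'       => date('Y-m-d H:i:s'),
    ];
}

function amz_insert_transaction(array $raw): bool
{
    $sql_arr = amz_sanitized_row($raw);
    // Db::insert() quotes values but does not escape them; escaping is the
    // caller's job, which is why pSQL()/(int) are applied above.
    return Db::getInstance()->insert('amz_transaction', $sql_arr);
}

function amz_update_status(string $oid, string $status): bool
{
    return Db::getInstance()->update(
        'amz_transaction',
        ['status' => pSQL($status)],
        'id_transaction = \'' . pSQL($oid) . '\''
    );
}

// Identifiers (table and column names) are not values: use bqSQL() for them.
function amz_column_exists(string $table, string $column): bool
{
    $rows = Db::getInstance()->executeS(
        'SHOW COLUMNS FROM `' . _DB_PREFIX_ . bqSQL($table) . '` LIKE \'' . pSQL($column) . '\''
    );
    return !empty($rows);
}

// SimpleXML nodes are objects: cast to string first, then escape, as in the
// ipn.php lines listed above.
function amz_state_from_xml(SimpleXMLElement $xml): string
{
    return pSQL((string) $xml->AuthorizationDetails->AuthorizationStatus->State);
}
```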
Please replace all the following calls to serialize/unserialize by json_encode/json_decode.
If you can't, please use Tools::unSerialize() instead of unserialize().
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L304
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L306
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L308
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L321
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L322
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L324
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L337
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L338
https://github.com/PrestaShop/amzpayments/blob/dev/classes/AmazonTransactions.php#L340
https://github.com/PrestaShop/amzpayments/blob/dev/controllers/front/amzpayments.php#L648
https://github.com/PrestaShop/amzpayments/blob/dev/controllers/front/amzpayments.php#L657
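The replacement the review asks for, as an added example that is not part of the module: transaction details are stored as JSON and decoded to plain arrays, so reading them back can never instantiate a PHP object. A fallback for values written by an older version uses Tools::unSerialize() when PrestaShop is loaded and PHP's own `allowed_classes => false` option otherwise; the function names and sample data are constructed for the example.

```php
<?php
// Added example (not module code). Sample values below are constructed.

function amz_encode(array $data): string
{
    $json = json_encode($data);
    if ($json === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $json;
}

function amz_decode(string $stored): array
{
    // true => associative arrays only; a decoded value is never an object
    $data = json_decode($stored, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        throw new RuntimeException('stored value is not valid JSON: ' . json_last_error_msg());
    }
    return $data;
}

// Fallback for rows written by an older module version with serialize().
// Both branches refuse to build objects; the result is an array or false.
function amz_decode_legacy(string $stored)
{
    if (class_exists('Tools') && method_exists('Tools', 'unSerialize')) {
        // PrestaShop helper: returns false when the payload contains an object
        return Tools::unSerialize($stored);
    }
    // PHP 7+: objects are not instantiated (they become __PHP_Incomplete_Class)
    $value = @unserialize($stored, ['allowed_classes' => false]);
    return is_object($value) ? false : $value;
}

$details = [
    'capture_id' => 'EXAMPLE-CAPTURE-0001',
    'state'      => 'Completed',
    'amount'     => 19.99,
];

$stored = amz_encode($details);
assert(amz_decode($stored) === $details);

// A plain legacy array still decodes; a legacy payload describing an object
// is refused instead of being instantiated.
$legacyArray  = serialize(['state' => 'Open']);
$legacyObject = 'O:8:"stdClass":1:{s:5:"state";s:4:"Open";}';
echo 'array payload:  ', var_export(amz_decode_legacy($legacyArray), true), "\n";
echo 'object payload: ', var_export(amz_decode_legacy($legacyObject), true), "\n";
```

Once every writer uses amz_encode(), the legacy path can be removed; until then it keeps old rows readable without giving unserialize() a chance to instantiate classes.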
In the following templates, the variables aren't escaped; it is recommended to always escape variables with |escape:'htmlall'.
https://github.com/PrestaShop/amzpayments/blob/dev/views/templates/admin/configuration.tpl
https://github.com/PrestaShop/amzpayments/blob/dev/views/templates/admin/order_actions.tpl
https://github.com/PrestaShop/amzpayments/blob/dev/views/templates/admin/order_history.tpl
https://github.com/PrestaShop/amzpayments/blob/dev/views/templates/admin/order_summary.tpl
https://github.com/PrestaShop/amzpayments/blob/dev/views/templates/admin/skeleton.tpl
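What the modifier changes, as an added example that is not part of the module: the same template fragment rendered with and without |escape:'htmlall', using Smarty's string resource so the templates are inline. It assumes Smarty 3 (the engine PrestaShop bundles) can be loaded from the path in the require; the variable name and value are constructed for the example.

```php
<?php
// Added example (not module code). Assumption: Smarty 3 is available at the
// path below (adjust to your PrestaShop root). Variable and value constructed.
if (!class_exists('Smarty')) {
    require_once __DIR__ . '/tools/smarty/Smarty.class.php';
}

function render(string $template, array $vars): string
{
    $smarty = new Smarty();
    // The module assigns untrusted data (order references, customer names,
    // API response fields) to templates, so output escaping must be explicit.
    foreach ($vars as $k => $v) {
        $smarty->assign($k, $v);
    }
    return $smarty->fetch('string:' . $template);
}

// A value carrying markup, as a customer-controlled field could.
$vars = ['amazon_order_ref' => 'P01-<b>not a reference</b>"'];

// Unescaped: the markup in the value becomes part of the admin page.
$unsafe = render('<td>{$amazon_order_ref}</td>', $vars);

// Escaped: htmlall turns <, >, ", & into entities, so the value is shown as text.
$safe = render('<td>{$amazon_order_ref|escape:\'htmlall\':\'UTF-8\'}</td>', $vars);

echo "unescaped: $unsafe\n";
echo "escaped:   $safe\n";
```

The admin templates listed above are viewed by merchants with a logged-in back-office session, which is exactly where a stored value carrying markup does the most damage, so the modifier belongs on every variable they print.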
On the configuration page, your warning message is displayed even though I have the proper version (1.6.1.1 here). But be careful, the potential number of merchants using your module will be greatly limited if you keep this restriction on the PrestaShop version.
Here is a suggestion if you want a solution for the older versions, which can replace hookActionCustomerLogoutAfter:
public function hookDisplayHeader($params)
{
    [...]
    // The version test can even be removed if you want
    if (version_compare(_PS_VERSION_, '1.6.1.1', '<')
        && isset($this->context->cookie->amz_access_token)
        && !$this->context->customer->isLogged()) {
        // Customer is no longer logged in: drop the Amazon session data
        unset($this->context->cookie->amz_access_token);
        unset($this->context->cookie->amazon_id);
        unset($this->context->cookie->amz_js_string);
    }
    [...]
}
On this page, it would be great to have the whole button clickable, like we can do with the other payment options.
Hi,
I have just checked the main class of the module and there are many points to fix:
In the install() function, do NOT alter core tables, because it can cause issues during PrestaShop upgrades. Please create another table for your columns, joined by the order id or customer id.
Because fixing these points will change a whole part of your code, I'll wait for them to be fixed before going further in the code review.
However, I'll make a functional test later.
Best regards
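The table layout the reviewer asks for, as an added example that is not part of the module: install() creates a table owned by the module and keyed by id_order, uninstall() drops it, and the order data is read back with a join, so no core column is added or removed. It assumes the PrestaShop module context (PaymentModule, Db, _DB_PREFIX_, _MYSQL_ENGINE_); the class, table and column names are constructed for the example.

```php
<?php
// Added example (not module code). Assumes the PrestaShop module context.
// Class, table and column names are constructed for this example.

class AmzPaymentsExample extends PaymentModule
{
    public function install()
    {
        return parent::install()
            && $this->installDb()
            && $this->registerHook('displayHeader');
    }

    public function uninstall()
    {
        return Db::getInstance()->execute(
            'DROP TABLE IF EXISTS `' . _DB_PREFIX_ . 'amz_order_data`'
        ) && parent::uninstall();
    }

    private function installDb()
    {
        // Own table joined to ps_orders on id_order; ps_orders itself is untouched,
        // so a core upgrade that rewrites that table cannot collide with the module.
        $sql = 'CREATE TABLE IF NOT EXISTS `' . _DB_PREFIX_ . 'amz_order_data` (
            `id_order` INT UNSIGNED NOT NULL,
            `amazon_order_reference` VARCHAR(64) NOT NULL,
            `status` VARCHAR(32) NOT NULL,
            `date_add` DATETIME NOT NULL,
            PRIMARY KEY (`id_order`)
        ) ENGINE=' . _MYSQL_ENGINE_ . ' DEFAULT CHARSET=utf8';
        return Db::getInstance()->execute($sql);
    }

    // Module data for an order, fetched with a join instead of a core column.
    public static function getOrderData(int $id_order)
    {
        return Db::getInstance()->getRow(
            'SELECT o.`reference`, a.`amazon_order_reference`, a.`status`
             FROM `' . _DB_PREFIX_ . 'orders` o
             INNER JOIN `' . _DB_PREFIX_ . 'amz_order_data` a ON a.`id_order` = o.`id_order`
             WHERE o.`id_order` = ' . (int) $id_order
        );
    }
}
```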
We are facing the following issues:
Regards
Bernd.
Is this the same module currently included in Prestashop?
I ran into an issue with that module not recording any transactions with Google Analytics (other payment modules do so fine), so I'm curious if this one is worth a try or if the Prestashop included one is the latest version of this.
The module uses overrides but since it's a partner module it's forbidden.
In the hookDisplayHeader() method jQuery 1.12 is being hard-loaded again even though $this->context->controller->addJquery(); is being called right at the beginning of the function. Removing the string which loads jQuery 1.12 results in "jQuery is not a function" errors and the button not appearing.
My issue with this is the unnecessary extra load time, especially since it is loaded on every page (i.e. landing pages on which speed matters and Amazon Pay does not need to be loaded at all) and the jQuery CDN is unreliable (regarding speed...).
I realize I can exclude the module from the header hook for index, category and product pages through the PrestaShop "positions" tool but would like a less "workaroundy" solution. Thanks for the otherwise great module!