There's a lot of commented section all over the module. I think it could be cleaned up a little bit to make the code more readable and cleaner:

Here's a list (maybe not exaushtive) of the ones I could found while reviewing:

bpostshlm.php:

https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L103
https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L108
https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L266
...

(Other lines where I found comments that could be removed)

313/338-449
695/760-769/791/832-870
876/916-919/930/939-941
998-999/1073/1084-1085
1166/1168/1187/1201-1202
1228/1259

AdminOrdersBpost.php:

https://github.com/PrestaShop/bpostshm/blob/master/AdminOrdersBpost.php#L97-118
https://github.com/PrestaShop/bpostshm/blob/master/AdminOrdersBpost.php#L203-207
https://github.com/PrestaShop/bpostshm/blob/master/AdminOrdersBpost.php#L526
...

(Other lines where I found comments that could be removed)

617-624/661-663/674
686/700/728-736
849-851/1085

Hi @Stigmi,

When I validate my order, two little php warnings come to my error log, here they are :

[23-Feb-2015 17:49:29 Europe/Paris] PHP Notice:  Undefined index: company in /Users/tchauviere/www/prestashop_16011/modules/bpostshm/classes/Service.php on line 316
[23-Feb-2015 17:49:29 Europe/Paris] PHP Notice:  Undefined index: company in /Users/tchauviere/www/prestashop_16011/modules/bpostshm/classes/Service.php on line 316

Hello,

When Prestashop is set to have SSL enable, but not on all pages, the order confirmation process is secured by SSL.

But the bpostshm module does not consider this. When you have to select a delivery point (either @bpost or @24/7), the module opens a fancybox that calls to non-HTTPS elements. Browser security policy will block all these calls.

So this module is mostly non-working with HTTPS-enabled Prestashops.

Hi @Stigmi,

Please find below the list of little bugs I found while I was doing functionnals tests on your module with latest commits:

Functionnal Test Review:

• 1. I think there's a bug with the "Fancyboxed forms when selecting a "Home Delivery" and you don't have yet an account, no matter which phone number I put in it, it tells me that my field is not validated (*** on screen are on purpose, there was a true french mobile phone number when tested)

  

Hi,
It seems impossible to have the description of the carrier module translated (we need support from 1.4 to 1.6). Same goes for the name and description of the carriers.

Is there a special trick or workaround to fix this or is this a permanent issue?
Thank you

Hello,

We would like to commit the new 1.21 version but we did not manage to do so.

commands:

git checkout -b newdev
git push origin newdev

full error:

remote: Permission to PrestaShop/bpostshm.git denied to [email protected].
fatal: unable to access 'https://github.com/PrestaShop/bpostshm.git/': The requested URL returned error: 403

Could you tell us where/how we are supposed to commit the upgrade?
Thank you

Here are some few enhancements that can be done to improve module stability:

• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L223:
  Please use Tools::file_exists_cache() instead of file_exists
• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L257:
  Cast $group['id_group']; into (int)
• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L263-264
  https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L452
  $id_carrier is not cast to (int)
  Once you have done “new Carrier()”, please check if the object is well loaded with “Validate::isLoadedObject($carrier)” and add error message if needed
• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L271-277:
  Cast “$lang_fields['name'];” to (string)
  Cast “$carrier->save()” to (int)
• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L302
  Missing double (int) cast “if ($country->id_zone != $id_zone_be)”
• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L478:
  OrderState::getOrderStates($this->context->language->id);
  Missing (int) cast + Method can return false since it depends of the result of a Db::getInstance()->executeS(); you should verify that $order_states is the array you expect and add error message if needed
• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L487:
  $id_order_state is not cast to (int)
  Once you have done “new OrderState()”, please check if the object is well loaded with “Validate::isLoadedObject($order_state)” and add error message if needed
• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L645:
  $id_tab is not cast to (int)
  Once you have done “new Tab()”, please check if the object is well loaded with “Validate::isLoadedObject($id_tab)” and add error message if needed
• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L662:
  Consider using Tools::copy instead of copy()
• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L824-828:
  Maybe here you could use constants to make the code more readable.
• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L885-889:
  You should check the return value of object->save() method and display errors if needed
• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L1098:
  Once you have done “new Address()”, please check if the object is well loaded with “Validate::isLoadedObject($delivery_address)” and skip to the next iteration if required
• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L1275/1277:
  (int) cast missing
• https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L1405-1411:
  getOrderShippingCostExternal() method empty and unsued, remove it if unecessary

If the shop has multiple language activated, you will have an array instead of a string here:
https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L876

And this will cause the following:

The workaround is to do the following:

$country = new Country((int)$id_country, (int)$this->context->employee->id_lang);

• https://github.com/PrestaShop/bpostshm/blob/master/AdminOrdersBpost.php#L15-19:
  This verification is not required, since this file should never be called when running on 1.5+
• https://github.com/PrestaShop/bpostshm/blob/master/AdminOrdersBpost.php#L1144-1152:
  PHP doc should before method declaration, not inside
• https://github.com/PrestaShop/bpostshm/blob/master/AdminOrdersBpost.php#L1142-1276
  Method displayListContent():
  As a general comment, you will need to refactorize this part.
  You have too much html in this method, please use templates and smarty to make it more readable and clear.
  In another hand, please use “backward_compatiblity” to access globals you set at the begining of this method via $this->context;

I used your test credentials and tested to make a simple order on my test shop, and when I get to carrier selection I have this error:

Everything is back to normal when uninstalling/disabling module.

FYI: I tried with all settings to their default values, maybe there's something I didnt do well ?

Is this message really blocking for the module to work properly ?
If its optional please make it a warning (yellow) box instead of an error box (red).

You cant use exit statement here:
https://github.com/PrestaShop/bpostshm/blob/master/bpostshm.php#L124-125

It would lead to a blank page if merchant doesnt have curl on his server.

The good way is to do somehting like this:

 if (!extension_loaded(‘curl’))
{
    $this->_errors[] = $this->l('This module requires CURL to work properly');
    return false;
}

This way a merchant fallback on module page and an error message is displayed.

Once module installed I have the following error:

Hello,

The folder http://YOUR-PRESTA/modules/bpostshm/pdf/ is not protected. It contains all generated stickers with addresses of clients.

You should at least add an empty index.php file in the folder, but even then the filename structure is pretty easy to guess. Filenames should be obfuscated or every query should be checked against credentials (using .htaccess?).

Bonjour,

Pour faire suite à mes emails, bpost m’a remonté cette demande obligatoire formulée par PrestaShop pour leur module et je ne sais pas quoi en faire :

“In order to scale the benefits of our partnership, you need to track every Prestashop merchant account (even if they did'nt use the landing page because we will promote your on brochures, conferences, via our Telesales, etc. so all merchants will not necessarily know about the landing page).
In the module itself, you have to insert a code enabling you to track the Prestashop stores.”

Pourrais-je avoir des précisions sur ce qui est attendu ?
Merci

I think that it could be nice to write "BPost Orders" instead of only "bpost".

When I tried to save with this option selected:

I got the following error:

Unsafe unserialize call

/AdminOrdersBpost.php:1079 $value = unserialize($value);
Replace serialize/unserialize call with json_encode/json_decode

Unsafe include

/controllers/admin/AdminOrdersBpost.php:308
/AdminOrdersBpost.php:254

check $iso_code ^[a-z]{2}$

Unsafe SQL

/classes/Service.php:1272 $iso_list array_map + pSQL
/classes/lib/Ps/OrderBpost.php:153 $reference add pSQL
/classes/lib/Ps/OrderBpost.php:221, 252, 306 intval()

/AdminOrdersBpost.php:98 $id_bpost_carriers array_map + intval
/controllers/admin/AdminOrdersBpost.php:105 $id_bpost_carriers array_map + intval

Potential XSS

Escape using Tools::safeOutput()

/AdminOrdersBpost.php
:1086 $value[0] (isCleanHtml may not protect a variable without html displayed in an attribute)
:1088 $value[1]
:934,1026,1029,1184,1197,1203 $current_index
:937,995,1027,1030,1185,1199,1205 $token
:571 $option (please recheck because it may break something if $option contains html)

/controllers/admin/AdminOrdersBpost.php
:668 $option (please recheck because it may break something if $option contains html)

Escape with smarty |escape

/views/templates/front/lightbox-point-list.tpl
:13 postcode
:15 city

/views/templates/front/lightbox-at-247.tpl
:47 remove 'javascript' argument of escape call
:52 gender->id gender->name
:59 firstname
:64 lastname
:69 street
:74 number
:79 postal_code
:84 locality
:89 birthday
:94 email
:99 mobile_phone
:106 $_language['lang'] $_language['name']

/views/templates/admin/settings.tpl
:24 error
:87 account_id_account
:99 account_passphrase
:111 account_api_url
:208 opt['title']

/views/templates/admin/orders_bpost/helpers/list/list_action_option.tpl
:8 href|urldecode
:9 disabled

/views/templates/admin/orders_bpost/helpers/list/list_content.tpl
most of the variables aren't escaped, please escape them all

example line 3 : id="tr_{$id_category}{$tr.$identifier}{if isset($tr.position['position'])}{$tr.position['position']}{else}0{/if}
escape id_category, $tr.$identifier and $tr.position['position']

/views/templates/admin/orders_bpost/helpers/list/list_footer.tpl
:14
:61
:83 $list_id $value
:88
:156
:157
:190 $reload_href in comment : "All smarty escape attempts FAIL!!" did you try escape:'javascript' ?
:230 replace escape with escape:'javascript'
:231 replace escape with escape:'javascript'
:460 escape:'javascript'

/views/templates/admin/orders_bpost/helpers/list/list_footer14.tpl
remove if deprecated file, otherwise, escape all call to <?php echo with Tools::safeOutput

/views/templates/admin/orders_bpost/helpers/list/list_header.tpl
13 escape:'javascript'
14 escape:'javascript'
23 escape:'javascript'
24 escape:'javascript'
32 escape:'javascript'
33 escape:'javascript'
66
135 $currentIndex $identifier
137 $currentIndex $identifier
173 $key
193 params.filter_key key params.width
243 escape:'javascript'
250 to 262 replace all escape with escape:'javascript'
290
293
301
307
309
330 to 381 replace all escape with escape:'javascript'
385
389
396
420 identifier list_id
423 identifier list_id
468
475
480 to 502 replace all escape with escape:'javascript'
506
510
516

Hi,

I re uploaded the module on PrestaShop's Validator, and you still have a couple of things to correct.

All sections reports needs to be fixed (mainly "Standards") except for "Structure" since putting your folders js/css/img into views' folder is valid.