When a payment is cancelled or paid via eCheck, PayPal returns the user to the cancelURL, which is in fact the same as the returnURL. These cancelled payments are handled as payments without credentials (PayPalGateway.php line 148). This leads to a payment failure, which means that the payment is marked as failed. So far so good.
But think of a payment which was successful - thus marked as dispatched and paid. When a user calls the Complete function again with the same payment id, the payment is marked as a failure because of missing credentials. In that case swipestripe/payment marks the previously successful payment as unpaid and the order as processing. There is even a message sent to the customer saying that the already paid payment is unpaid.
Actually we had this issue when a user called the payment URL twice, because QuickView on Safari (preview of most viewed sites) tries to reload that page again.
Unfortunately this even happens when a payment id is given and there is no payer id and no token. This means you can set all payments in the shop by firing brute-force queries at a range of ids.
Probably it would be better to set the cancelURL to a separate URL/Controller function and handle it separately.
@innomedia thanks for raising this issue. It has been a while since I last looked at this module. Do you have a patch for this issue? A pull request would be very welcome!
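One way to close the hole reported in this issue, as an added example that is not code from the module or from either participant: the return and cancel handlers share a guard that refuses to touch a payment unless the request carries the token stored for it and the payment is still pending. The class names, status values and the idea of storing the checkout token on the payment are assumptions made for the illustration.

```php
<?php
// Added illustration: names and statuses are hypothetical, not swipestripe's API.
final class Payment
{
    public const PENDING = 'Pending';
    public const SUCCESS = 'Success';
    public const FAILURE = 'Failure';
    public string $status = self::PENDING;

    // Assumption: the token issued at checkout is stored with the payment.
    public function __construct(public int $id, public string $token) {}
}

final class ReturnHandler
{
    /** @param array<int, Payment> $payments keyed by payment id */
    public function __construct(private array $payments) {}

    // Shared guard: returns the payment only if the request may change its state.
    private function guard(int $id, ?string $token): Payment|string
    {
        $p = $this->payments[$id] ?? null;
        if ($p === null || $token === null || !hash_equals($p->token, $token)) {
            return 'rejected';   // unknown id or wrong/missing token: touch nothing
        }
        // A replayed request must not downgrade a payment that already finished.
        return $p->status === Payment::PENDING ? $p : 'ignored';
    }

    // returnURL handler. Assumption: a non-null payer id stands in for the
    // server-side confirmation a real gateway integration performs here.
    public function complete(int $id, ?string $token, ?string $payerId): string
    {
        $p = $this->guard($id, $token);
        return is_string($p) ? $p
            : ($p->status = $payerId !== null ? Payment::SUCCESS : Payment::FAILURE);
    }

    // cancelURL handler on its own route, behind the same guard.
    public function cancel(int $id, ?string $token): string
    {
        $p = $this->guard($id, $token);
        return is_string($p) ? $p : ($p->status = Payment::FAILURE);
    }
}

// Constructed sample: payment 42 already succeeded, then the page is reloaded.
$paid = new Payment(42, 'constructed-token');
$paid->status = Payment::SUCCESS;
$handler = new ReturnHandler([42 => $paid]);
echo $handler->complete(42, null, null), ' / ',
     $handler->cancel(42, 'constructed-token'), ' / ', $paid->status, PHP_EOL;
```

The first call models the reload without payer id or token, the second a replay that does carry the right token; neither changes the stored status, so no "unpaid" notification would be triggered.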