Payment Gateways Blocked in v5.0.1 +


Phil

Mar 15, 2010, 3:22:05 PM
to In-Portal Bugs Team
Hello guys,

as per my searches, all in-commerce installs from 5.0.1 feature a new
security measure, a .htaccess in in-commerce/units.

This .htaccess is just a "deny from all", and thus all payments done
via gateways can't escape the "incomplete" state, as the notify script
isn't reachable from front.

I propose to add an exclude for notify_scripts directory.

Phil.

Phil

Mar 15, 2010, 3:30:18 PM
to In-Portal Bugs Team
Additionally, when I de-activate the .htaccess, I obtain a "you are
not authorized to perform this action" message when I click on the "return
to store" button in the gateway window, while the payment correctly
appears in the "To Ship" tab.

Alexander Obuhovich

Mar 15, 2010, 4:28:52 PM
to in-port...@googlegroups.com
Maybe that .htaccess rule should be inverted to allow from all

--
You received this message because you are subscribed to the Google Groups "In-Portal Bugs Team" group.
To post to this group, send email to in-port...@googlegroups.com.
To unsubscribe from this group, send email to in-portal-bug...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/in-portal-bugs?hl=en.




--
Best Regards,

http://www.in-portal.com
http://www.alex-time.com

Phil

Mar 15, 2010, 4:45:29 PM
to In-Portal Bugs Team
Isn't that the same as removing the .htaccess completely?

Unauthorized access to payment processing files could lead to a security
problem, if someone tries to POST info about orders, couldn't it? That's
why I would prefer to have an exclude, or a .htaccess for the notify
scripts directory, up to you ^-^

And the "you are not allowed to perform this action" message is still there
when we are back on the website to display the checkout success page.
More info: the user is logged off when I see this page.

p.

On 15 mar, 21:28, Alexander Obuhovich <aik.b...@gmail.com> wrote:
> Maybe that .htaccess rule should be inverted to allow from all

Alexander Obuhovich

Mar 15, 2010, 5:03:17 PM
to in-port...@googlegroups.com
If the .htaccess from one of the parent directories also implied a mass deny, then setting an allow rule in the end folder will help. Yes, payment gateway processing scripts should be accessible to everyone. For example the default in-commerce/gw_notify.php is visible to everyone.


Phil ..:: domicilis.biz ::..

Mar 15, 2010, 5:46:59 PM
to in-port...@googlegroups.com
Yes, gw_notify needs to be accessible, but the "units" dir and its subdirs shouldn't be, while the "notify" dir should be, right?

I've found this error reading apache logs, but I have no idea why users are now logged off and have this error message...

2010/3/15 Alexander Obuhovich <aik....@gmail.com>

Dmitry Andrejev

Mar 15, 2010, 5:56:49 PM
to in-port...@googlegroups.com
Hi Phil,

Correct, this seems to be a bug.

Create a .htaccess file under in-commerce/units/gateways/gw_classes/notify_scripts/
with the following content:

allow from all

I have created a task for 5.0.3 here:

623: Open access to Gateways Notification scripts by adding .HTACCESS

DA
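As an added illustration, not taken from the thread or from In-Portal's own files, here are the two .htaccess files side by side as Apache 2.2 access rules: the 5.0.1 lock-down of units/ and the re-opening of only the notify_scripts directory that Dmitry describes. The file paths are relative to the In-Portal install root.

```apache
# File: in-commerce/units/.htaccess
# The 5.0.1 lock-down: nothing under units/ is served directly.
# (Apache 2.2 mod_authz_host syntax, which a 2010 install would use;
#  on 2.4 these directives still work via mod_access_compat, or use
#  "Require all denied" instead.)
Order deny,allow
Deny from all

# File: in-commerce/units/gateways/gw_classes/notify_scripts/.htaccess
# Re-opens only the gateway callback directory. Apache 2.2 does not
# merge Order/Allow/Deny between directory levels: the most specific
# .htaccess replaces the parent's rules, so this allow wins here while
# every other subdirectory of units/ stays denied.
# ("Require all granted" is the 2.4 equivalent.)
Order allow,deny
Allow from all
```

To confirm the two rules interact as intended, request a file directly under units/ (expect 403) and a script under notify_scripts/ (expect anything but 403) from outside the server before switching a live gateway back on.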

Phil ..:: domicilis.biz ::..

Mar 15, 2010, 6:17:20 PM
to in-port...@googlegroups.com
Hi Dmitry,

Thank you for your reply, and for the task to correct it.

Please note, as described before, that the order process on the front-end is NOT completing, and leads users to an error message and they are logged off; any idea on this?
For info, when the order was successful on the front-end but not completed in admin, we didn't have this problem on the front.

Phil.


2010/3/15 Dmitry Andrejev <dand...@gmail.com>

Dmitry Andrejev

Mar 15, 2010, 6:28:19 PM
to in-port...@googlegroups.com
Hi Phil,

Did you try now with the new .htaccess?

DA.

Phil ..:: domicilis.biz ::..

Mar 15, 2010, 7:29:45 PM
to in-port...@googlegroups.com
Hi Dmitry,

I've done my tests without any .htaccess, and as I said in my posts, this time the order is correctly received and appears in "to ship", meaning that the notify script has been executed.
It works even without going back to the website, meaning that the automatic return link from the gateway server to In-Portal works perfectly.

Dmitry Andrejev

Mar 15, 2010, 7:42:03 PM
to in-port...@googlegroups.com
Phil,

I am still confused what's not working then...

DA

Phil ..:: domicilis.biz ::..

Mar 15, 2010, 7:52:56 PM
to in-port...@googlegroups.com
Dmitry,

Here is the summary:

- when "deny from all" is set up in the units folder:
  - orders successfully paid stay as incomplete (and the cart isn't emptied)
  - the customer gets a "thank you for your order" message (checkout_success tpl)

- when there is NO .htaccess in the units folder:
  - orders paid are processed and are in the "to ship" state (and the cart is emptied)
  - customers are logged out, and surely because of that, the customer
    gets a "you are not allowed to perform this action" message
    (in-commerce/no_permission.html?next_template=in-commerce/checkout/checkout_success)
    instead of the checkout success page

Do you have an in-commerce install to do your own tests? The result
should be the same using all types of gateways, as it seems to be a
problem after the GW action.
I can provide you access to a live website to test this if you don't
have a test install.

Phil.

2010/3/16 Dmitry Andrejev <dand...@gmail.com>:

Dmitry Andrejev

Mar 15, 2010, 8:34:33 PM
to in-port...@googlegroups.com
Thanks for the clarification Phil,

We'll do these tests on 5.0.3 in a day or so and will update you.

DA.

Phil ..:: domicilis.biz ::..

Mar 15, 2010, 8:44:33 PM
to in-port...@googlegroups.com
OK, if you need any help in testing, I can provide you a real and
fully set up env.

2010/3/16 Dmitry Andrejev <dand...@gmail.com>:
