[PayPalPayment] Authorisation Code


dio5

Nov 10, 2009, 5:43:41 AM
to SilverStripe Development
Hey list,

while trying to get (PayPal)Payment (trunk) to work with E-commerce
(trunk), I've come across something I fail to understand.

PayPalPayment has an 'AuthorisationCode' db-field.

This is sent to PayPal through the PaypalForm using

    $inputs['custom'] = $this->ID . '-' . $this->AuthorisationCode;

Then on returning from PayPal, this is part of the $_REQUEST['custom']:

    function complete() {
        if(isset($_REQUEST['custom']) && $custom = $_REQUEST['custom']) {
            $params = explode('-', $custom);
            if(count($params) == 2) {
                if($payment = DataObject::get_by_id('PayPalPayment', $params[0])) {
                    if($payment->AuthorisationCode == $params[1]) {
                        if(isset($_REQUEST['payment_status']) && $_REQUEST['payment_status'] == 'Completed') {
                            $payment->Status = 'Success';
                            $payment->TxnRef = $_REQUEST['txn_id'];
                        }
                        else {
                            $payment->Status = 'Failure';
                        }

                        $payment->write();
                        $payment->redirectToOrder();
                    }
                }
            }
        }
    }

However: nowhere in the trunk code can I see where AuthorisationCode
is being set.

As a result, $params[1] is never set and nothing of this ever happens,
resulting in an error and never a 'completed' transaction.
$_REQUEST['custom'] is always like '5-' or '23-'...

Anything I'm missing here?

Someone on IRC apparently had this problem too and changed the code,
set the AuthorisationCode on the form as the order uid:

$this->AuthorisationCode = $order->UID;
$this->write();

in the PaypalForm.

However, what is the real purpose of AuthorisationCode? I cannot see
it working as currently implemented in trunk.

I've posted this on the forum as well:
http://silverstripe.org/e-commerce-module-forum/show/272955

Michael Mitchell

Nov 10, 2009, 4:48:02 PM
to silverst...@googlegroups.com
This piece of code in the PayPal Module is VERY VERY insecure and does not actually use PayPal IPN to check if the payment has been completed securely and properly. Using this payment module a fake payment can be injected to SilverStripe VERY easily. Unless you can implement PayPal IPN yourself I would stay well away from using PayPal with SilverStripe. Also, I would recommend anyone using PayPal in any live website disable it until it is fixed.

I have a fix at home that needs some tidying up but I am out of town, I will try getting it on here this evening.

Regards, Mike
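
One way the return handling discussed in this thread could be hardened, as an added example that is not part of any post here and is not the module's code or the fix mentioned above. The function names, the `$payment` array with its `Amount` and `Currency` keys, and the injected `$postBack` transport are hypothetical; the sample data is constructed.

```php
<?php
// Added example. $payment is a hypothetical array standing in for the record.

// Set when the payment record is created, before the form is sent to PayPal.
function newAuthorisationCode(): string {
    return bin2hex(random_bytes(16)); // hex only, so '-' stays a safe separator
}

// Ask PayPal whether it really sent this notification. $postBack is an
// injected transport (assumption) that POSTs the body to PayPal's IPN
// validation endpoint over HTTPS and returns the response text.
function ipnIsVerified(string $rawBody, callable $postBack): bool {
    return trim($postBack('cmd=_notify-validate&' . $rawBody)) === 'VERIFIED';
}

// Returns the new Status, or null when the message must be ignored.
function statusFromIpn(string $rawBody, array $payment, callable $postBack): ?string {
    if (!ipnIsVerified($rawBody, $postBack)) {
        return null;
    }
    parse_str($rawBody, $f);
    $params = explode('-', $f['custom'] ?? '');
    if (count($params) !== 2 || $params[0] !== (string) $payment['ID']) {
        return null;
    }
    // An empty stored code must never match (the '5-' case).
    $stored = (string) $payment['AuthorisationCode'];
    if ($stored === '' || !hash_equals($stored, $params[1])) {
        return null;
    }
    // mc_gross and mc_currency are standard IPN variables, not shown on the page.
    $paid = ($f['payment_status'] ?? '') === 'Completed'
        && ($f['mc_gross'] ?? '') === $payment['Amount']
        && ($f['mc_currency'] ?? '') === $payment['Currency'];
    return $paid ? 'Success' : 'Failure';
}

// Constructed sample data; the stubs stand in for the HTTPS call to PayPal.
$payment = ['ID' => 5, 'AuthorisationCode' => newAuthorisationCode(),
            'Amount' => '19.95', 'Currency' => 'NZD'];
$body = http_build_query(['custom' => '5-' . $payment['AuthorisationCode'],
    'payment_status' => 'Completed', 'txn_id' => 'TXN-CONSTRUCTED',
    'mc_gross' => '19.95', 'mc_currency' => 'NZD']);
$verified = function (string $b): string { return 'VERIFIED'; };
$invalid  = function (string $b): string { return 'INVALID'; };
var_dump(statusFromIpn($body, $payment, $verified)); // PayPal confirms the message
var_dump(statusFromIpn($body, $payment, $invalid));  // PayPal does not confirm it
$payment['AuthorisationCode'] = '';                  // code was never set
var_dump(statusFromIpn('custom=5-&payment_status=Completed', $payment, $verified));
```

The status is derived only from a notification PayPal has confirmed, so the browser redirect back to the site can show the order page without writing `Status` itself.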

Nicolaas Thiemen Francken - Sunny Side Up

Nov 10, 2009, 9:18:50 PM
to silverst...@googlegroups.com
That is great Michael. You are absolutely right, it is very insecure.
The way this usually works is that the website owner physically checks
with PayPal that the funds have arrived. They review the payer
details, etc... Thus in other words, they do a physical check to make
sure that everything is in order with any payments. I personally
think this is a good idea, because checking if the money arrived
physically in your bank account also resolves a lot of other potential
risks along the way.

Thanks again for helping out here.

Nicolaas

--
Nicolaas Thiemen Francken
Director - Sunny Side Up Ltd
skype: atyourservicehour
Phone: +64 4 889 2773
n...@sunnysideup.co.nz
http://www.sunnysideup.co.nz
- client login: https://rakau.updatelog.com/
- new quotes: http://www.sunnysideup.co.nz/services
- please support: http://www.localorganics.net/
- newsletter: http://www.sunnysideup.co.nz/contact
- R&D website: http://silverstripe-webdevelopment.com