Hi,
A user who is not logged in can change the order status by calling a specific URL.
Thus: A customer places an order.
Order is paid so status changes to confirmed.
Shop manager changes status to shipped.
A few days later, the shop manager gets an e-mail that says: Status changed to confirmed.
We figured out that calling this URL changes the status:
/index.php?option=com_virtuemart&view=pluginresponse&task=pluginresponsereceived&pm=5&order_id=0d2a0148&order_code=UnK5pugz10yygRMr5kDGE7p2HKc2FHgp
The plugin called is from icepay. Probably the callback URL for a successful payment...
What to do?
Is it a bug in virtuemart or the plugin?
VM 2.6.16 on Joomla 2.5.28
One assumes the order was previously "Confirmed"
I looked at the icepay plugin and it looks well coded - the exchange of info is hashed against a secretcode (producing e.g. this.. order_code=UnK5pugz10yygRMr5kDGE7p2HKc2FHgp )
I would check the server logs to see if this url was hit multiple times
(search for 'option=com_virtuemart&view=pluginresponse&task=pluginresponsereceived&pm=5&order_id=0d2a0148' in the logs)
if so one assumes they tried various hashes of SUCCESS until it worked .. otherwise they already knew the secretcode
otherwise the url was just "found" and re-called - resetting the status...
I do notice that in the plugin there is no check for the current status... so maybe u can contact icepay and ask if they first check the status for logic (i.e. if shipped can't be Confirmed) b4 calling
$modelOrder = new VirtueMartModelOrders();
$order = array();
$order['order_status'] = $new_status;
$order['virtuemart_order_id'] = $icepay->getOrderID();
$order['comments'] = JTExt::_($icepay->getTransactionString());
$order['customer_notified'] = 1; //Wont send an e-mail though, buggy virtuemart stuff
$modelOrder->updateStatusForOneOrder($icepay->getOrderID(), $order, true);
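
The log check suggested in the reply above, written out as an added example (not part of the original posts and not icepay or VirtueMart code): it groups `pluginresponsereceived` requests per `order_id` and separates a re-called URL from a series of different `order_code` values. It assumes an Apache/nginx "combined" access log; the function names, order ids, codes and IP addresses are constructed for illustration, and the labels are a heuristic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" log format (not real traffic).
CB = "/index.php?option=com_virtuemart&view=pluginresponse&task=pluginresponsereceived&pm=5"
SAMPLE_LOG = "\n".join([
    f'198.51.100.7 - - [02/Mar/2015:10:01:12 +0100] "GET {CB}&order_id=aaaa1111&order_code=CODE-A HTTP/1.1" 200 512',
    f'198.51.100.7 - - [02/Mar/2015:11:30:02 +0100] "GET {CB}&order_id=bbbb2222&order_code=CODE-B HTTP/1.1" 200 512',
    '192.0.2.44 - - [03/Mar/2015:09:00:00 +0100] "GET /index.php?option=com_virtuemart&view=cart HTTP/1.1" 200 900',
    f'203.0.113.9 - - [06/Mar/2015:08:15:40 +0100] "GET {CB}&order_id=bbbb2222&order_code=CODE-B HTTP/1.1" 200 512',
    f'203.0.113.9 - - [06/Mar/2015:08:20:01 +0100] "GET {CB}&order_id=cccc3333&order_code=TRY-1 HTTP/1.1" 200 512',
    f'203.0.113.9 - - [06/Mar/2015:08:20:02 +0100] "GET {CB}&order_id=cccc3333&order_code=TRY-2 HTTP/1.1" 200 512',
    f'203.0.113.9 - - [06/Mar/2015:08:20:03 +0100] "GET {CB}&order_id=cccc3333&order_code=TRY-3 HTTP/1.1" 200 512',
])

# client IP, timestamp, request target
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')

def callback_hits(log_text):
    """Return {order_id: [(timestamp, ip, order_code), ...]} for callback requests."""
    orders = defaultdict(list)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, when, target = m.groups()
        q = parse_qs(urlsplit(target).query)
        if q.get("task") != ["pluginresponsereceived"] or "order_id" not in q:
            continue
        orders[q["order_id"][0]].append((when, ip, q.get("order_code", [""])[0]))
    return dict(orders)

def classify(hits):
    """Heuristic label for the callback requests seen for one order."""
    codes = {code for _, _, code in hits}
    if len(codes) > 1:
        return "guessing"  # several different order_code values were tried
    if len(hits) > 1:
        return "replay"    # the same URL was called again
    return "single"        # one hit, as expected from one payment callback

def report(log_text):
    return {oid: classify(hits) for oid, hits in callback_hits(log_text).items()}

if __name__ == "__main__":
    for oid, hits in callback_hits(SAMPLE_LOG).items():
        print(oid, classify(hits), [(when, ip) for when, ip, _ in hits])
```

For a "replay" result, compare the timestamps and client IPs of the repeated hits with the time of the unexpected status e-mail.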