Call to specific url on frontend changes order status!

Started by ronaldotto, April 12, 2015, 17:54:55 PM


ronaldotto

Hi,

A not-logged-in user can change the order status by calling a specific url.
Thus: A customer places an order.
Order is paid, so status changes to confirmed.
Shopmanager changes status to shipped.

A few days later, the shopmanager gets an e-mail that says: Status changed to confirmed.

We figured out that calling this url changes the status:
/index.php?option=com_virtuemart&view=pluginresponse&task=pluginresponsereceived&pm=5&order_id=0d2a0148&order_code=UnK5pugz10yygRMr5kDGE7p2HKc2FHgp

The plugin called is from icepay. Probably the callback url for a successful payment...

What to do?
Is it a bug in virtuemart or the plugin?

VM 2.6.16 on Joomla 2.5.28


GJC Web Design

One assumes the order was previously "Confirmed".

I looked at the icepay plugin and it looks well coded - the exchange of info is hashed against a secret code (producing e.g. this.. order_code=UnK5pugz10yygRMr5kDGE7p2HKc2FHgp )

I would check the server logs to see if this url was hit multiple times

(search for 'option=com_virtuemart&view=pluginresponse&task=pluginresponsereceived&pm=5&order_id=0d2a0148' in the logs)

if so, one assumes they tried various hashes of SUCCESS until it worked .. otherwise they already knew the secret code

otherwise the url was just "found" and re-called - resetting the status...


I do notice that in the plugin there is no check for the current status... so maybe you can contact icepay and ask if they first check the status for logic (i.e. if shipped, it can't be Confirmed) before calling

// Status update as found in the icepay plugin: the new status is written
// without first loading and checking the order's current status.
$modelOrder = new VirtueMartModelOrders();

$order = array();
$order['order_status'] = $new_status;                      // status reported by the callback
$order['virtuemart_order_id'] = $icepay->getOrderID();
$order['comments'] = JText::_($icepay->getTransactionString());
$order['customer_notified'] = 1; // Won't send an e-mail though, buggy virtuemart stuff
$modelOrder->updateStatusForOneOrder($icepay->getOrderID(), $order, true);
GJC Web Design
VirtueMart and Joomla Developers - php developers https://www.gjcwebdesign.com
VM4 AusPost Shipping Plugin - e-go Shipping Plugin - VM4 Postcode Shipping Plugin - Radius Shipping Plugin - VM4 NZ Post Shipping Plugin - AusPost Estimator
Samport Payment Plugin - EcomMerchant Payment Plugin - ccBill payment Plugin
VM2 Product Lock Extension - VM2 Preconfig Adresses Extension - TaxCloud USA Taxes Plugin - Virtuemart  Product Review Component
https://extensions.joomla.org/profile/profile/details/67210
Contact for any VirtueMart or Joomla development & customisation
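As an added example (not the icepay plugin's code and not GJC's), this PHP sketch shows the two checks the reply asks for: a constant-time check of order_code before anything is trusted, and a transition table that refuses to move a shipped order back to confirmed. The status letters, the HMAC derivation of order_code and the helper names are assumptions for illustration, not the plugin's real scheme.

```php
<?php
// Added example, not the icepay plugin's code: guard a payment callback
// against a replayed or re-called url by (1) verifying order_code in
// constant time and (2) refusing status transitions that go backwards.

// Assumed status codes (P = pending, C = confirmed, S = shipped,
// R = refunded, X = cancelled); adjust to the shop's real codes.
const ALLOWED_TRANSITIONS = [
    'P' => ['C', 'X'],   // pending may become confirmed or cancelled
    'C' => ['S', 'R'],   // confirmed may become shipped or refunded
    'S' => ['R'],        // shipped may only be refunded, never confirmed again
];

function isAllowedTransition(string $current, string $new): bool {
    return in_array($new, ALLOWED_TRANSITIONS[$current] ?? [], true);
}

// Assumed derivation: order_code = HMAC(order id, per-shop secret).
// The real plugin's derivation may differ; the point is the comparison.
function expectedOrderCode(string $orderId, string $secret): string {
    return hash_hmac('sha256', $orderId, $secret);
}

function verifyOrderCode(string $given, string $orderId, string $secret): bool {
    // hash_equals compares in constant time, so a caller cannot learn
    // the expected value byte by byte from response timing.
    return hash_equals(expectedOrderCode($orderId, $secret), $given);
}

// Returns the status to store, or null when the callback must be ignored.
function decideNewStatus(array $request, string $currentStatus, string $secret): ?string {
    $orderId = (string) ($request['order_id'] ?? '');
    if (!verifyOrderCode((string) ($request['order_code'] ?? ''), $orderId, $secret)) {
        error_log("callback rejected: bad order_code for order $orderId");
        return null;
    }
    $new = (string) ($request['new_status'] ?? '');
    if (!isAllowedTransition($currentStatus, $new)) {
        error_log("callback ignored: $currentStatus -> $new not allowed for order $orderId");
        return null;
    }
    return $new;
}

// Constructed sample: a "confirmed" callback arriving for an order that is already shipped.
$secret = 'shop-secret-placeholder';
$replay = ['order_id' => '0d2a0148', 'order_code' => expectedOrderCode('0d2a0148', $secret), 'new_status' => 'C'];
var_dump(decideNewStatus($replay, 'S', $secret)); // shipped (S) must not drop back to confirmed (C)
var_dump(decideNewStatus($replay, 'P', $secret)); // a pending order may legitimately become confirmed
```

In the real plugin the current status would be read from the order model before calling updateStatusForOneOrder, and a rejected callback should still be logged so a repeated hit on the url is visible in the server logs as suggested above.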