Child pages
  • [in-commerce] Payment Gateways Blocked [5.0.1]

Imported From: http://groups.google.com/group/in-portal-bugs/browse_thread/thread/1fa00507a6a863e2#

Hello guys,

as per my searches, all in-commerce installs from 5.0.1 feature a new security measure, an .htaccess in in-commerce/units.

This .htaccess is just a "deny from all", and thus all payments done via gateways can't escape the "incomplete" state, as the notify script isn't reachable from the front.

I propose to add an exclude for the notify_scripts directory.

Related Tasks

MINC-48 - Getting issue details... STATUS

13 Comments

  1. Additionally, when I de-activate the .htaccess, I obtain a "you are
    not authorized to perform this action" message when I click on the "return
    to store" button in the gateway window, while the payment correctly
    appears in the "To Ship" tab.
  2. Maybe that .htaccess rule should be inverted to allow from all

  3. Isn't that the same as completely removing the .htaccess?

    Unauthorized access to payment processing files could lead to a security
    problem, if someone tries to POST info about orders, couldn't it? That's
    why I would prefer to have an exclude, or a .htaccess for the notify
    scripts directory, up to you ^-^

    And the "you are not allowed to perform this action" is still there
    when we are back on the website to display the checkout success page.
    More info: the user is logged off when I see this page.

    p.

  4. If the .htaccess from one of the parent directories also implies a mass deny, then
    setting an allow rule in the end folder will help. Yes, payment gateway processing
    scripts should be accessible to everyone. For example, the default
    in-commerce/gw_notify.php is visible to everyone.

  5. Yes, gw_notify needs to be accessible, but the "units" dir and subdirs shouldn't
    be, while the "notify" dir should be, right?

    I've found this error by reading the Apache logs, but I have no idea why users are
    now logged off and get this error message...

    2010/3/15 Alexander Obuhovich <aik.b...@gmail.com>

  6. Hi Phil,

    Correct, this seems to be a bug.

    Create .htaccess file under
    in-commerce/units/gateways/gw_classes/notify_scripts/

    with the following content:

    allow from all

    I have created a task for 5.0.3 here

    623: Open access to Gateways Notification scripts by adding .HTACCESS

    DA

    On Mon, Mar 15, 2010 at 4:46 PM, Phil ..:: domicilis.biz ::.. <
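
    The two .htaccess files the thread converges on, written out here as an added example (this is not the file shipped with in-commerce, and the Apache 2.4 variants are an assumption, since the thread only shows the 2.2-style directive). The point is that the deny stays on the whole units/ tree, as comment 3 asks, and only the notification scripts directory gets the narrowest possible override:

```apache
# --- in-commerce/units/.htaccess (what 5.0.1 ships, per this thread) ---
# No explicit Order is given, so Apache 2.2 uses its default of "deny,allow":
# the Deny list is evaluated first, then Allow; with no Allow entries, every
# request for a file under units/ is refused with 403 and the error log
# records "client denied by server configuration".
Deny from all

# Apache 2.4 equivalent (assumption; needs mod_authz_core, not mod_access_compat):
# Require all denied


# --- in-commerce/units/gateways/gw_classes/notify_scripts/.htaccess (the fix from comment 6) ---
# A subdirectory .htaccess replaces the access rules inherited from units/,
# so the gateway callbacks in this directory become reachable again while
# everything else below units/ remains blocked.
Allow from all

# Apache 2.4 equivalent (assumption):
# Require all granted
```

    For either file to take effect the vhost or <Directory> block must permit these directives in .htaccess: `AllowOverride Limit` covers Order/Allow/Deny on 2.2, and `AllowOverride AuthConfig` covers `Require` on 2.4 (`AllowOverride All` covers both). A quick check after deploying: request any file directly under in-commerce/units/ and expect 403, then request a script under notify_scripts/ and expect anything other than 403; the "client denied by server configuration" lines in the Apache error log tell you which of the two rules a gateway callback actually hit.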

  7. Hi Dmitry,

    thank you for your reply, and the task for correcting.

    Please note, as described before, that the order process on the front-end is NOT
    completing, and leads users to an error message and they are logged off; any idea on
    this?
    For info, when the order was successful on the front-end but not completed in
    admin, we didn't have this problem on the front.

    Phil.

    2010/3/15 Dmitry Andrejev <dandre...@gmail.com>

  8. Hi Phil,

    Did you try now with the new .htaccess?

    DA.

    On Mon, Mar 15, 2010 at 5:17 PM, Phil ..:: domicilis.biz ::.. <

  9. Hi Dmitry,

    I've done my tests without any .htaccess, and as I said in my posts, this
    time the order is correctly received and appears in "to ship", meaning that the
    notify script has been executed.
    It works even without going back to the website, meaning that the automatic
    return link from the gateway server to in-portal works perfectly.

    Phil.

    2010/3/15 Dmitry Andrejev <dandre...@gmail.com>

  10. Phil,

    I am still confused what's not working then...

    DA

    On Mon, Mar 15, 2010 at 6:29 PM, Phil ..:: domicilis.biz ::.. <

  11. Dmitry,

    here is the summary:

    - when "deny from all" is set up in the units folder:
       - orders successfully paid stay as incomplete (and the cart isn't emptied)
       - the customer gets a "thank you for your order" message (checkout_success tpl)

    - when there is NO .htaccess in the units folder:
       - paid orders are processed and are in the "to ship" state (and the cart is emptied)
       - customers are logged out, and surely because of that, the customer
    gets a "you are not allowed to perform this action" message
    (in-commerce/no_permission.html?next_template=in-commerce/checkout/checkout_success)
    instead of the checkout success page

    Do you have an in-commerce install to do your own tests? The result
    should be the same using all types of gateways, as it seems to be a
    problem after the GW action.
    I can provide you access to a live website to test this if you don't
    have a test install.

    Phil.

    2010/3/16 Dmitry Andrejev <dandre...@gmail.com>:

  12. Thanks for clarification Phil,

    We'll do these tests on 5.0.3 in a day or so and will update you.

    DA.

    On Mon, Mar 15, 2010 at 6:52 PM, Phil ..:: domicilis.biz ::.. <

  13. ok, if you need any help in testing, I can provide you a real and
    fully set up env.

    2010/3/16 Dmitry Andrejev <dandre...@gmail.com>: