
Preimum Accounts/Paypal Help

24

Comments

  • x00 MVP
    edited February 2012

    Obviously if PayPal notifies, it won't share the same session as you, so it has little to do with the user being logged in. Obviously the site has to be reached, so it is public.

    There is no issue with the notify_url being known. If there was, PayPal wouldn't include this option. PayPal is pinged to check out the authenticity of the notification, and the transaction still has to check out.

    grep is your friend.

  • OK, if the user doesn't need to be logged in... then there is another important security bug, because I can upgrade any account from a simple HTML form.

    You only need to know the PayPal options in the "/user/upgrade" form and send them to "/user/upgrade/notify" with a simple HTML form submit. (I tested.)

    This can be avoided with a private IPN URL.

    And flexigrid doesn't show the complete payments. Maybe there is another way to show the log (e.g. HTML); flexigrid is complex.

    I am leaving the review and discussion of this plugin. Thanks : )

  • x00 MVP
    edited February 2012

    You only need to know the PayPal options in the "/user/upgrade" form and send them to "/user/upgrade/notify" with a simple HTML form submit. (I tested.)

    @solonova I'm interested, please provide steps.

    How do you get the ipn_track_id and txn_id?

    grep is your friend.

  • I can see some issue with PDT, not IPN. I will fix that.

    grep is your friend.

  • And flexigrid doesn't show the complete payments. Maybe there is another way to show the log (e.g. HTML); flexigrid is complex.

    The problem will likely be the query/data (the query uses a complex join which may produce different results). I chose flexigrid, for dynamic filtering and ordering, to try to be helpful.

    grep is your friend.

  • x00 MVP
    edited February 2012

    I want to clear up some misunderstandings:

    solonova:

    I think a private IPN will be better because in your plugin, if the user doesn't return from PayPal (for example, the user closes the browser after the PayPal payment and does not return), the payment is not registered in the Vanilla DB.

    This assessment of IPN is wrong. IPN has nothing to do with you returning.

    IPN is asymmetric to the request, it is server to server, not client to server. It has no awareness of your session.

    It also won't be spoofed, if you verify the IPN with PayPal. If you just accepted the payment that would be wrong.

    All IPN are public, this is not a closed network. Just because you can register an IPN in PayPal doesn't mean it isn't public, or they couldn't find it.

    In order for IPN to work your server has to be able to be reached.

    I fixed a PDT problem but so far this claim that IPN is spoofed is unsubstantiated.

    However, anyone, please try it. If there was a problem I would contact the guy on GitHub.

    grep is your friend.
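
The verify-before-accept flow described in the post above, as an added example that is not part of the thread or the plugin's code: the handler posts the notification back to PayPal with `cmd=_notify-validate` and only then checks the transaction fields. The function names, the sample bodies and the use of `custom` to carry a user id are assumptions; `fake_paypal` stands in for the network call so the example runs offline.

```python
import urllib.request
from urllib.parse import parse_qs

# PayPal's live IPN postback endpoint (the sandbox host is ipnpb.sandbox.paypal.com).
VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

def ask_paypal(raw_body: bytes) -> str:
    """Send the notification back unchanged, prefixed with cmd=_notify-validate."""
    req = urllib.request.Request(VERIFY_URL, data=b"cmd=_notify-validate&" + raw_body,
                                 headers={"User-Agent": "ipn-verify-example"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode().strip()  # body is "VERIFIED" or "INVALID"

def handle_ipn(raw_body, expected, seen_txns, verify=ask_paypal):
    """Return (accepted, detail); detail is the `custom` value or the reject reason."""
    # 1. Authenticity: anyone can reach the notify URL, so ask PayPal first.
    if verify(raw_body) != "VERIFIED":
        return False, "not verified by PayPal"
    f = {k: v[0] for k, v in parse_qs(raw_body.decode()).items()}
    # 2. The transaction itself still has to check out.
    if f.get("payment_status") != "Completed":
        return False, "payment not completed"
    if f.get("receiver_email", "").lower() != expected["receiver_email"].lower():
        return False, "wrong receiver"
    if (f.get("mc_gross"), f.get("mc_currency")) != (expected["amount"], expected["currency"]):
        return False, "wrong amount or currency"
    # 3. Replay: each txn_id may upgrade an account only once.
    txn = f.get("txn_id")
    if not txn or txn in seen_txns:
        return False, "missing or replayed txn_id"
    seen_txns.add(txn)
    return True, f.get("custom", "")  # assumption: custom carries the user id

# Constructed sample bodies (not real PayPal traffic).
GENUINE = (b"payment_status=Completed&receiver_email=shop%40example.com"
           b"&mc_gross=9.99&mc_currency=USD&txn_id=TXN-CONSTRUCTED-1&custom=42")
TAMPERED = GENUINE.replace(b"custom=42", b"custom=7")  # body PayPal never sent

def fake_paypal(raw_body):
    """Offline stand-in for ask_paypal: only the genuine body is VERIFIED."""
    return "VERIFIED" if raw_body == GENUINE else "INVALID"

if __name__ == "__main__":
    expected = {"receiver_email": "shop@example.com", "amount": "9.99", "currency": "USD"}
    seen = set()
    for body in (GENUINE, GENUINE, TAMPERED):
        print(handle_ipn(body, expected, seen, verify=fake_paypal))
```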

  • solonova New
    edited February 2012

    Thank you x00

    In my case:

    - The log flexigrid does not show completed data

    - IPN data is public

    - When payments are cancelled, users are not removed from the premium category

    Oh, I forgot, the title of this discussion has an error:

    **Preimum** Accounts/Paypal Help

  • x00 MVP
    edited February 2012

    solonova, I've been over with it with you. I'm here to help people who are genuinely interested, not people who are sarcastic and bitter, or trying to shit stir.

    You said you were not using this plugin. I offered to look into your problem, you withdrew access before I could look. You also declined to substantiate.

    What more can be said? If anyone else is experiencing a problem I'm happy to help, so long as they are civil.

    Btw you could always make your own plugin.

    Just a note, especially when addressing the core team, not a good idea to act with a sense of entitlement. Having looked at some of your posts, such as the one where you posted an alarm clock. People have been banned for less, when addressing the core team. They especially don't appreciate sarcy tone and ironic smilies.

    I'm not going to be arguing with you further.

    grep is your friend.

  • What? x00, I only need to share my experience with your plugin because maybe it helps somebody.
    Sorry, I think you don't need access to my server to solve the plugin bugs.
    I was mad finding the plugin errors and told you, not to damage your ego but so they could be corrected, but instead of correcting them you got offended.

    It's not a problem because I know it is a beta version. I am sad about your reaction. Please, sorry if I offended you.

    Sorry, bye.

  • x00 MVP
    edited February 2012

    Whatever, don't believe you for a minute, not born yesterday. If you don't substantiate on bugs I can't help you.

    Considering you are new to this framework and not as knowledgeable as you seem to think, I wouldn't teach grandma to suck eggs as well.

    grep is your friend.

  • It's OK x00. Forgive me please, I only want to help.

  • I'm in sandbox mode, and I do lose money in one account and gain in the other, but the user who paid isn't getting promoted (to Premium, a new role I created and put in this addon's settings).

  • @zipboxer did you check this:

    http://cl.lk/2256497

    grep is your friend.

  • edited March 2012

    x00 said:
    @zipboxer did you check this:

    http://cl.lk/2256497

    Yeah, Payment Review disabled on default.

  • x00 MVP
    edited March 2012

    Are you on a localhost environment?

    grep is your friend.

  • x00 said:
    are you on a localhost environment?

    Yes

  • x00 MVP
    edited March 2012

    Ah, this is your problem, because PayPal has no way of pinging you for IPN.

    grep is your friend.

  • x00 said:
    Ah, this is your problem, because PayPal has no way of pinging you for IPN.

    Ohh, so if I enter my site through my global IP that problem is solved?

  • Yes (hopefully...) but the transaction has to come from there in the first place, so the old ones are not.

    grep is your friend.
