Drupal Commerce Issue Queue

Redirection to offline payment without form_id in POST

Sat, 04/12/2014 - 11:25

Can anybody help, how can I redirect users to external payment service using CALLBACK_commerce_payment_method_redirect_form and not sending form_id and form_token?

These values cause my redirection failed, because the external website does not accept such POST keys. The external payment service accepts only predefined possible POST keys.

Is there any solution? Can I just remove these keys, is it a good practise or it is a security risk?

Categories: Issue Queues

NULL queries break entity query access control

Fri, 04/11/2014 - 08:07

Seen and hunted down in #2218119: Only one billing or shipping address shown in address book tab for authentificated user, how to reproduce:

* Want to see all commerce_foo that join to NO commerce_bar
* Create a query of some commerce_foo object, join some commerce_bar object
* filter comerce_bar for null values

Result: Non-admin with "view own commerce_bar" but not "administer commerce_bar" does not see any rows
Expected: Sees some rows.

Background: commerce_entity_access_query_alter() adds condition "commerce_bar.uid=current-user":

  // If the given entity type has a user ownership key...
  if (!empty($entity_info['access arguments']['user key'])) {
    // Perform 'view own' access control for the entity in the query if the user
    // is authenticated.
    if ($account->uid && user_access('view own ' . $entity_type . ' entities', $account)) {
      $conditions->condition($base_table . '.' . $entity_info['access arguments']['user key'], $account->uid);

It should add: "commerce_bar.uid=current-user OR commerce_bar.uid=NULL"
(This also applies to the other conditions that are added in this function above that code.)

Categories: Issue Queues