Post by straightlight » Mon Dec 04, 2017 12:05 am

A long-reported issue. When a customer reports a returned product with a specific ID, this ID can also be switched, pretending to originate from another product that may never have been purchased, and be returned. The current solution would be considered a bug, since the product ID no longer matches the first occurrence of the URL in order for the merchant to process the change in the admin-end, which would create a falsified order. Following is an enforced strategy for the customer to remain with the same product declaration, in which the returned order / product will only be accepted when the customer has truly visited the account/return/info page. Otherwise, it gets redirected to the account/return/info. Obviously, if the customer is not logged in either, he will get redirected to the login page already, which completes the enforcement of returning a product in legate terms, since the return action is also relative in this case for the URL / HTML Form.

In catalog/controller/account/return.php file,

find:


if (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validate()) {
			$this->model_account_return->addReturn($this->request->post);

			$this->response->redirect($this->url->link('account/return/success', '', true));
		}
replace with:


// Load the order model once; the checks below use it.
$this->load->model('account/order');

// Redirect when no Referer is sent, or when a non-POST request did not come from account/return/info.
if ((!isset($this->request->server['HTTP_REFERER'])) || (!preg_match("/[?&]route=account\/return\/info/", html_entity_decode($this->request->server['HTTP_REFERER'])) && $this->request->server['REQUEST_METHOD'] != 'POST')) {
	$this->response->redirect($this->url->link('account/return', '', true));
	
// Redirect when order_id is missing from the URL or the order lookup fails.
} elseif ((!isset($this->request->get['order_id'])) || (isset($this->request->get['order_id']) && !$this->model_account_order->getOrder($this->request->get['order_id']))) {
	$this->response->redirect($this->url->link('account/return', '', true));
	
// Redirect when product_id is missing from the URL or the product is not found on that order.
} elseif ((!isset($this->request->get['product_id'])) || (isset($this->request->get['order_id']) && isset($this->request->get['product_id']) && !$this->model_account_order->getOrderProduct($this->request->get['order_id'], $this->request->get['product_id']))) {			
	$this->response->redirect($this->url->link('account/return', '', true));
			
// All checks passed: store the return and show the success page.
} elseif (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validate()) {
	$this->model_account_return->addReturn($this->request->post);

	$this->response->redirect($this->url->link('account/return/success', '', true));
}
Then, in the add() method, find the second instance of:


$this->load->model('account/order');
remove it.

This should rectify the issue.
Last edited by straightlight on Mon Dec 04, 2017 4:21 am, edited 2 times in total.

The most generated errors being found on Opencart forum originate from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Programmer / Opencart Tester
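
An added example, not part of the original post and not OpenCart code: the order/product ownership check described above, reduced to plain PHP and applied to the submitted form values, since those are what get stored. The function name `returnIsAllowed`, the `$orders` array and all ids are constructed for illustration; a real store would read them from its order tables and the customer id from the session.

```php
<?php
// Added example: constructed data and hypothetical names, not OpenCart code.

// Constructed order records: order_id => owning customer and purchased product ids.
$orders = [
    101 => ['customer_id' => 7, 'product_ids' => [40, 43]],
    102 => ['customer_id' => 9, 'product_ids' => [28]],
];

/**
 * Decide whether a submitted return may be stored. Only server-side state is
 * trusted (the session's customer id and the order records); the Referer
 * header is not consulted because the client controls it.
 */
function returnIsAllowed(array $orders, int $customerId, array $post): bool
{
    // filter_var() returns false for missing (null) or non-integer input.
    $orderId   = filter_var($post['order_id'] ?? null, FILTER_VALIDATE_INT);
    $productId = filter_var($post['product_id'] ?? null, FILTER_VALIDATE_INT);
    if ($orderId === false || $productId === false) {
        return false;
    }

    // The order must exist and belong to the logged-in customer.
    $order = $orders[$orderId] ?? null;
    if ($order === null || $order['customer_id'] !== $customerId) {
        return false;
    }

    // The product must be one that was actually bought on that order.
    return in_array($productId, $order['product_ids'], true);
}

// Constructed submissions from the customer with id 7.
$cases = [
    'own order, purchased product' => ['order_id' => '101', 'product_id' => '40'],
    'own order, swapped product id' => ['order_id' => '101', 'product_id' => '28'],
    "another customer's order" => ['order_id' => '102', 'product_id' => '28'],
    'product id missing' => ['order_id' => '101'],
];

foreach ($cases as $label => $post) {
    echo $label, ': ', returnIsAllowed($orders, 7, $post) ? 'accept' : 'redirect', PHP_EOL;
}
```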



Post by straightlight » Mon Dec 04, 2017 1:00 am

Improved modification on the above.

Edit: Improved it one last time. This should be protected enough.
