[3.0.x.x]Added Opayo Payment

[condor2]

No description provided.

[ADDCreative]

There is a XSS issue in this payment extension that needs fixing. If I do a pull request to fix it will you be able to fix in the original source of the extension you added?

[condor2]

Opayo was added from here
https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=36557

I can't make changes there.

[mhcwebdesign]

Is it from here: https://github.com/Dreamvention/opayo/tree/3.x.x ?

[mhcwebdesign]

There is a XSS issue in this payment extension that needs fixing. If I do a pull request to fix it will you be able to fix in the original source of the extension you added?

Can you do a pull request please here and at https://github.com/Dreamvention/opayo/tree/3.x.x ?

[ADDCreative]

@mhcwebdesign See #13519 and also 4 pull requests to the other source.

[mhcwebdesign]

@mhcwebdesign See https://github.com/opencart/opencart/pull/13519a and also 4 pull requests to the other source.

Thanks, let's wait till we hear back from dreamvention before merging it to here. In particular, I can't find any code calling the method order (defined in admin/controller/extension/payment/opayo.php) in OC 3.0.x.x, so I am not sure whether it's supposed to be
$data['user_token'] = $this->request->get['user_token'];
or
$data['user_token'] = $this->session->data['user_token'];

[condor2]

And this

https://github.com/opencart/opencart/pull/13501/files

[mhcwebdesign]

And this

https://github.com/opencart/opencart/pull/13501/files

Again, please also repeat the pull request on https://github.com/Dreamvention/opayo/tree/3.x.x , so that dreamvention (who appears to be author) can review it first.

[mhcwebdesign]

I have now contacted dreamvention, asking them to look into it all, and to test it all out.

[ADDCreative]

Thanks, let's wait till we hear back from dreamvention before merging it to here. In particular, I can't find any code calling the method order (defined in admin/controller/extension/payment/opayo.php) in OC 3.0.x.x, so I am not sure whether it's supposed to be $data['user_token'] = $this->request->get['user_token']; or $data['user_token'] = $this->session->data['user_token'];

@mhcwebdesign It's called at.

opencart/upload/admin/controller/sale/order.php

Line 1211 in 5e8fa27

$content = $this->load->controller('extension/payment/' . $order_info['payment_code'] . '/order');

The user token should always be used from the session as that is where it is originally set. While in reality using the GET parameter wouldn't cause any problem, it's bad practice. Everywhere else in the code the session value is used.

opencart/upload/admin/controller/sale/order.php

Line 241 in 5e8fa27

$data['user_token'] = $this->session->data['user_token'];

[ADDCreative]

I have now contacted dreamvention, asking them to look into it all, and to test it all out.

@mhcwebdesign Thanks. Could you also inform them they have exactly the same issue in their PayPal extension.

[mhcwebdesign]

Looking at the Dreamvention github repository, there are some other significant differences between theirs and what's currently in OC 3.0.x.x . In particular I noticed some changes in the catalog/model/extension/payment/opayo.php where someone added something like this to the file:

	public function recurringPayment($item, $vendor_tx_code) {
		$this->load->model('checkout/recurring');
		$this->load->model('extension/payment/opayo');
		
		if (VERSION >= '3.0.1.0') {
			if ($item['recurring']['trial'] == 1) {
				......
			}
			......
		} else {
			if ($item['recurring_trial'] == 1) {
				.....
			}
			.....
		}
		.....
	}

The else branch is wrong, the logic for the cart items with recurring details has always been the same for OpenCart 3.0.0.0 to 3.0.3.9 ! The original Dreamvention github repository does not have this wrong version compare logic!

So who has added it? I can see the same wrong logic in the version from the OpenCart marketplace at https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=36557