So I was messing around with my cart and discovered something interesting. We could end up with orders of negative value. For fun I proceeded to the Moneris HPP to see what it would do. The HPP indicated that the transaction was for a negative value and successfully posted the transaction back to the site. Because HPP is not designed to process negative transactions, it produced a response code of "Null" and HPP accepted that response code as a successful payment, which it should not have.
My immediate solution to fix this on my own site is to implement a minimum transaction amount for the Commerce Moneris HPP rule. This is a temporary solution and won't necessarily prevent Null response codes in the future.
EDIT: Another way of producing a "Null" Moneris Response Code is to click the browsers back button after the payment has been accepted. The browser goes back to the last step Moneris' payment process (where it posts values back to the website) and then returns the Null value to the site and associates it with the same order. There is no apparent way to prevent this.
Comment | File | Size | Author |
---|---|---|---|
#10 | 2062433-10.patch | 6.08 KB | rbrownell |
#8 | 2062433-1b.patch | 6.42 KB | rbrownell |
#7 | 2062433-1a.patch | 6.13 KB | rbrownell |
#3 | 2062433-1.patch | 6.19 KB | rbrownell |
Comments
Comment #0.0
rbrownellcorrected grammer
Comment #1
rbrownellIt appears that the function looking for the null value is case sensitive (it searches for 'null'). When Moneris HPP posts back to Drupal it does so with a 'Null'. I am going to create a patch to remedy this using a case insensitive comparison.The HPP component of the Commerce Moneris module didn't have a function coded that handled 'null' response codes. I am currently working on a patch for this.
Comment #2
rbrownellSo here is my somewhat extensive patch...
Upon working on this I discovered that null values occur for a number of reasons:
response_code
and amessage
indicating that the submitted order id was already processed. This can occur when one presses the back button of their browser after the payment was completed. This also puts the order state back into the checkout state, which if the payment was already successfully completed is undesirable.response_code
and amessage
indicating that the amount submitted is invalid.The attached patch changes functions related HPP only.
Patch Changes:
checkout
state before attempting to process the transaction.completed
orpending
states it simply goes back to the completed page, does not add any more transactions, and prints a status message indicating that payment was already submitted.response_code
is handeled.response_code
.Notes:
COMMERCE_PAYMENT_STATUS_CANCELED
does not produce a valid Payment status., so recording transactions if the checkout is already complete is unnecessary. This will need to be confirmed in the US.shopping_cart
andcancelled
from being unintentionally put into the checkout process.Everything here has been tested for production HPP in Canada. I would appreciate someone testing it for production HPP in the United States... I couldn't find an American integration guide for Moneris HPP.
Comment #3
rbrownellAttaching the patch here... (Had to re-roll it against the latest dev.)
Comment #4
rbrownellComment #5
rbrownellComment #6
rbrownellComment #7
rbrownellJust realized my initial patch included a
drupal_set_message
that I used for developmental purposes... This one does not have that message.Comment #8
rbrownellYet another revision of my patch... Upon further reflection, for accounting purposes, every post to Drupal whether a successful transaction or a failed one should probably be attached to the order's history. This patch causes Changes #5-1 and #5-2 (listed above in previous comments) to write the transaction results anyways.
Comment #9
rbrownellSo I was thinking about this this morning and I came to realize that probably the best way to prevent the problems associated with the back button is to use the Transaction Verification feature in HPP #2068601: Implement HPP Transaction Verification so that each and every transaction is properly verified.
Another layer of fool proofing is to setup HPP to load within an iFrame #2050527: HPP in Frame that way the back button will take the user to a page that is generated by Drupal and any code used to display the iFrame could validate that the cart is in the Checkout: Payment status before doing so. (I will look into this sometime soon
this week.)Other thoughts about the logic I built into the patch that need to be improved are:
Notes:
and "Pending" order states.I will work on a new patch for this today.
Comment #10
rbrownellWow. What a ride! Fix one thing, break another, fix that, discover other unrelated problems... Who knew contributing to modules would be so much fun!? (Believe me, I have a whole new respect for maintainers now.)
I have implemented all of the changes mentioned above and after running a 32 scenario test suite, have thoroughly tested it for HPP in Canada.
Additional Changes:
Notes
message
returned value uses the same key.Comment #11
rbrownellComment #12
rbrownellComment #13
rbrownellComment #14
rbrownellCommitted to 7.x-1.x-dev.
Comment #15.0
(not verified) CreditAttribution: commentedAdded new way of producing Null values.