Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The fact that the user can move around the checkout process phases using the links causes problems coming from the
fact that these are GET requests and thus interact with the browser cache and possibly invite issues
like duplicated payments and incorrect address data into the checkout.
Salut jcisio :)
All the requests should be POST requests in order to stay inside the FAPI setting and thus guarantee form data integrity.
Here's a patch that:
- Correct the hook_uninstall() function name typo.
- Add a hook_requirements at the runtime phase that signals the status of the links. Issues a warning if enabled.
- Add a hook_update_N() that disables the links.
Comment | File | Size | Author |
---|---|---|---|
#30 | disable_links_to-1997406-30.patch | 4.38 KB | nvahalik |
Comments
Comment #1
perusio CreditAttribution: perusio commentedHere's a patch that follows the proper naming conventions.
Comment #2
jsacksick CreditAttribution: jsacksick commentedThis could cause issues with the packaging script if we include into Kickstart.
We probably have to use $t = get_t(); here or st().
You're not using the $t here and it's not wrapped into the runtime condition.
Same here, we need the newline.
Comment #3
perusio CreditAttribution: perusio commented@jsacksick
Fixed patch attached. Thanks.
Comment #4
jsacksick CreditAttribution: jsacksick commentedYou didn't attach the correct patch :)
Comment #5
perusio CreditAttribution: perusio commentedarggh! :( Now it's correct.
Comment #6
jsacksick CreditAttribution: jsacksick commentedComment #7
jcisio CreditAttribution: jcisio commentedHey, thanks for being active perusio and jsacksick ;) I guess that the hook_update_N() is not necessary. If we were to change the default value, we should change it in variable_get(). In the current path, even if the site build explicitely sets the value to TRUE in the settings page, it is reverted to FALSE, which is something not expected.
Comment #8
perusio CreditAttribution: perusio commented@jsacksick
I cannot remove the
no newline at end of file
. Otherwise the patch fails.Comment #9
perusio CreditAttribution: perusio commented@jcisio If I post a patched module will you commit it and tag a new release?
Comment #10
jcisio CreditAttribution: jcisio commentedSure. The last stable was a year ago and site usage has increased x5 since then.
Comment #11
perusio CreditAttribution: perusio commented@jscisio @jsacksick
Patch against dev version attached.
Comment #12
jsacksick CreditAttribution: jsacksick commentedComment #13
jsacksick CreditAttribution: jsacksick commentedShould be variable_get for the if check (Not variable_set).
Why did you update that part ?
Comment #14
perusio CreditAttribution: perusio commentedUpdated patch with a description on the form.
Comment #15
perusio CreditAttribution: perusio commented@jsacksick indeed. Copy & paste snafu.
Comment #16
perusio CreditAttribution: perusio commented@jsacksick indeed. Copy & paste snafu.
Comment #17
perusio CreditAttribution: perusio commented@jsacksick it's an indentation fix.
Comment #18
jcisio CreditAttribution: jcisio commentedIs it only me or the commerce_checkout_progress_update_7001() is not really necessary? It does not change anything, unless later we are mad and decide to revert this default value change (aka if the variable is not set, leave it not set).
Comment #19
perusio CreditAttribution: perusio commented@jcisio Not really. The idea is to disable on sites where it is enabled since it can cause problems.
Comment #20
perusio CreditAttribution: perusio commentedI've added a minimal README.
Comment #21
jsacksick CreditAttribution: jsacksick commentedComment #22
joelpittetA few nit picks on the review of the latest patch.
This indent change is not necessary and is against the drupal coding standards.
Maybe use positive language here: "It's strongly advised to leave this disabled."
Comment #23
nvahalik CreditAttribution: nvahalik at Centarro commentedComment #24
nvahalik CreditAttribution: nvahalik at Centarro commentedRe-roll of this patch to work on latest dev. Fixed the formatting errors and included Joel's language suggestion. Slightly revised the README to be markdown friendly.
Also, hiding the other patches since they appear to be cumulative and a bit of a pain to go through.
Comment #25
joelpittetThank you for the fixes @nvahalik. Here are a couple on the new patch:
Wouldn't this change existing sites to FALSE that may have wanted to use links?
Should be a !placeholder not a concatenation inside this translation or it's effectively not translatable.
Probably don't need this comment.
Comment #26
nvahalik CreditAttribution: nvahalik at Centarro commentedJoel,
How about a compromise. We'll still disable the links (since again, that's the whole point this patch) but we'll also go ahead and issue a warning so that whether you're using Drush or you're doing your updates via the web, you'll get a nice warning message letting you know that you can turn them back on in the configuration (with a link).
Rerolled patch with Joel's excellent comments and a better warning for those who are updating.
Comment #27
nvahalik CreditAttribution: nvahalik at Centarro commentedComment #28
nvahalik CreditAttribution: nvahalik at Centarro commentedComment #29
joelpittetHow about setting their defaults to false like you have and leaving the existing sites be the way they have them? Put a warning if you'd like that they should disable them if you want but don't change existing sites.
Comment #30
nvahalik CreditAttribution: nvahalik at Centarro commentedOkay. Let's not change the functionality for existing users. But we'll add a proper warning during the update.
Comment #31
joelpittetDuplicate payments sounds horrible, but in my case I'm not taking payments till after the order is submitted so I'm not to worried about this, unless there is another reason these get requests cause issues?
Thanks for the change @nvahalik
Comment #32
nvahalik CreditAttribution: nvahalik at Centarro commentedOne potential issue would be if someone didn't realize that changes they've made to the existing cart page didn't get saved when they decide to go back to the cart. I think it's a pretty safe assumption that if you click on something in the cart to make further changes to it, that anything you've done on the existing cart page would be saved. It'd be no different than clicking continue. So in that regard, I think until at some point the links would properly post the request back to the cart and then redirect the user, not having them as regular links would be ideal.
Comment #33
nvahalik CreditAttribution: nvahalik at Centarro commentedComment #35
nvahalik CreditAttribution: nvahalik at Centarro commentedComment #37
keithn CreditAttribution: keithn as a volunteer commentedBy default, are these links still GET requests?
That is to say, is having the list render as links still causing integrity problems?
Thanks,
Keith