Looking at the code for commerce_rma_new_return_is_possible, the module pulls the latest revision timestamp to determine if the order is refundable. However, if an admin user creates an order, they have the ability to set the created date as some time in the past. In this situation, the created date is in the past but the revision is created now so the user will be able to refund the item when they should in fact not be permitted to.

Comments

yaworsk’s picture

yaworsk CreditAttribution: yaworsk commented

Not as straight forward as I thought... went to write the patch but realized, a user could create an order and come back to it later to pay and have it go to completed so it makes sense to look at the revision table.

However, how realistic is it that a user would let days, weeks or months go by before paying for and completing an order? Before I write the patch, just wanted to get consensus on whether it should in fact be the revision history or the created date - i'm still leaning towards created date as:

1. the refund period begins with whatever date we choose - since the created date would be further in the past, you would not let inadvertant returns occur where as revision dates could.

2. if a user should complete their order days, weeks or months later, an admin could still complete the return for the user at their discretion. This seems less invasive than allowing returns which should not in fact be returnable.

Thoughts?

travis-bradbury’s picture

travis-bradbury CreditAttribution: travis-bradbury commented

As a user of e-commerce I often add things to my cart without immediately completing the purchase. I've definitely had items in a cart for weeks before completing it. Sometimes it's so that I can get far enough in the process to determine what shipping charges will be.

I'm not sure that my behavior is normal, but I'd rather see the refund time look at the first time the order reaches "completed" status.

RAWDESK’s picture

RAWDESK CreditAttribution: RAWDESK commented

I agree with the last sentence at #2.
Even stronger, i'd wait until shipment has been confirmed completely, in case it concerns physically delivered goods.
Imagine yourself as an e-commerce customer ordering something in China, and you have to wait 10 days for delivery, i'd rather have 14 days then only 3 or 4 to check my purchase thoroughly.
In my current project, our shipping partner is confirming delivery through a webservice and i am considering to have rma authorization period started from the effective date of delivery.

So a hook in the API would be aprreciated to have the 'start refund time' custom setted..
Didn't check, but anybody knows if there is one ?