Hi Aporie,

I need again your support with the release of the version 1.2 of the module, as this last version seems to have changed the way Escrow payments are released, and this is blocking the way my website works. Reading the release notes of v1.2, I guess this is coming from the following new feature:

Implementation of transaction hash so user don't see the transaction ID.

Explanations of my issue:
From the other issues I have posted you know that my website requires to have the commerce funds transactions (Escrows) automated. This automation was done using Rules, thanks to the very great support you did to integrate this module into Rules and the clear tutorial you have also provided as documentation.
The workflow on my website until v1.1 of commerce funds is as follows:

Step 1:
User A posts an ad and offers a single task job to the other users against a given amount of money (decided by User A)

Step 2:
Other users interested to perform this job are postulating to this ad

Step 3:
User A selects one of the postulants (let’s say User B) to perform the job. At that step, the website withdraws from User A account the amount offered for the job (+ fees). This is done automatically using Rules with a pending Escrow triggered when User A validates a postulant selection form. All this is done in accordance with your documentation, with Rules actions Create new transaction (type Escrow) and Perform transaction.
So that User A pays at the start for the service he asks for, but User B doesn’t receive the money yet.
At that step also, my system records the transaction ID of the created Escrow and copies it in a field linked to the published job node for later use.

Step 4:
User B performs the single task job offered by User A

Step 5:
User A fills another form on the website to confirm that the job has been performed by User B. When doing so, the pending Escrow is released/completed and User B gets the money from User A on his account (and fees are paid to the site admin).
This is also done automatically using Rules, with Rules action Page redirect to URL /user/funds/escrow/release/transaction_id?action=release-escrow, where transaction_id is the transaction ID recorded in the database at step 3. (If done manually, there is a risk that User A confirms the job has been done but doesn’t trigger the payment release to User B, that’s why it has to be automated).

Now since version 1.2, my step 5 is not working anymore, as it seems that the URL /user/funds/escrow/release/transaction_id?action=release-escrow is no more existing, in order to hide the transaction ID to the user.

At the start I was indeed a bit annoyed to have the transaction ID visible in the URL as somehow it shows the site mechanism to the user. Anyway because the module only allows each user to perform his own issuer transactions and prevents users to act on the transactions of other users, there was for me no security breach. In the worst case if the user is playing with the URL, the only consequence could be that he releases a payment withdrawing money from his own account, which is in the interest of no hacker.

In the end, I think I understand the security improvement which has been done, however I couldn’t find a solution with this new way of handling transaction ID to have the Escrow completed using Rules, allowing User B to get the money at step 5 from the transaction whose ID has been recorded at step 3.

Is there any solution for this issue?
For instance adding a new Complete Escrow action in Rules with the transaction ID as parameter?
Or a new URL to be redirected to, using the hashed transaction ID?

At the moment, I need to revert to v1.1 and I cannot upgrade to 1.2.

Thanks!

Comment | File | Size | Author
#7 | CF tuto.zip | 319.67 KB | arno2mars
#5 | uuid_as_hash.png | 33.41 KB | aporie
#3 | transaction_hash.png | 71.67 KB | aporie

Comments

aporie:

Hi Arno2Mars,

Didn't take a deep look but yes, the last release removed the possibility of accessing transactions with their ID.

Do you have the transaction hash automatically populated in Rules? You should rebuild your workflow with the following URLs:
/user/funds/escrow/release/transaction_hash?action=release-escrow (transaction_id ==> transaction_hash).

Well if it's not automatically in Rules, I will take a deeper look when I have time. Thanks for the detailed description, it will help.

aporie:

So you might need to change your field transaction id by a plain text field called "field_hash" for example at your step 3:

[Image: Transaction hash]

It will then store the transaction hash in your field. You can then use it to create your redirection URL at step 5 "/user/funds/escrow/release/transaction_hash?action=release-escrow".

WARNING: If you have some uncompleted transaction you'll lose the mapping ID to HASH when deleting your field_transaction_id. If there is no ongoing transaction when you do that change, it should be transparent for your users.

Hope this helps

arno2mars:

Hi Aporie,

Thanks for your reply, impressive reactivity as always.

Just tried that, however this is making the site going down, with the following error logged:

Recoverable fatal error: Object of class Drupal\Core\Field\FieldItemList could not be converted to string in Drupal\Core\Entity\Sql\SqlContentEntityStorageSchema::castValue() (line 2546 of \core\lib\Drupal\Core\Entity\Sql\SqlContentEntityStorageSchema.php) #0

Then I tried to use entity.hash.value instead of entity.hash in the Rules parameter, but this time I have this error in the log:

Drupal\Core\Entity\EntityStorageException: The parent property is not a list or a complex structure at 'hash.value'. in Drupal\Core\Entity\Sql\SqlContentEntityStorage->save() (line 846 of \core\lib\Drupal\Core\Entity\Sql\SqlContentEntityStorage.php).

So it seems that the hash cannot be turned into string, or am I doing something wrong maybe?

Thanks again,
Regards,

aporie:

Hi again,

So the thing is that we need to generate a random hash for the field. Again I don't understand why Rules doesn't seem to use the entity creation as usual. I would have thought that letting the field hash empty in the "create transaction" rules would have generated the hash automatically (it's how it works as designed in the field definition).

Anyway, I've found an equivalent workaround which has no security implication. You can use the uuid of your node for the hash (It won't create any uuid collision as your node and your transaction will still have two different uuid, it's just that we use it for the transaction hash).

So at your step 3 I think you can now get rid of storing the transaction id in your field as the node itself store the transaction hash (its uuid). Just make sure when creating your transaction you use the node uuid as hash:

[Image: UUID as hash]

It should do the trick.

> In the worst case if the user is playing with the URL, the only consequence could be that he releases a payment withdrawing money from his own account, which is in the interest of no hacker.

Well, if it's possible it's an issue I need to take care of.
[Edit] Checked and the issuer of the withdrawal request can't access withdrawal operations. So it's good.
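
An added example, not part of the thread and not the Commerce Funds module's code: a plain-PHP model of the release step discussed above, showing that the hash in the URL is only an unguessable reference while the issuer check is what stops other users from acting on a transaction. The class name, method names and result strings are hypothetical, and the sample users and amount are constructed.

```php
<?php
// Added example: a plain-PHP model, not the Commerce Funds module's code.
// EscrowStore, create() and release() are hypothetical names.

final class EscrowStore
{
    /** @var array<string, array{issuer:int, recipient:int, amount:int, status:string}> */
    private array $byHash = [];

    // Create a pending escrow and return the opaque reference used in URLs.
    public function create(int $issuer, int $recipient, int $amount): string
    {
        // 128 bits from the CSPRNG: unlike a serial ID it cannot be enumerated.
        $hash = bin2hex(random_bytes(16));
        $this->byHash[$hash] = [
            'issuer' => $issuer, 'recipient' => $recipient,
            'amount' => $amount, 'status' => 'pending',
        ];
        return $hash;
    }

    // Release an escrow on behalf of $currentUser and return a result code.
    public function release(string $hash, int $currentUser): string
    {
        // An unknown reference and a wrong user get the same answer, so the
        // response never confirms that a given hash exists.
        $tx = $this->byHash[$hash] ?? null;
        if ($tx === null || $tx['issuer'] !== $currentUser) {
            return 'denied';
        }
        // A completed escrow must not pay out a second time.
        if ($tx['status'] !== 'pending') {
            return 'already-completed';
        }
        $this->byHash[$hash]['status'] = 'completed';
        return 'released';
    }
}

// Constructed sample data: user 1 (issuer) pays user 2 (recipient).
$store = new EscrowStore();
$hash  = $store->create(1, 2, 5000);

echo $store->release($hash, 2), "\n";               // recipient tries to release
echo $store->release(str_repeat('0', 32), 1), "\n"; // issuer with a made-up hash
echo $store->release($hash, 1), "\n";               // issuer with the stored hash
echo $store->release($hash, 1), "\n";               // same request replayed
```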

arno2mars:

Thanks a lot Aporie!

With your help and hints, I could manage to adapt my workflow and get things work with the hash.
Just few precisions in case some other users read this post one day:

1- In the transaction_hash.png, entity.hash.value has to be used instead of entity.hash

2- It seems that the generated URL for releasing the Escrow has changed compared to former versions of the module.
Before: /user/funds/escrow/release/transaction_id?action=release-escrow
Now: /user/funds/escrow/manage/release/transaction_hash?action=release-escrow (/manage/ has been added on top of the replacement of the ID by the hash)

The least I can do to thank you is to contribute in my turn to this great module. As my poor developer skills do not allow me to propose any new functionality nor module upgrade, I propose myself to adapt the module documentation, and update your Using Rules with Commerce Funds tutorial to reflect the latest changes implemented in the v1.2. I'll try to post that tomorrow, so that you can copy/paste to your website.

Hoping it helps, and thanks again for your great support!
Cheers,

arno2mars:

Hi Aporie,

As promised, I have attached a zip file with an improved tutorial (mainly based on the one you have provided already), adding in particular the instructions how to release an Escrow using Rules, which were missing.
I saw that you had already implemented the instructions for the hash, however I have also added some precision and guidance in the different sections. I did it keeping in mind what were my own needs for Rules integration, and what was my experience of combining the two modules, which I guess could be also applicable to other site builders, so I hope this can help! :-)

Thanks again for all the issues you solved for me :-)
Regards,

aporie:

Status: Active » Fixed

Hi,

Well, thank you! I'll update the tutorial with your additions asaic.

Yes you're right, I changed the paths to be more coherent:

- /user/funds/escrow/manage
- /user/funds/escrow/manage/release

It can be useful for people who hardcoded them (didn't think about it). The power of Symfony is to use routes, so developers won't probably have seen this change ;)

Thanks again for all your analysis, it helps a lot to improve this module!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.