Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This module integrates EuPlatesc.ro payment gateway into the Drupal Commerce payment and checkout systems.
Manual Reviews of Other Projects
Project link
https://www.drupal.org/project/commerce_euplatesc
Git instructions
git clone --branch 8.x-2.x https://git.drupalcode.org/project/commerce_euplatesc.git
Comments
Comment #2
apadernoComment #3
adevms CreditAttribution: adevms at REEA commentedComment #4
BramDriesenHi,
First thing I did was running phpcs on your project and there are quite some things to be re-worked. I would reccomend you to fix those issues first before I (or anyone else) proceeds with the review.
Here is a list of the issues identified.
I did notice you have the following in your info.yml while quickly browsing through your project.If I'm not mistaken you should not specify the core: 8.x key if the core_version_requirement key is present in your info.yml file.Ignore the part above about the core key :-).
However you can also specify the drupal requirements in the composer.json.
(Example from https://www.drupal.org/node/3070687)
Comment #5
adevms CreditAttribution: adevms at REEA commentedHi BramDriesen,
Thank you for your review.
I've fixed all of the issues listed.
Comment #6
apadernoI added the PAreview checklist link.
It reports wrong line endings in some files and wrong indentation in some lines. Without other issues, I would not consider them application blockers.
Comment #7
maheshpa CreditAttribution: maheshpa as a volunteer and at iHorizons commentedHi @Adevms,
Manual Review
Comment #8
maheshpa CreditAttribution: maheshpa as a volunteer and at iHorizons commentedComment #9
BramDriesenI don't see what that would be needed. If it's null or empty it simply would be ignored by the foreach loop.
Comment #10
maheshpa CreditAttribution: maheshpa as a volunteer and at iHorizons commented@bramDriesen
The review point shared #7 is not blocker but if $order variable null or empty then $order->getItems() generates the warning calling undefined methods on$order object. So I added my comments.
Comment #11
BramDriesenI highly doubt it is possible to end up in the payment gateway if you don't have an order object. I'm quite sure Drupal Commerce has things in place to catch or prevent that from happening.
Comment #12
BramDriesenAutomated Review
PAreview is still giving a few remarks http://pareview.net/r/35 but certainly a lot less as before! :)
Note that perfect adherence to Drupal Coding Standard is NOT a reason to block an application, except for total disregard of them. However, modules should follow them as closely as possible.
Manual Review
== "0"
do you need to check for string 0? Why double quotes (module uses single almost everywhere, should be consistent). Preferably always do strict checking===
.$data
. But the issue is that if setEuPlatescCheckoutData goes into an error and doesn't return any data to be processed, the$data
array will not exist and you'll get a fatal error on thebuildRedirectForm
because the array doesn't exist. This can be fixed by simply initiating a empty array before processing the foreach.The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.
If added, please don't remove the security tag, we keep that for statistics and to show examples of security problems.
This review uses the Project Application Review Template.
Comment #13
BramDriesenI accidentally put my review in the issue summary (didn't have my coffee yet ☕😅). I reverted it back and put my actual comment in the comment. Updating to needs work for the * items.
Comment #14
adevms CreditAttribution: adevms at REEA commentedThank you guys for your reviews.
I've made the changes pointed out in previous comments.
Comment #15
klausiThanks for you contribution!
manual review:
Although the weak hash functions and the timing attack weakness are not easily to exploit security vulnerabilities (at least not as far as I can see here), I think they need to be fixed before we can give security coverage for this module. Is there a way you can work with the payment gateway provider to implement a workflow with modern and secure hash functions and signatures?
Comment #16
apadernoComment #17
apadernoI am closing this application since there have been replies in the past 5 months.