Contributions
Pending Order Downloads
Will check order status and if it is Pending will not show a download link.
Simple fix to one file...downloads.php
A minor security issue.
An attacker was able to download files from a pending order by generating a direct URL:
download.php?order=40&id=20
/catalog/download.php:
------- Find:
// Die if file is not there
if (!file_exists(DIR_FS_DOWNLOAD . $downloads['orders_products_filename'])) die;
------- Add Below:
// Die if not delivered
require (DIR_WS_CLASSES . 'order.php');
$order = new order ($HTTP_GET_VARS['order']);
if($order->info['orders_status_id'] < 2) die;
Hope that's it!
P.S. The attached file contains the fixed download.php.
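The check above compares status IDs numerically, so it relies on every status with an ID of 2 or more being one that should allow downloads. The following is an added example (not part of the contribution or of osCommerce) that contrasts that threshold with an explicit allow-list and counts the download days from the first allowed status, as a later post on this page asks for; status ID 4 and all function names and array keys are assumptions.

```php
<?php
// Added example, not osCommerce code. IDs 1-3 follow the statuses named on
// this page (pending, processing, Delivered); ID 4 is a constructed custom
// "Cancelled" status. Function names and array keys are hypothetical.
const DOWNLOADABLE_STATUS_IDS = [2, 3];

// The posted fix as a predicate: every ID of 2 or more passes.
function allowed_by_threshold(int $statusId): bool
{
    return $statusId >= 2;
}

// Allow-list: only statuses named explicitly pass, whatever their number.
function allowed_by_list(int $statusId): bool
{
    return in_array($statusId, DOWNLOADABLE_STATUS_IDS, true);
}

// $history: rows of ['status_id' => int, 'at' => unix time], oldest first;
// the last row is the current status. The download window starts when the
// order first reached an allowed status, not at purchase time.
function download_permitted(array $history, int $maxDays, int $now): bool
{
    $current = end($history);
    if ($current === false || !allowed_by_list($current['status_id'])) {
        return false;
    }
    foreach ($history as $row) {
        if (allowed_by_list($row['status_id'])) {
            return $now >= $row['at'] && $now <= $row['at'] + $maxDays * 86400;
        }
    }
    return false;
}

// Constructed histories: a transfer that clears on day 10, and a cancellation.
$day       = 86400;
$pending   = [['status_id' => 1, 'at' => 0]];
$paidLate  = [['status_id' => 1, 'at' => 0], ['status_id' => 2, 'at' => 10 * $day]];
$cancelled = [['status_id' => 1, 'at' => 0], ['status_id' => 4, 'at' => 1 * $day]];

foreach (['pending' => $pending, 'paidLate' => $paidLate, 'cancelled' => $cancelled] as $name => $h) {
    $id = end($h)['status_id'];
    printf("%-9s threshold=%s list+window(day 11)=%s\n", $name,
        var_export(allowed_by_threshold($id), true),
        var_export(download_permitted($h, 2, 11 * $day), true));
}
```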
Just the forum page
http://forums.oscommerce.com/index.php?showtopic=247713
Updated Jeff's version 2.00 to 2.10 to make it language-independent.
There is still the issue that the download days start immediately, and you will never know how fast the customer can make the bank transfer! I usually have the download days set to 2 days, that's perfect for PayPal, but an international bank transfer might easily take 1-2 weeks!
It would be nice to have something 'official' that would start the download days only when the order has reached the 'processing' (2) state and would either (a) disable the link whenever the state is set to 'Delivered' (3), or (b) automatically set the state to 'Delivered' when it has been downloaded...
Then again, how would we know if his download succeeded or he needs another go?
-----
CAUTION! This has been tested with a fresh install of osC 2.2MS2. Please READ the TEXT FILE before just copying over any files!
Changed the code...to fix a problem with checkout_success.php...
You only have to change two files, downloads.php and checkout_success.php
This will now not allow any pending orders to be downloaded in both areas. Any other order status will download as normal...
Added to the change to fix a problem with it showing download in Order Success display. Quick fix doesn't allow downloads in the Order Success Display. Will look into this further when I get the time. If anyone else has a fix, feel free to post.
Will check order status and if it is Pending will not show a download link.
Simple fix to one file...downloads.php
Note: Contributions are used at own risk.