stop bypass the checkout and get the download link

[natashome]

hi

 

i have items that are supposed to be downloaded after purchase. however on the checkout_confirmation.php page if you simply put checkout_success.php you get the download link and you didn't paid anything for it...any security fix for that?

thanks

[Ben Nevis]

When I tried it just now I found that I was getting the last order I had paid for coming up - ie had to be logged in as the customer, had made a previous purchase, the link that came up was the link for the previous purchase not the item I had in my basket. I didn't get any free download. Ideally switching from process to success without payment ought to redirect to the payment page again, but do you get things you have not previously purchased coming up?

[germ]

I've seen some (reliable) posts that say if you install Super Download Shop this solves the problem.

 

I haven't tried it so I can't say for sure that this works.

:blush:

 

Added in edit:

 

An extensive thread on this subject is here

[Ben Nevis]

Hmm, so having read through all the way through that thread and tried again at the confirmation stage, so far as the current Paypal IPN/Standard issued with RC2.2a is concerned it seems that the order status by this exploit is set to the Paypal 'Preparing Order Status' - not a problem so long as that is a status lower than needed to make downloads available. Discussion on that thread seemed to suggest installing SDS doesn't make a difference although I do have it.

 

The Paypal 'Acknowledged' status can still be high enough to allow download automatically when Paypal has actually acknowledged the payment. Didn't try other payment modules...

[germ]

My (very limited) understanding of the problem is that it is only applicable to stores selling downloads and using Paypal as the payment method.

[Ben Nevis]

My (very limited) understanding of the problem is that it is only applicable to stores selling downloads and using Paypal as the payment method.

Seems so, although that is precisely the position that many osc users selling digital products will be in - like me. But anyway at least the problem does seem to be resolved to some extent in RC2.2 provided the Paypal 'Preparing Order Status' isn't high enough to allow a download. Don't think it should be possible for the order to be accepted and appear in the order table in this way though...

[natashome]

i have read all the thread as well and also installed the Downloads Controller. Now as someone mentioned in that thread people these days would like to get what they paid for instantly. Putting the order on a hold status when a customer maybe purchases the item at 3AM or when you're not able to update the order status to allow him to get a download link isn't quite fun..i am using the paypal standard but i saw that other paypal modules have this conflict as well...it's sad since a lot of people use OSC and paypal and have download items

[Ben Nevis]

Yes, Natashome, but have you checked your Paypal settings in admin? Have you by any chance got the Paypal 'Preparing Order Status' set to 'Download Available'? Or do you have it set to 'default' and the default set to 'Download Available' or any other status at which Download controller allows download? If you have, set the 'Preparing Order Status' to a status that does not allow download and then see what happens. So far as I can see, on my own site I can have the Paypal 'Acknowledged Order Status' set to allow download and the 'Preparing Order Status' not to allow it, and customers who pay will get the download immediately and customers who don't, won't (even if they try the exploit).

 

Also, you say 'other Paypal modules are also affected'. Paypal Express isn't, I can't see how it could be because choosing that takes you straight off to the Paypal web site to log in and make your payment. You don't get the chance to skip payment and go to checkout_success with that, so far as I can see.

[natashome]

Yes, Natashome, but have you checked your Paypal settings in admin? Have you by any chance got the Paypal 'Preparing Order Status' set to 'Download Available'? Or do you have it set to 'default' and the default set to 'Download Available' or any other status at which Download controller allows download? If you have, set the 'Preparing Order Status' to a status that does not allow download and then see what happens. So far as I can see, on my own site I can have the Paypal 'Acknowledged Order Status' set to allow download and the 'Preparing Order Status' not to allow it, and customers who pay will get the download immediately and customers who don't, won't (even if they try the exploit).

 

Also, you say 'other Paypal modules are also affected'. Paypal Express isn't, I can't see how it could be because choosing that takes you straight off to the Paypal web site to log in and make your payment. You don't get the chance to skip payment and go to checkout_success with that, so far as I can see.

 

lol...both statuses were set to Delivered on the paypal module...it's late here and i just got around 40 modules installed....thanks a lot for this easy solution to my post...

[reciecup]

...sorry to butt in. But I was wondering, I have some products on my site that can be downloaded for free. However I am having a hard time bypassing the credit card and checkout steps. I want my customers to be able to download the free products without having to enter any credit card info. How can I do this ?

[germ]

...sorry to butt in. But I was wondering, I have some products on my site that can be downloaded for free. However I am having a hard time bypassing the credit card and checkout steps. I want my customers to be able to download the free products without having to enter any credit card info. How can I do this ?

One way would be to arrange a link that only logged in customers can see.

 

Something like:

 

<?php
 if ( tep_session_is_registered('customer_id') ) {
?>

******** DOWNLOAD LINK GOES HERE ********

<?php
 }
?>

Although, this doesn't stop anyone from sharing the link with their friends if they wished to do so.

 

There might be a "bullet proof" way to make it so that only registered customers get the download, but there is no way to stop them from sharing what is downloaded (unless it's copy protected in some fashion).

[satish]

If payment status setting for a download link is set to something that is equal to the downlaod status link this can be taken care.

 

Satish

[Ben Nevis]

If payment status setting for a download link is set to something that is equal to the downlaod status link this can be taken care.

 

Satish

Are you addressing the original poster's question (natashome) or reciecup's?

 

In case it was the former, this was already answered. If it was reciecup's, the specific problem he describes here is how to make them available for free without having to go through the checkout process, not 'how to make them available' generally.

 

This could be done as Germ suggests, it might be done other ways too which might or might not involve code modification. The answer really depends on what information reciecup wants to get from the customer, if any, and what oher conditions, if any, should apply, before the download is made available, ie. is it ok to have the downloads freely available all the time to anyone or are they only for registered customers/only through links that are valid for that particular customer/who have purchased or wish to purchase particular other products etc etc?

[satish]

My suggestion is that create a separate page that has download links.

And let only members who are logged in be able to reach that page.

 

Why go for Shopping cart concept when You do not want to charge.

 

Let Me know the objective to suggest a better solution.

 

Satish

[Ben Nevis]

...sorry to butt in. But I was wondering, I have some products on my site that can be downloaded for free. However I am having a hard time bypassing the credit card and checkout steps. I want my customers to be able to download the free products without having to enter any credit card info. How can I do this ?

 

This contribution http://www.oscommerce.com/community/contributions,4136/ might be another way of acheiving what you want. It depends what you do want to really, ie the circumstances under which the downloads should become available, it isn't very clear.

[♥14steve14]

The problems people are having with downloads can be overcome by installing super downloads store and following all the instrucions to install it correctly. It does take time, but it does work in the end. I do believe that there are even modules included to bypass payment and shipping if they are free items.

[Ben Nevis]

The problems people are having with downloads can be overcome by installing super downloads store and following all the instrucions to install it correctly. It does take time, but it does work in the end. I do believe that there are even modules included to bypass payment and shipping if they are free items.

I use Super Download Store and can assure you that it does not solve all issues that can arise in dealing with downloads. It doesn't for example, deal with shipping issues that can arise when customers present mixed physical/virtual carts. While it does skip shipping if the cart contents are all virtual, osc will do this even without SDS. It does not skip the payment modules just because the goods are free. It does not control the checkout process. It is isn't intended to deal with such matters either. SDS is a good module for dealing with downloadable products, but it is not a universal panacea for everything that anyone wants to do with them.

[♥14steve14]

I use Super Download Store and can assure you that it does not solve all issues that can arise in dealing with downloads. It doesn't for example, deal with shipping issues that can arise when customers present mixed physical/virtual carts. While it does skip shipping if the cart contents are all virtual, osc will do this even without SDS. It does not skip the payment modules just because the goods are free. It does not control the checkout process. It is isn't intended to deal with such matters either. SDS is a good module for dealing with downloadable products, but it is not a universal panacea for everything that anyone wants to do with them.

 

I also use the super download store, and yes it does bypass the payment and shipping pages if the items are for free download. It will also allow customers to download together free and paid downloads. I have it set up with paypal as my only payment option. Untill recently i also offered payment by cheques and postal orders but as in 9 months of running the store those options had never been used, so i removed them. If it is setup correctly it will do everything that people want to do with downloads.

[Ben Nevis]

I also use the super download store, and yes it does bypass the payment and shipping pages if the items are for free download. It will also allow customers to download together free and paid downloads. I have it set up with paypal as my only payment option. Untill recently i also offered payment by cheques and postal orders but as in 9 months of running the store those options had never been used, so i removed them. If it is setup correctly it will do everything that people want to do with downloads.

Strange, because I am quite sure I have mine set up correctly and it does not bypass the payment module even if the only item in the basket is free, nor do I recall noticing anything in the code that would make it do that. It certainly does not handle issues about shipping and the possible erroneous application of shipping charges when a customer has both physical and virtual goods in their basket, depending on shipping method used, so it can't be said to do 'everything'.

[♥14steve14]

Ben nevis

Step 5 of the installation of this mod explains that the modification the the checkout_process.php file must also be carried out to the paypal module that you are using. Not part of this module are the free shipping and free payment modules that i have also added. I do believe that these came from the downloads controller module, which is the basis for the super download module.

[Ben Nevis]

Ben nevis

Step 5 of the installation of this mod explains that the modification the the checkout_process.php file must also be carried out to the paypal module that you are using. Not part of this module are the free shipping and free payment modules that i have also added. I do believe that these came from the downloads controller module, which is the basis for the super download module.

Yes, step 5 does say that but there is nothing in that code that looks at what the price is or affects going to paypal for payment to be made, even if the price is zero. Logically the paypal module would have to be visited first before any code change it in could make a difference, which means that first the customer has to choose a payment option. Even there is only one payment method you are still asked to confirm the billing address before confirming the order which then takes you to paypal to make the nil payment.

 

I think you will find the free shipping and free payment modules you have are not a part of downloads controller, if they are they did not find their way into SDS. Even osc's built in download handling skips the shipping page. One of the issues that download controller and SDS addressed was to prevent customers getting free downloads when payment had not been confirmed.

[♥14steve14]

If you check downloads controller you will find that it does include the two free modules. I have just looked and they are there. I take it from what you are saying then is that my store shouldnt work.

[reciecup]

Thanks for the responses. What I am trying to do is offer free product downloads to registered customers only. I would like to skip the whole Credit Card part of checkout or provide a link somewhere to download the product. I really don't want to have to install any contributions since the last time I did that I messed up and had to re-do my entire site. If there is a way to do this without using the cart at all, that would be even better.

 

Thanks

[Ben Nevis]

If you check downloads controller you will find that it does include the two free modules. I have just looked and they are there. I take it from what you are saying then is that my store shouldnt work.

Lol. No, Steve, all I can say is we seem to be seeing different things happening from the same addon. I can't explain it and since we both seem to have stores working to our satisfaction I guess it doesn't really matter.

 

reciecup - in that case Germ's suggestion much earlier on in the thread is probably the best/easiest option for you, but it will mean that non customers could end up with valid download links if they get them from a customer. Since they are free downloads maybe that doesn't matter too much if occasionally someone does?

[Ben Nevis]

Lol. No, Steve, all I can say is we seem to be seeing different things happening from the same addon. I can't explain it and since we both seem to have stores working to our satisfaction I guess it doesn't really matter.

Or on the otherhand maybe we weren't looking at the same addon. Yes, you are right and download controller does have those modules, but they didn't find their way into SDS although it uses download controller, at least not the version that of SDS that I downloaded ie the most recent one...