As designed Payment handler & XF::visitor ()

X

Xon

Well-known member
Affected version
2.0.10
This may be 'as designed', but when handling a payment received from a payment provider the XF visitor is still set to a guest when running the user upgrade.

This makes any permission checks based on the ambient visitor likely to not work as expected, especially for 3rd party extensions. Especially as canPurchase is used in the GUI where you expect it to work off the current user.

:edit: In XF\Service\User\Upgrade::upgrade() canPurchase is called. It looks like the stock canPurchase always return true since the user_id == 0, and that will (should?) never have an Active entry.
Code: 
public function canPurchase()
{
   $visitor = \XF::visitor();
   return ($this->can_purchase && !isset($this->Active[$visitor->user_id]));
}
 
Last edited:
So what you're reporting is absolutely as designed -- this code isn't supposed to depend on the visitor.

However, I know why you're reporting it because we had a ticket recently where an upgrade wasn't being processed and we tracked it down to a behavior from your add-on, but one that we determined was really a bug in our code; if we're at this point, we shouldn't be checking canPurchase. That should be restricted earlier in the flow.

So that issue is already fixed for 2.0.11.
 

Similar threads

M
  • Suggestion Suggestion
Lack of interest Allow customisation of payment callback response within payment handler
Replies
2
Views
553
mattrogowski
M
K
Fixed Stripe payment Handler doesn't handle recurring payments correctly
Replies
11
Views
1K
Tom
T
Earl
XF 2.1 How to get guest user IP address? \XF::visitor()->getIp(); isn't working
Replies
3
Views
2K
MIXER
MIXER
Scandal
XF 2.0 Render a bbcode where we need to take into account the \XF::visitor() and issue with watched threads (email)
Replies
5
Views
851
Lukas W.
Lukas W.
digitalpoint
  • Suggestion Suggestion
Implemented Payment Handlers
Replies
3
Views
994
digitalpoint
digitalpoint
Back
Top Bottom