XF 2.2 7 disputes from PayPal, same user signed up 7 times in 2 weeks!

fionix

Today I got 7 disputes from one user that has signed up with the same user account for an account upgrade (same account upgrade) 7 times.

How is that possible?

Sorry, but shouldn't that be blogged somehow by the XenForo system? It makes no sense that someone signs up 7 times in the same month for the same monthly membership.

How can I stop this from happening again? It is totally amateur that this is possible at all.
 
I'm speaking from the perspective of a forum that has a custom billing system, but I would expect a $10 monthly subscription in vanilla XenForo to work as follows:
  1. Alice purchases an upgrade on Jan 1. She pays $10.
  2. Alice cancels her upgrade on Jan 2.
  3. Alice's subscription continues through Jan 31, since she already paid.
  4. On Jan 3, Alice decides she wants to continue paying for her subscription, so she re-subscribes. Either:
    • Alice's remaining subscription period is credited toward her renewal. She is charged a pro-rated price today, and she will receive an additional full-price charge on the 3rd of each month. She is charged about $1 immediately (Jan 3) as a pro-rated price. After that, her next charge will be $10 on Feb 3.
    • Or: Nothing changes until Feb 1. She will continue being charged at full price on Feb 1. She is charged nothing immediately. Her next charge will be $10 on Feb 1.
If XenForo doesn't support either of those flows out-of-the-box and is instead only capable of charging the full price each time, failing to credit the user, I would consider that a significant bug. I suspect that would attract the ire of various organizations--or, at minimum, consumers--if it were to come to light. I would even go so far as to label it as a security vulnerability: a malicious actor could use such a broken subscription model to incur significant costs for a forum's operators and likely get them cut off from accepting further subscriptions. The likes of PayPal and Stripe would almost certainly pin the oversight on the merchant.

I suspect some of the programmers in the audience will suggest that this sort of pro-rated system is made difficult by Stripe and PayPal's APIs, and they would be correct, especially given how PayPal's subscription system works. However, it's certainly possible--I've implemented it myself for Stripe, and I've seen other services work around PayPal's limitations.

If and only if the vanilla XenForo behavior isn't what I described in the aforementioned flow, then it should be treated as a serious security vulnerability. However, I haven't verified this, and there could be other factors at play.

Are you saying they signed up for multiple simultaneous subscriptions, or that XenForo didn't pro-rate them?

Edit: After some rudimentary testing with XenForo 1.5.x, I wasn't able to reproduce this. At least in that version, XenForo doesn't seem to allow users to re-subscribe until their cancelled subscription has lapsed. Are you certain there aren't any other factors at play here, such as add-ons? Note that I haven't tested this with XenForo 2.x yet. I have some theories as to how this scenario might be possible, but the simplest explanation is that an add-on is interfering in some way, or there's a misconfiguration of some sort. It's also possible the behavior is different in 2.x.
 
it should be treated as a serious security vulnerability.
It would be treated as a serious security vulnerability if it was a security vulnerability. It isn't.

Although to be clear you've misunderstood how it works, so it isn't a bug at all.

We only respond to these payment statuses from PayPal IPNs:
  • Completed
  • Refunded
  • Reversed
  • Canceled_Reversal
If a user cancels their PayPal subscription, we don't take any action. The user upgrade that was purchased continues to be valid until it expires on our side. Until that point, by design, it is not possible to purchase it again.

It is not possible to sign up for multiple simultaneous subscriptions. There may be add-ons that allow this functionality so I'm unsure if that may be a factor.
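
The behaviour described in the post above, modelled as an added example (not XenForo's own code and not part of the original post): only the four listed payment statuses change anything, a subscription cancellation leaves the expiry untouched, and checkout is refused while the upgrade is still valid. The `user_id` and `upgrade_id` fields, the 30-day period, and what the refund and reversal statuses do to the upgrade are assumptions of this sketch.

```python
from datetime import datetime, timedelta

# Statuses the staff post lists as acted on; every other IPN is ignored.
HANDLED = {"Completed", "Refunded", "Reversed", "Canceled_Reversal"}
PERIOD = timedelta(days=30)  # assumed length of one paid period

class UpgradeLedger:
    def __init__(self):
        self.active = {}     # (user_id, upgrade_id) -> expiry of the paid period
        self.suspended = {}  # upgrades revoked by a refund or reversal
        self.denied = []     # refused checkout attempts, kept as evidence

    def can_purchase(self, user_id, upgrade_id, now):
        """Checkout guard: no second purchase while the upgrade is still valid."""
        expiry = self.active.get((user_id, upgrade_id))
        if expiry is not None and now < expiry:
            self.denied.append((now, user_id, upgrade_id))
            return False
        return True

    def handle_ipn(self, msg, now):
        key = (msg["user_id"], msg["upgrade_id"])  # hypothetical field names
        status = msg.get("payment_status")
        if status not in HANDLED:
            return "ignored"  # e.g. a subscription cancellation: expiry untouched
        if status == "Completed":
            # Assumption: a renewal extends from the current expiry.
            self.active[key] = max(now, self.active.get(key, now)) + PERIOD
            return "active"
        if status in ("Refunded", "Reversed"):
            if key in self.active:
                self.suspended[key] = self.active.pop(key)
            return "revoked"
        # Canceled_Reversal: the reversal was withdrawn, restore what was revoked.
        if key in self.suspended:
            self.active[key] = self.suspended.pop(key)
        return "restored"

def replay_thread_scenario():
    """Constructed timeline: one user tries the same upgrade 7 times in 2 weeks."""
    ledger, alice = UpgradeLedger(), {"user_id": 42, "upgrade_id": 1}
    outcomes = []
    for attempt in range(7):
        now = datetime(2021, 1, 1) + timedelta(days=2 * attempt)
        if ledger.can_purchase(42, 1, now):
            outcomes.append(ledger.handle_ipn({**alice, "payment_status": "Completed"}, now))
            ledger.handle_ipn({**alice, "txn_type": "subscr_cancel"}, now)  # cancel: no-op
        else:
            outcomes.append("denied")
    return outcomes, ledger
```

With this guard in place only the first of the seven attempts produces a charge; the `denied` list is the kind of record that would show the repeated attempts if they came through some other path such as an add-on.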
 
If a user cancels their PayPal subscription, we don't take any action. The user upgrade that was purchased continues to be valid until it expires on our side. Until that point, by design, it is not possible to purchase it again.
Thanks for confirming. That is indeed the behavior I'm seeing in testing, and I edited my post shortly before you replied. As far as I can tell, the vanilla behavior is fine.

@fionix, you should try reproducing this behavior on your forums in two scenarios:
  1. With your forums as they exist currently--no modifications
  2. With all add-ons disabled
If you're able to reproduce it in step #1, I would be quite surprised if you can still reproduce it in step #2. If you can't reproduce it in step #1, there may be some sort of bug at play here.
 
I understand, looks like it is impossible to reproduce the problem. Fact is, PayPal decided to close the account because of this sh... now we are searching for alternatives. It's 10 years of hard work flushed down the toilet in a single hit from PayPal because of one stupid user.

I have read similar things a million times on various forums. I never believed what I read and always thought the user posting this had done something he doesn't tell, otherwise PayPal would not do it. Yesterday I understood it is all true: don't rely on PayPal for your business, they can destroy your entire business in minutes.

Where this error is I don't know, but once we are integrated with a new processing solution we will avoid recurring transactions. It does not look like things work the way they should; I believe it may be a mix of everything. Fact is, we need to move forward and learn from this crap.
 
Did you contact PayPal? If you are in good standing (outside of these chargebacks) PayPal will usually work with you.

You'll want to give them logs of each account registration, with any data that is the same, and also payment logs from XF with proof that they got what they paid for. If you explain what was done, and how they had to purposely do what they did to try to hurt your standing with PayPal, they are likely to side with you unless you have prior marks against you.

Generally after we get a chargeback, we will refund the person and permanently ban them.
 
As I said, I have read all the stories online about all the bad about PayPal and I was in the same boat as you. I thought so many idiots were ****ing around with PayPal and they don't tell the truth.

Today I know that PayPal is one BIG Rip Off if you are a small player and don't live in the USA. They had to close their branch in Denmark because the laws don't tolerate such behavior and business practice.

I called PayPal 4 times on their US phone number, which I had to Google to find. Every time I got someone on the line that is as helpful as when I go on the toilet and flush the ****. I have asked for an explanation, asked to speak with their compliance and told them that this can't be the truth, that after 10 years with transactions and the same business they just shut it down.

Answer: I'm sorry XXXX that I'm the one that has to bring the bad news, good luck and you can always sign up for a personal account.

Yeah right!

They didn't respond at all to the tickets... forget it. PayPal is the worst service ever. Again, I'm not alone: TrustPilot in Denmark shows only, and I repeat ONLY, negative reviews.

As I said, I didn't believe what I read in all these years, but now they killed my business, or at least half of it, because we also accept crypto. Now I know that hundreds of thousands tell the truth, but PayPal has just the biggest balls, you can't beat the giant.

Back to the topic!

If you like your XenForo and you get more than a half hundred daily account upgrades with payment by PayPal, then make sure to hire a developer that can help you with fraud protection. XenForo is not a platform built for commercial use, and from the replies here it makes it very clear how this works.

That said, XenForo is great as a forum platform and it offers everything needed for this and a lot more, but payments and security in the long term, it will kill your business.
 
XenForo is not a platform built for commercial use, and from the replies here it makes it very clear how this works.

I have a large subscription-based forum, and I've run it on XF since XF started. So it is possible.

However, there are dumb shortfalls in the commercial aspects that we need to use addons for.

There are a number of other issues about subs that just have not been thought through. If I find a spare hour I'll post about the subscription shortfalls; there are a few.
 
I am not on the side of PayPal here. In fact, they are a very greedy company with really bad customer service. I hope one day everyone ditches them. But since that day we all rely on it.

But on the other side, I have no sympathy with commercial forum owners. If you make decent money off of your forum, then you should take care of your business yourself and not put the blame on XF here. Make money AND expect everything from XF? Like put the burden on them while you make the cash? In what world is this okay?

XF doesn't have the team to dedicate their time to just spoil commercial forum owners. Their time is needed somewhere else when imo so many other things can be done. All "small" forums rely on XF because they have no other way. But you commercial owners have money. Don't be that greedy and do something for the community. Pay someone and develop things which you need and then share it here as a paid addon. This not only helps you out but other people, too, and the eco-system stays healthy.

Look what happened:

[Attached images: 1612568478956.png, 1612568496636.png]

More than 2 years ago I replied to a thread about payment providers. It was for XenForo 2.0.

Out of those mentioned 4 options back then, 2 don't exist at all anymore.
The other one was last updated 2 years ago (but is listed for 2.1 at least, so should probably work for 2.2).
And the last one is unmaintained and doesn't work for 2.1 or 2.2.

And now since you have the problem with PayPal, you come to that same thread and ask:

[Attached image: 1612568707088.png]

And I have no sympathy. You are clearly looking out for your own benefit which is understandable but only come here when you need something and if that something is not there, cry about XF. Again, if you make money, you gotta invest some of it. Now you commercial forum owners have no reliable payment provider addons anymore in the system. That's how bad the eco-system is right now. Your own fault.
(With "you/your" I mean like in general commercial business owners).
 
Sorry, but that's a very wrong answer.

XenForo should have a mechanism that makes sure the same user account can't sign up for the same membership several times, means only one time.
There is a solution, but it's not built into XenForo. There is a mod that, when set, once a user buys, that option disappears until the encounter expires or otherwise is no longer funded. This mod also allows for stacked memberships; for example, you require payment to use the forum, then another fee for premium levels. We have 3 levels.
 
Without commercial forum owners, there would likely be no quality designers, developers or service providers. Commercial forums spend more money on their forum, which brings more money to third party service providers/resource makers. Even if none of that work done is given back to the community, the money they spend keeps third party service providers afloat and allows them to offer free or paid services.
 