As designed Payment handler & XF::visitor()

Xon

Well-known member
Affected version
2.0.10
This may be 'as designed', but when handling a payment received from a payment provider the XF visitor is still set to a guest when running the user upgrade.

This makes any permission checks based on the ambient visitor likely to not work as expected, especially for 3rd party extensions. Especially as canPurchase is used in the GUI where you expect it to work off the current user.

:edit: In XF\Service\User\Upgrade::upgrade() canPurchase is called. It looks like the stock canPurchase always returns true since the user_id == 0, and that will (should?) never have an Active entry.
Code:
public function canPurchase()
{
   $visitor = \XF::visitor();
   return ($this->can_purchase && !isset($this->Active[$visitor->user_id]));
}
 
So what you're reporting is absolutely as designed -- this code isn't supposed to depend on the visitor.

However, I know why you're reporting it because we had a ticket recently where an upgrade wasn't being processed and we tracked it down to a behavior from your add-on, but one that we determined was really a bug in our code; if we're at this point, we shouldn't be checking canPurchase. That should be restricted earlier in the flow.

So that issue is already fixed for 2.0.11.
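
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not XenForo code: a purchase check evaluated against the ambient visitor during a payment-provider callback runs against a guest (user_id 0), while a check that receives the purchaser explicitly evaluates the account that actually paid. The classes `User`, `Context` and `UpgradeModel`, the method names, and user id 42 are all hypothetical and constructed for illustration (PHP 8+).

```php
<?php
// Constructed model for illustration; class and method names are hypothetical,
// not XenForo's API.
final class User
{
    public function __construct(public int $userId) {}
}

final class Context
{
    // Ambient "current visitor". In a provider callback nobody is logged in,
    // so this stays a guest (user_id 0).
    public static User $visitor;
}

final class UpgradeModel
{
    /** @param array<int,bool> $active user_id => holds an active purchase */
    public function __construct(
        public bool $canPurchase,
        public array $active = []
    ) {}

    // Same shape as the check quoted in the thread: depends on the ambient visitor.
    public function canPurchaseAmbient(): bool
    {
        $visitor = Context::$visitor;
        return $this->canPurchase && !isset($this->active[$visitor->userId]);
    }

    // Variant that names the principal explicitly, so the result is the same
    // in a browser request and in a provider callback.
    public function canPurchaseFor(User $purchaser): bool
    {
        return $this->canPurchase && !isset($this->active[$purchaser->userId]);
    }
}

// Callback context: the purchaser comes from the payment record, the visitor is a guest.
Context::$visitor = new User(0);
$purchaser = new User(42);                          // constructed sample user
$upgrade   = new UpgradeModel(true, [42 => true]);  // user 42 already holds the upgrade

// The ambient check looks up user_id 0; the explicit check looks up user_id 42.
var_dump($upgrade->canPurchaseAmbient());
var_dump($upgrade->canPurchaseFor($purchaser));
```

Add-on code that must run both in the GUI and in callbacks can take the user as a parameter and default to the visitor only at the controller layer, so the authorization decision never depends on which entry point invoked it.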
 