The "success" method is called as a callback when the payment at PayPal is finished. But there is no guarantee that the payment has really been done. A user could call the success URL himself, and the controller will mark the payment as COMPLETE.
I think that is a high security risk. The only one that should mark a payment as complete is the IPN notification, once it has verified the notification with PayPal.
I will submit a pull request fixing this later.
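The separation described in this issue, as an added Python sketch that is not the project's code or the promised pull request: the return URL only reads the order state, and only an IPN message that PayPal confirms with `VERIFIED` and that matches the stored order marks it COMPLETE. The order store, `MERCHANT_EMAIL`, the `postback` callable, the use of the `invoice` field as the order id and the sample message are all constructed assumptions.

```python
from urllib.parse import parse_qsl

# Constructed in-memory state; a real application would use its database.
ORDERS = {"1001": {"amount": "19.99", "currency": "EUR", "status": "PENDING"}}
SEEN_TXNS = set()
MERCHANT_EMAIL = "merchant@example.com"  # assumed receiver account

# Constructed sample IPN body (form-encoded, as PayPal posts it).
SAMPLE_IPN = (b"invoice=1001&payment_status=Completed"
              b"&receiver_email=merchant%40example.com"
              b"&mc_gross=19.99&mc_currency=EUR&txn_id=TXN-CONSTRUCTED-1")


def handle_success_return(order_id):
    """Browser return URL: anyone can request it, so it never changes state."""
    return ORDERS[order_id]["status"]


def handle_ipn(raw_body, postback):
    """IPN listener. `postback` (hypothetical helper) sends bytes back to
    PayPal's IPN endpoint and returns the response body as text."""
    # Echo the message byte-for-byte, prefixed with cmd=_notify-validate.
    if postback(b"cmd=_notify-validate&" + raw_body).strip() != "VERIFIED":
        return "rejected: not verified by PayPal"
    msg = dict(parse_qsl(raw_body.decode("utf-8")))
    order = ORDERS.get(msg.get("invoice", ""))
    if order is None:
        return "rejected: unknown order"
    if msg.get("payment_status") != "Completed":
        return "ignored: payment not completed"
    if msg.get("receiver_email") != MERCHANT_EMAIL:
        return "rejected: wrong receiver"
    # A verified message can still be for another amount or currency.
    paid = (msg.get("mc_gross"), msg.get("mc_currency"))
    if paid != (order["amount"], order["currency"]):
        return "rejected: amount mismatch"
    txn = msg.get("txn_id")
    if not txn or txn in SEEN_TXNS:
        return "ignored: duplicate transaction"
    SEEN_TXNS.add(txn)
    order["status"] = "COMPLETE"
    return "completed"
```
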