checkitout
SUPEE-9767?
Are there any plans to include the SUPEE-9767 changes?
Currently formkey validation in e.g. OnepageController::savePayment etc. is missing.
Hi @jthln, thanks for the report! I haven't looked into this just yet, though I shall do so in the coming week or so.
A quick glance at this seems to indicate that this should be compatible with the form key changes -- the method savePaymentAction() does a call to parent::savePaymentAction(), which in turn checks the form key changes.
https://github.com/EcomDev/checkitout/blob/d8f3f56b0d4b4c2572c8ea849505107979486304/src/app/code/community/EcomDev/CheckItOut/controllers/OnepageController.php#L481
Or are you talking about something else?
I guess the various templates need to be updated to include the form key though?
Oh indeed, if they do not include it, then they must. I need to do this in the coming weeks anyway -- So, yes, there are plans to include it, but at this stage I don't have a fixed timeframe.
I've been testing this and no template changes are needed in this extension from what I can see. Since this extension uses the various form templates from the standard onepage checkout, then provided those have been adjusted in the active theme to include the form_key fields then it all works fine.
Note: the JavaScript fix in release v1.5.15 is needed to prevent one of the form_key fields from becoming disabled.
I haven't yet determined whether the form_keys are being validated on submission of every step - from a quick look I can see that not all methods call the parent so it is possible there may need to be some minor changes here, but this doesn't prevent checkout from working.
@bluec Thanks for your work, it's much appreciated <3
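The open question in this thread, which overridden checkout actions neither validate the form key themselves nor hand off to the parent action, can be checked mechanically. The following is an added example, not code from the extension or from anyone in the thread. It assumes the parent is a SUPEE-9767-patched core controller, and the class name and sample source are constructed for illustration.

```python
import re

# Public "*Action" method declarations in a Magento 1 controller class.
ACTION_RE = re.compile(r"public\s+function\s+(\w+Action)\s*\(")

def action_bodies(php_source):
    """Yield (name, body) per action method. Plain brace counting: braces
    inside PHP strings or comments are not handled (heuristic only)."""
    for m in ACTION_RE.finditer(php_source):
        start = php_source.find("{", m.end())
        depth = 0
        for i in range(start, len(php_source)) if start != -1 else ():
            depth += {"{": 1, "}": -1}.get(php_source[i], 0)
            if depth == 0:
                yield m.group(1), php_source[start:i + 1]
                break

def unchecked_actions(php_source):
    """Actions that neither call _validateFormKey() themselves nor delegate
    to parent::<sameName>(), i.e. candidates for manual review."""
    flagged = []
    for name, body in action_bodies(php_source):
        delegates = re.search(r"parent::" + re.escape(name) + r"\s*\(", body)
        if "_validateFormKey(" not in body and not delegates:
            flagged.append(name)
    return flagged

# Constructed sample, not code from the extension.
SAMPLE = """
class Example_OnepageController extends Mage_Checkout_OnepageController
{
    public function savePaymentAction()
    {
        parent::savePaymentAction();
    }
    public function saveShippingAction()
    {
        $data = $this->getRequest()->getPost('shipping', array());
        $this->getOnepage()->saveShipping($data, false);
    }
    public function saveBillingAction()
    {
        if (!$this->_validateFormKey()) { return; }
        $this->getOnepage()->saveBilling(array(), false);
    }
}
"""

if __name__ == "__main__":
    print(unchecked_actions(SAMPLE))
```

A flagged method is only a lead for review: the check is textual, so validation done in a helper or in preDispatch() would not be seen by it.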