[IMPORTANT] Paypal Bug in OJS 2.2.x


Post by michael » Mon Feb 08, 2010 4:38 pm

The PKP team has identified a bug in PayPal payment management whereby an unauthorized user can view a listing of past payments and the details of specific payments. This bug only affects OJS 2.2.x.

It is recommended that all users of OJS 2.2.x apply the patch provided here:

If you have access to command-line tools, the patch can be applied by following the directions here:

If you don't have access to command-line tools, you can copy-and-paste the following two lines (marked with a '+') into pages/manager/ManagerPaymentHandler.inc.php (do not include the '+'; it's simply a marker to denote the addition of the line):

Code:
     function viewPayments($args) {
+      parent::validate();
       $rangeInfo = &Handler::getRangeInfo('CompletedPayments');
       $paymentDao = &DAORegistry::getDAO('OJSCompletedPaymentDAO');
       $journal =& Request::getJournal();
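
Review bot: The return value of the added parent::validate() call in viewPayments is discarded, so the fix only holds if validate() itself stops the request (redirect or exit) when the user is not authorized. That is not visible in these lines; confirm it, or check the result and return early before getRangeInfo() and the DAO lookup run. Since the same call was missing from two methods, the remaining methods of ManagerPaymentHandler are worth checking for the same omission.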

Code:
     function viewPayment($args) {
+      parent::validate();
       $paymentDao = &DAORegistry::getDAO('OJSCompletedPaymentDAO');
       $completedPaymentId = $args[0];
       $payment = &$paymentDao->getCompletedPayment($completedPaymentId);
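
Review bot: After the added parent::validate() in viewPayment, $completedPaymentId is still taken straight from $args[0] and passed to getCompletedPayment() as the only argument, so the lines shown do not tie the lookup to the current journal the way viewPayments fetches $journal. Check that the DAO or the code following this hunk rejects a payment that belongs to another journal, and cast $args[0] to an integer (handling a missing argument) before the lookup.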