[IMPORTANT] Paypal Bug in OJS 2.2.x


Postby michael » Mon Feb 08, 2010 4:38 pm

The PKP team has identified a bug in PayPal payment management whereby an unauthorized user can view a listing of past payments and the details of specific payments. This bug only affects OJS 2.2.x.

It is recommended that all users of OJS 2.2.x apply the patch provided here:

If you have access to command-line tools, the patch can be applied by following the directions here:

If you don't have access to command-line tools, you can copy-and-paste the following two lines (marked with a '+') into pages/manager/ManagerPaymentHandler.inc.php (do not include the '+'; it's simply a marker to denote the addition of the line):


     function viewPayments($args) {
+      parent::validate();
       $rangeInfo = &Handler::getRangeInfo('CompletedPayments');
       $paymentDao = &DAORegistry::getDAO('OJSCompletedPaymentDAO');
       $journal =& Request::getJournal();
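
Review bot: In viewPayments() the return value of the added parent::validate() is discarded, so the fix only holds if validate() itself ends the request (for example by redirecting and exiting) when the caller is not authorized. If validate() can return a failure value instead, the listing code that follows still runs; confirm that it terminates, or return early from viewPayments() when it fails. Since two functions in pages/manager/ManagerPaymentHandler.inc.php were missing the call, the remaining functions in that file deserve the same check.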


     function viewPayment($args) {
+      parent::validate();
       $paymentDao = &DAORegistry::getDAO('OJSCompletedPaymentDAO');
       $completedPaymentId = $args[0];
       $payment = &$paymentDao->getCompletedPayment($completedPaymentId);
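
Review bot: In viewPayment(), $completedPaymentId is taken directly from $args[0] and passed to getCompletedPayment() with no check that the argument is present or numeric, and nothing in the visible lines ties the fetched payment to the current journal, whereas viewPayments() does obtain Request::getJournal(). After the added parent::validate(), cast the ID to an integer and confirm that the returned payment exists and belongs to the current journal before displaying it.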
