|
By jcosmo - Fri 27 Nov 2015
|
I believe there is a bug in the KartrisClasses.ShippingMethod.GetAll method...
Currently if you have ShippingGateways configured, and a Gateway either errors out or returns no ShippingOption, the GetAll method still returns a ShippingOption with the Gateway name and a Price of $0. This is a potential bug, because if a Gateway fails or returns no options, a customer can exploit this to get free Shipping when that isn't configured in the store.
The problem occurs because of how blnShippingGatewayUsed is set (on line 557 of KartrisClasses.vb). It only gets set if the call is successful and options are returned. On first glance that seems right, but if this isn't set, then Kartris later adds a manual shipping option for the Gateway on line 566.
I believe the fix is to move the setting of blnShippingGatewayUsed from line 557 to line 539.
This way as soon as we detect that the ShippingMethod is a ShippingGateway, we set blnShippingGatewayUsed to true. If the Gateway is off, or if the call to the Gateway fails, or if the Gateway doesn't return any ShippingOptions, then the ShippingMethodDropdownlist is kept clean and free of any errant Shipping Methods.
|
|
By Paul - Fri 1 Jan 2016
|
|
Thanks, have added to the latest code, will be in the v2.9002 release.
|
|