I'm using Wix as an e-commerce solution and the way I understand it, I can only add code (not edit current code) to make specific changes to the site. The one change I want to make is to have the ability to authorize/capture PayPal payments at a later date for all the products I am selling.
I've read through the PayPal authorization/capture documentation here but am still confused for my specific use case considering the only button I have is a "Check Out with Paypal" once customers have added products to their cart as opposed to "Buy Now" or some of the other button options available.
Is there a way to easily integrate authorize/capture in this case and if so, can someone help me out with how? Hoping I can make one change no matter how many different products a customer is purchasing that allows me to either capture all or part of the entire purchase amount and void the rest.
I've scoured the internet, but don't feel like anything I've come across is directly applicable. See here and here. The latter link makes it look insanely easy, but again I think the problem lies in the fact that I'm using Wix and can't directly edit existing code.
If anyone can provide directions/code necessary to implement this I'd be extremely grateful. Thanks so much in advance!
Note: It appears Wix integrates with PayPal Standard and all I need is the "Basic Authorization" capability, NOT "Order Authorizations."
The latter link makes it look insanely easy, but again I think the problem lies in the fact that I'm using Wix and can't directly edit existing code.
You've nailed it. It would be that easy, just add the parameter paymentaction=authorization when redirecting to PayPal, but Wix needs to provide a way for this to happen.
Many shopping carts -- especially those that integrate via an API rather than Payments Standard -- have a checkbox in their settings to toggle on authorization mode vs. immediate capture (sale) mode. The reason API-based integrations are much more likely to implement such a setting, is that an API is needed for the shopping cart to be able to capture the authorization at a later point in time. API-less integrations (like payments standard) cannot do the capture themselves (because this requires an API call), and so with standard you'll always need to log into www.paypal.com for the capture later on.
Anyway, there's probably no way forward unless Wix provides you with one.
Wix could well be using an API integration rather than the HTML-only Payments Standard, but the problem is the same: the API needs to specify 'authorization' (instead of 'sale'/'capture'), and from their lack of documenting the feature it does not appear Wix has implemented this.
Most shopping cart/platform providers do support authorization and capture, so you could make the feature request to Wix, and/or consider switching providers if it's a must-have.
On a general note, using authorization and capture adds complexity to payment processing, and the capture is not guaranteed to be successful. You can get a successful authorization and then have the payment fail when you try to capture it (happens in a certain % of cases, when funds are no longer available or the card decides to decline). So in general, you use immediate sale/capture at checkout time (not authorization) unless you have very specific and well-defined business needs to not be capturing up front (and refunding in the case of exceptions).
Related
I am writing a REST API. However, one of the requirements is to allow the caller to determine if an action may be performed (so that, for example, a button can be enabled or disabled, etc.)
The action might not be allowed for several reasons - perhaps user permissions, but possibly because, for example, you can't delete a shared object, or you can't create an item with the same name as another item or an array of other business rules.
All the logic to determine if something can be deleted should be determined in the back end, but the front end must show this in the GUI.
I am trying to find the right pattern to use for this in REST, and am coming up a bit short. I could create a parallel API so for every entity endpoint there was an EntityPermissions endpoint, but that seems to be overkill. I could also do something like add an HTTP header that indicates that the request was only to check permisisons, not perform it, but that seems a bit dubious, and likely to mess up the http cache.
Can anyone point me to the common pattern for doing something like this? Does it have a name? Or a web page that discusses it? I'm sure everyone has their own ideas on this (like my dumb ideas) but I this seems to be a common enough requirement that I figure there must be a common pattern for it. But google didn't help much.
There's going to be multiple opinionated answers about this. I'll share mine. Might not be the best for your problem, but it's a valid solutions.
If you followed the real definition of REST, you would be building a hypermedia/HATEOAS-style webservice. Urls would not be hardcoded, they would be discovered and actions would be discovered by the existence of a link.
If an action may not be performed, you can just hide the link. If a user fetches the next resource they just see all the available actions right there.
A popular format for hypermedia API's is HAL. You might decorate the links further with more information from HTTP Link hints.
If this is the first time you heard of hypermedia API's, there might be a bit of a learning curve. The results of learning this can be very beneficial though.
Using a simple tool like FireBug, anyone can change javascript parameters on the client side. If anyone take time and study your application for a while, they can learn how to change JS parameters resulting in hacking your site.
For example, a simple user can delete entities which they see but are not allowed to change. I know a good developer must check everything on server side, but this means more overhead, you must do checks with data from a DB first, in order to validate the request. This takes a lot of time, for every action someone must validate it, and can only do this by fetching the needed data from DB.
What would you do to minimize hacking in that case?
A more simple way to validate is to add another parameter for every javascript function, this parameter must be a signature between previous parameters and a secret key.
How good sounds the solution above to you?
Our team use teamworkpm.net to organize our work. I just discovered that I can edit someone else tasks by changing a javascript function (which initially edit my own tasks).
when every function call to server, in server side before you do the action , you need to check if this user is allowed to do this action.
It is necessary to build server-side permissions mechanism to prevent unwanted actions, you may want to define groups of users, not individual user level, it makes it easier.
Anything on the client side could be spoofed. If you use some type of secret key + parameter signature, your signature algorithm must be sufficiently random/secure that it cannot be reverse engineered.
The overhead created with adding client side complexity is better spent crafting proper server side validations.
What would you do to minimize hacking in that case ?
You can't work around using validation methods on the server side.
A more simple way to validate is to add another parameter for every javascript function, this parameter must be a signature between previous parameters and a secret key.
How good sounds the solution above to you ?
And how do you use the secret key without the client seeing it? As you self mentioned before, the user easily can manipulate your javascript, and also he can read everything in javascript, the secret key, too!
You can't hide anything in JavaScript, the only thing you can do is to obscure things in JavaScript, and hope nobody tries to find out what you try to hide.
This is why you must validate everything on the server. You can never guarantee that the user won't mess about with things on the client.
Everything, even your javascript source code is visible to the client and can be changed by them, theres no way around this.
There's really no way to do this completely client-side. If the person has a valid auth cookie, they can craft any sort of request they want regardless of the code on the page and send it to your server. You can do things with other, encrypted cookies that must sent back with the request and also must match the inputs on the page, but you still need to check this server-side. Server-side security is essential in protecting your application from unauthorized access and you must ensure, server-side, that every action being performed is one that the user is authorized to perform.
You certainly cannot hide anything client side, so there is little point in trying to do so.
If what you are saying is that you are sending something like a user ID and you want to ensure that the returned value has not been illicitly changed then the simplest way of doing so it probably to generate and send a UUID alongside it, and check on return that the value of the uuid matched that stored on the server for the userID before doing any further processing. The space for uuid's is so large that you can discount any false hits ever occurring.
As to actual server side processing vulnerabilities:- you should simply always build in your security/permissions as close to the database as you can, and defiantly not in the client. There's nothing different in the scenario you outline from any normal client-server design.
Peter from Teamworkpm.net here - I'm one of the main developers and was concerned to come across this report about a security problem. I checked into this and I am happy that is not possible to delete a task that you shouldn't have access to.
You get a message saying "You do not have permission to delete this task".
I think it is just the confusion between being a Project Administrator and being an overall Administrator that is the problem here :- You may not be a member of a project but as an overall administrator, you still have permission to delete any task within your Teamwork site. This is by design.
We take security very seriously and it's all implemented server side because as Jens F says, we can't reply on client side security.
If you do come across any issues in TeamworkPM that you would like to discuss, we'd encourage any of you to just hit the feedback link and you'll typically get an answer within a few hours.
To explain my question more i am going to explain what I'm doing.
I am doing my final project at uni and i don't want to be wasting my time so i want to know if this is possible.
I have a digital forensic report that gets filled out by every investigator and it goes to the case officer to review before carrying on with a case. I want to make that easier by creating a html form that can take the investigators notes and put them in the form for them.
Is this possible?
Building such an application is perfectly possible, and without much fuzz, depending on the scope of your target and if you have already built an web application before.
If you just have to upload documents through a web form, and these will be appended to a final document (may be a PDF which will be rendered on the website) such that the case officer will have less work with reviewing as he can just scroll through, this could already do the job.
Since you are not asking about handwriting recognition or OCR, you do not seem to have any specifications on how to do this yet?
Also do you have a legacy system in which you will have to integrate your application? Or is it a greenfield project where you will also build the 'html forms' by yourself?
But you should get your supervisors do their job and get them to define the applications scope for you properly.
Otherwise this might turn into a neverending story via scope creep when you try to recognize all the handwritings on the documents (not just block lettering), have to support a dozen input formats (not just pdf), ...
I'm working on a web application (Java EE backend) which contains a fairly complex input modal. This input modal allows the user to capture data, but it has a bunch of (JavaScript) restrictions, such as mandatory fields, fields only being available if a specific value is entered, etc.
I have to expose this functionality to external systems and allow them to submit this data to my server. These external systems can be both web or client based (but I can assume that the clients will have internet access). My first thought is to provide some kind of definition of the fields and stuff like mandatory to these systems through services, and have them render the input modal however they want. This has been met with resistance though, because the types of fields and restrictions will likely change quite a bit during the next few months of development. These external systems have different deployment timelines, and for this to work we'll have to firstly duplicate all the logic handling these restrictions across all systems, and secondly synchronize our deployments.
An alternative which has been proposed is to have the external systems call my modal through standard HTTP and render it either in an iframe or in an embedded rendered. This solves all of the previous complaints, but it leaves me feeling a little uneasy.
Are there any alternatives we are not thinking of? Maybe some kind of UI schema with existing render libraries for the different platforms? What are your thoughts on the second proposal, any major concerns or is this the "best" solution?
Edit: To clarify, I'll of course still perform backend validation regardless of the frontend decision, as I can't just trust the incoming data.
The constraints that you mention (mandatory fields etc.) really have nothing to do with the user interface. You are also right that it is not a good idea to have your backend render web content.
Your first proposal sounds like a good idea, here's how I would solve the issues you mentioned:
Do all the validation on the backend and send a model object to the client, representing the current state of the UI (field name, type, enabled/disabled, error message etc.).
Keep the client as dumb as possible. It should only be responsible for rendering the model on a window / webpage. Whenever a field is changed and it requires validation, submit the model to the backend for validation and get back a new model to be displayed. (You could optimize this by only returning the fields that changed.)
Doing it this way will keep your validation logic in one place (the backend) and the clients rarely need to be modified.
I have been faced with same issues in several previous projects. Based on this experience I can honestly say that server-side validation is the thing you will likely have to implement to avoid rubbish being committed from client side regardless if it comes from GUI or other third party system via API. You can choose one of available validation frameworks, I used Apache Commons Validator and think it is well, or you can implement your own one. On the other hand client side pre-validation, auto-completion and data look up are the solutions you should have to make human users happy. Do not consider about code duplication, just make your system right way from the business point of view.
We found some code being inserted into emails sent by our proprietary email system and have no idea of its provenance.
My company sends a lot of bulk email for clients. (We follow all the best practice protocols to ensure we're not spammers.) The system is proprietary, based on open source code. Customers have a GUI to enter content, similar to the big guys like MailChimp and the like.
A staff member brought a UI challenge with the GUI to me, using a client's bulk email as an example. I dug into the source to see if they had some exotic CSS that might be affecting my interface, when I noticed the following tag:
<custom name="opencounter" type="tracking"> </custom>
My interface certainly doesn't insert that code into an email.
What is opencounter? Who's technology is it? Does it have a valid reason for being used on our (proprietary) email system?
It appears that "opencounter" is a proprietary counting mechanism used by Exact Target's bulk mailing system. Apparently, the client was copy/pasting from an old campaign done on ExactTarget to move the design to our system. It is therefore safe for me to remove.
My best guess is that it is something that is auto-substituted to put in some tracking information into the individual e-mails. I'd suggest doing some tests on "bulk" e-mails you've set up just to yourself. Put some known content immediately either side of it and then send yourself this e-mail and view the source to see if its been substituted with anything. e.g.
XXX<custom name="opencounter" type="tracking"> </custom>YYY
If the final output has XXXYYY or something then you'll know its a tracker in the bulk e-mailer. If it outputs as is you can probably safely assume you can get rid of it. If it gets rid of it completely then it may be used for some kind of processing on the server but I'm not sure what that might be...
The other thing you can do is to do a search of your entire codebase for "opencounter" to see if there are any references to it.
One final thought: Does your customer interface allow them to put in HTML directly or is it just a gui? It occurs to me that if they used a previous bulk e-mailer then it might be something specific to that one that got copied over if its not in yours.
We had a similar situation and traced it back to a user who was utilizing a third-party WYSIWYG tool to develop code that they then pasted into our CMS. It's a harmless issue, but it points to the need to improve our tool so that others don't feel like they have to use another editor.