[FIX] payment_paypal: receiver email different than business email
Check receiver_email only if receiver_id was not checked. In Paypal, it is possible to configure a receiver_email that is different from the business email (the login email). In Odoo, there is only one field for the Paypal email: the business email. It isn't possible to set a receiver_email different from the business email. Therefore, if you want such a configuration in your Paypal, you are obliged to fill in the Merchant ID in the Paypal payment acquirer in Odoo, so that the check is performed on this variable instead of the receiver_email. At least one of the two checks must be done, to avoid fraudsters. opw-648776
parent
4626240d5d
commit
097fbd3941
|
@ -227,10 +227,17 @@ class TxPaypal(osv.Model):
|
||||||
if tx.partner_reference and data.get('payer_id') != tx.partner_reference:
|
if tx.partner_reference and data.get('payer_id') != tx.partner_reference:
|
||||||
invalid_parameters.append(('payer_id', data.get('payer_id'), tx.partner_reference))
|
invalid_parameters.append(('payer_id', data.get('payer_id'), tx.partner_reference))
|
||||||
# check seller
|
# check seller
|
||||||
if data.get('receiver_email') != tx.acquirer_id.paypal_email_account:
|
|
||||||
invalid_parameters.append(('receiver_email', data.get('receiver_email'), tx.acquirer_id.paypal_email_account))
|
|
||||||
if data.get('receiver_id') and tx.acquirer_id.paypal_seller_account and data['receiver_id'] != tx.acquirer_id.paypal_seller_account:
|
if data.get('receiver_id') and tx.acquirer_id.paypal_seller_account and data['receiver_id'] != tx.acquirer_id.paypal_seller_account:
|
||||||
invalid_parameters.append(('receiver_id', data.get('receiver_id'), tx.acquirer_id.paypal_seller_account))
|
invalid_parameters.append(('receiver_id', data.get('receiver_id'), tx.acquirer_id.paypal_seller_account))
|
||||||
|
if not data.get('receiver_id') or not tx.acquirer_id.paypal_seller_account:
|
||||||
|
# Check receiver_email only if receiver_id was not checked.
|
||||||
|
# In Paypal, this is possible to configure as receiver_email a different email than the business email (the login email)
|
||||||
|
# In Odoo, there is only one field for the Paypal email: the business email. This isn't possible to set a receiver_email
|
||||||
|
# different than the business email. Therefore, if you want such a configuration in your Paypal, you are then obliged to fill
|
||||||
|
# the Merchant ID in the Paypal payment acquirer in Odoo, so the check is performed on this variable instead of the receiver_email.
|
||||||
|
# At least one of the two checks must be done, to avoid fraudsters.
|
||||||
|
if data.get('receiver_email') != tx.acquirer_id.paypal_email_account:
|
||||||
|
invalid_parameters.append(('receiver_email', data.get('receiver_email'), tx.acquirer_id.paypal_email_account))
|
||||||
|
|
||||||
return invalid_parameters
|
return invalid_parameters
|
||||||
|
|
||||||
|
|
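Review bot: The choice between the receiver_id check and the receiver_email check is driven by the posted feedback itself, in the new `if not data.get('receiver_id') or not tx.acquirer_id.paypal_seller_account:` branch. When a Merchant ID is configured and the notification omits receiver_id, validation falls back to the e-mail comparison instead of recording an invalid parameter, so the Merchant ID is enforced only when the sender chooses to include it. Selecting the check from the acquirer configuration alone still guarantees that one of the two checks runs, and makes the Merchant ID mandatory once it is set; this assumes PayPal always sends receiver_id, which should be confirmed, and whether `data` has already been verified with PayPal is not visible here. The enclosing method starts above the hunk.

```python
# … unchanged: payer_id check …
# check seller
# … unchanged: explanatory comment on receiver_email vs. business email …
if tx.acquirer_id.paypal_seller_account:
    # Merchant ID configured: require it, whatever the feedback contains.
    if data.get('receiver_id') != tx.acquirer_id.paypal_seller_account:
        invalid_parameters.append(('receiver_id', data.get('receiver_id'), tx.acquirer_id.paypal_seller_account))
elif data.get('receiver_email') != tx.acquirer_id.paypal_email_account:
    invalid_parameters.append(('receiver_email', data.get('receiver_email'), tx.acquirer_id.paypal_email_account))
```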