At 3/22/01 8:05 AM, Winston D. Neutel wrote:
>Right now, if an RSP allows spoofable input at a crucial payment step
>( e.g. <input hidden payment-received="yes"> )
>it's entirely within their own system, and OpenSRS behaves as expected.
>
>If such payment-conditional input is allowed in the registration system,
>you have the question of "as expected by whom?" :-)
>
>Their own fault? Yes, but if there are enough such faults among RSPs,
>still a big problem for OpenSRS.

I think you're misunderstanding what people are asking for.

What's been requested is simply an optional extra flag in the XCP
protocol that overrides the reseller's "process or pend" setting.

By default the flag would not be used at all in the scripts, and would
certainly not be controlled by a hidden field in the HTML templates. It
would therefore not be vulnerable to the problem you describe.

It would be used only by people who modify the scripts themselves. The
difference is that instead of writing hundreds of lines of code to
develop a "pending" system outside of OpenSRS, the developer could add
just one line to the XCP message request to force a single order to pend
instead of process immediately (or vice versa).

As with the original poster, I'm disappointed that this has not yet been
implemented. It would have been trivial to do while other changes were
being made to the same code.

--
Robert L Mathews, Tiger Technologies
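
The distinction discussed in this thread, as an added example that is not part of the original messages and is not OpenSRS code: a per-order override set by script code from server-side payment state, next to the hidden-field anti-pattern from the quoted message. The `pend_override` attribute, the form field names other than `payment-received`, and the ledger are hypothetical and constructed for illustration; they are not XCP identifiers.

```python
# Added example. "pend_override", the form field names and the ledger are
# hypothetical; they are not OpenSRS/XCP identifiers.

# The only client-supplied fields that are ever copied into the request.
ALLOWED_FORM_FIELDS = ("domain", "period")

# Constructed server-side payment records, keyed by order id.
PAYMENT_LEDGER = {"A100": {"settled": True}, "A101": {"settled": False}}


def payment_settled(order_id):
    """Decide from server-side state only; nothing from the browser is consulted."""
    record = PAYMENT_LEDGER.get(order_id)
    return bool(record and record["settled"])


def build_request_unsafe(form):
    """Anti-pattern from the quoted message: a hidden field decides the outcome."""
    attrs = {name: form[name] for name in ALLOWED_FORM_FIELDS}
    paid = form.get("payment-received") == "yes"  # attacker-editable value
    attrs["pend_override"] = "process" if paid else "pend"
    return attrs


def build_request(form):
    """The override is set by script code; extra form fields are never forwarded."""
    attrs = {name: form[name] for name in ALLOWED_FORM_FIELDS}
    paid = payment_settled(form.get("order_id"))  # unknown order ids count as unpaid
    attrs["pend_override"] = "process" if paid else "pend"
    return attrs


if __name__ == "__main__":
    # Constructed submission: order A101 is unpaid, but the hidden field was edited.
    tampered = {"domain": "example.com", "period": "1",
                "order_id": "A101", "payment-received": "yes"}
    print("unsafe:", build_request_unsafe(tampered))
    print("safe:  ", build_request(tampered))
```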