Showing ideas with label platform.
We made styling for the Magento Luma theme, but we did not use all Magento frontend functions. Could you provide me with all the frontend pages that are in a fresh Magento Luma theme (preferably as a URL list)? We need to compare them with our function lists.
Hi Team,

We would request that you please update all three parameters as per your suggestion and set the maximum limit for them:

- process_control_timeout
- pm.process_idle_timeout
- request_terminate_timeout

Thank you.
Version: Magento 2.4.2
Payments: Opayo PI integration

Issue: Orders with a failed payment create a "Pending Payment" state order, subsequently empty the customer cart, and don't allow for a payment re-attempt. This occurs for any payment/card failure (wrong digit, failed 3d secure, wrong CVC). These are very common user errors for ecommerce. This creates a negative user experience as the customer then has to re-shop for their cart content and re-checkout.

This is because:
1. Magento default is for orders to be placed into order state "Pending Payment" as the checkout page is redirected for payment validation from bank/provider (3d Secure). This 'creates' the order whilst payment is sent for approved/refused. As 3d secure is worldwide mandatory in 2022 this will impact all store checkouts.
2. If this fails due to incorrect card details or fail of 3d secure, the order remains Pending Payment and the customer has their basket subsequently cleared.

Suggestion: Orders should not be created until payment is authorised from provider. If refused, return to checkout page. If authorised, proceed to order creation upon success. Allow for cart data to be retained and re-provided if payment is failed, not to create a Pending Payment order.

This causes many issues for sellers and is a huge cause of abandoned carts and negative feedback. This should be native behaviour for Magento to provide customers another attempt to pay rather than removing the cart and placing a useless Payment Pending order.
Hello! I'm deploying Magento for the first time. Version CE 2.3.7 from package. Added a bunch of plugins, most of which have been OK. Just doing final integration testing now.

We use Gluu for Customer Identity Management. Integrating Gluu with Magento has been a drama. The Gluu code provided is all for Magento1. We have it working now with help from a Magento marketplace plugin. But this doesn't really seem the sort of job a plugin is designed for (compared to other plugins I've installed). I can't help thinking this feature would be better embedded in the core code.

Any chance customer identity outsourcing via OAuth 2 / OpenID Connect is a feature planned for a future release? Either with or without SCIM support for replicating/editing customer profile data.

I've written my own integrations for our in-house applications, so I have:
1) test environments
2) a good knowledge of the transactions/protocols involved
3) lots of customer data
4) experience with working with open source development

What I don't have is:
1) php experience (I have some)
2) experience with Magento 2 source code

If someone is working on OAuth / OpenID authentication for customer identity management in Magento 2 - please reach out. If you know that adding this to the core Magento2 code is a bad idea, please let me know why. If you think adding this to the core Magento2 code is a good idea, please encourage me. If there is a good place to start (adding this to the core code).

If I wanted to work on this, should I fork the 2.4-develop or 2.5-develop branch as the starting point? (I know the contributions guide says 2.4, but I'm wondering why there is a 2.5, and since this is probably not a minor change, or quick change, if targeting 2.5 is more sensible). I can't find any mention of a planned release timeline for 2.5...

TIA!
Add CLI command to create new module folder under app/code directory with registration.php and etc/module.xml files. Something like bin/magento module:create Vendor_ModuleName
Hi,

We need a way to manage users who have access to export data. For operational reasons we may need to give users access to «Customers» and «Sales» sections but we also need a way to stop them from exporting this data for obvious security reasons. I understand the user will still have access to the information in the section but exporting is a whole other level of data protection sensibility.

I think it is really weird that a solution like Magento with a PCI compliant status does not offer that. Customer data is a very important thing and we need to be able to protect it.

Thank you for considering this request.

Alexis Charlebois
A mode of operation of a block cipher is an algorithm that describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block. Some of the modes of operation include Electronic Codebook (ECB), Cipher Block Chaining (CBC), and Cipher Feedback (CFB). ECB mode is inherently weak, as it results in the same ciphertext for identical blocks of plaintext. CBC mode is the superior choice as it does not have this weakness. Messages encrypted with a weak cryptography algorithm can be decrypted via brute-force attacks.

1. Use a strong mode of operation like CBC instead of ECB.
2. Use any authenticated encryption mode, such as GCM, EAX or OCB.

For more information refer: https://www.owasp.org/index.php/Testing_for_Weak_Encryption_(OTG-CRYPST-004)

Ex:

    $mode = MCRYPT_MODE_ECB

    $mode = MCRYPT_MODE_ECB,
    $initVector = false
    ) {
        if (true === $initVector) {
            // @codingStandardsIgnoreStart
            $handle = @mcrypt_module_open($cipher, '', $mode, '');
        }

Traced in vendor\magento\framework\Encryption\Crypt.php Line: 57 and a few other vendor files.

CWE Code: CWE-327
The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers. When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.

1. java.security.SecureRandom should be used instead of java.util.Random.
2. Use cryptographically secure generators that are strongly believed to be very difficult to predict.

Ex:

    var rand10 = Math.random().toString().substr(2, 10);

    this.boundary = '------RWWorkerFormDataBoundary' + Math.random().toString(36);

Math.random() code traced in \lib\web\FormData.js (Line:46) and a few other vendor files.

CWE Code: CWE-676
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. An attacker may be able to break the algorithm and compromise whatever data has been protected, which may result in the exposure of sensitive information.

1. Do not develop custom or private cryptographic algorithms.
2. Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048.

For more information refer: http://wiki.scap.org.cn/cwe/en/definition/327

Ex:

    $sha1Sum = sha1($contents);

    $cacheKey = sha1($routePath . $this->serializer->serialize($cachedParams));
    if (!isset($this->cacheUrl[$cacheKey])) {
        $this->cacheUrl[$cacheKey] = $this->getUrlModifier()->execute(
            $this->createUrl($routePath, $routeParams)
        );
    }

In the vendor\magento\framework\Url.php (Line:870) file, SHA1 is used. We can use a modern crypto algorithm.

CWE Code: CWE-327
Password or key management issues occur when a password or key is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password or key management problem by obscuring the password or key with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password or key. An attacker can easily gain access to the system by breaking encryption.

Example:

    $user_pass = base64_encode($auth_username . ":" . $auth_password);

$user_pass = base64_encode traced in vendor\magento\framework\HTTP\Client\Curl.php (Line Number-173) and a few other vendor files.

    public function setCredentials($login, $pass)
    {
        $val = base64_encode("{$login}:{$pass}");
        $this->addHeader("Authorization", "Basic {$val}");
    }

and in the file path: vendor\magento\framework\HTTP\Client\Socket.php (Line : 179)

    public function setCredentials($login, $pass)
    {
        $val = base64_encode("{$login}:{$pass}");
        $this->addHeader("Authorization", "Basic {$val}");
    }

CWE Code: CWE-261
On our shop we sell clothing. When products are sold out we want to show them as "back soon" on the POP. People can use the "product alert" to subscribe for a back in stock notification.

Idea: For our product (clothing) we use the attribute "Size" e.g.: XS, S, M, L. We want customers to be able to filter on these sizes when browsing our catalogue. However, when filtering on a Size, Magento shows all products for which this attribute is applicable, regardless of whether they are in stock or not. Therefore it can be the case that when using this filter as a customer, you click on the results and on the PDP of this product you see this size is actually not in stock.

As a merchant I would like Magento to provide filter results considering the actual stock level and only show results of products that have positive stock for this attribute. I know that a solution can be to hide products from the POP when they are out of stock, but then we cannot use the "re-stock alert" function.

Thanks!
Google recommends using "www.recaptcha.net" in your code in circumstances when "www.google.com" is not accessible.

https://developers.google.com/recaptcha/docs/faq
https://developers.google.com/recaptcha/docs/faq#can-i-use-recaptcha-globally

Can I use reCAPTCHA globally? Yes, please use "www.recaptcha.net" in your code in circumstances when "www.google.com" is not accessible.

Other platforms and their modules provide a toggle or configuration option to replace the recaptcha URL with www.recaptcha.net in countries where Google may not be accessible (such as China):

https://www.drupal.org/project/recaptcha/issues/2993365
https://wordpress.org/support/topic/add-option-to-load-resources-from/
Migrated from M1.9 to M2, but just too much server power required and server config knowledge and interaction. Had to switch to OpenCart, a huge mistake, but very little choice in the marketplace when using multilingual sites with excellent SEO capabilities. I would love to see a Magento 2 LITE version available. I hope to be back and using Magento one day :(
Here's an idea. Make it user friendly, you know, like WIX! At the moment you need the IQ and programming ability of Sheldon Cooper just to upload images! I have to have this ECommerce platform, it's the only one that will integrate with my EPOS system. With my basic skills I cannot do it! Frustrated isn't the word!
There doesn't appear to be a way to schedule a banner within a slider. Let's say I want to show a holiday banner as part of a slider series but have it run specific dates like a weekend. Current workaround seems to be to create a new duplicate slider just for that. The sliders have date control, but that doesn't seem optimal since I'd actually need 3 duplicate sliders to do before, during, then after. If each banner could have run dates, that seems like it'd be much easier and better. At the banner level, not the slider level.
Not entirely sure why this had not been posted before. We finally launched Magento upgrade to 2.3.3 from 2.1.8 last week, which was successful, but we quickly discovered that there was a feature we never encountered during testing which we don’t have an easy way to get rid of - “B2B Emails”. These seem to fire randomly every time either company or company user is updated in synchronization, or really even updated for any reason in user interface. There doesn’t appear to be any way to turn it off either. For every marketing feature of Magento that involves an email going out, especially to a customer, there HAS to be a way to turn it off without overriding product code. In fact, there should be a unified admin module that tracks all outbound communication types currently active in one place, and allows them to be activated/deactivated individually. Not being able to turn off annoying emails that seem to fire randomly and frequently immediately forces customers to flag us as spammers, which degrades our ability to communicate with customers on valid and production necessary items - password resets, order confirmations, true marketing specials etc.
We are using tier pricing to accurately present a price for a product. The situation is that if we have an item where we are selling e.g. 500 @ £23.68, the individual cost per item is £0.04736. Magento only appears to calculate 2 decimal places, making the item £0.048. This would make our item £24.00. In this case, as with all others, the price is wrong!
I think forcing users to write reviews is not best practice. You should look up to Google Maps for example, and allow merchants to accept review without making mandatory review. I believe this would increase the number of reviews significantly and eventually boost sales.
Status: New
Submitted on 06-05-2019 05:16 AM by antonioeternalparquet_antonioeternalparquet
Hello, I am running a server with Plesk installed with the latest version 17.8.11. The Magento package for Plesk is version 2.1.0. I would like to install the latest version 2.3.1 but the Plesk support said that this version is not supported. When will the APS package be upgraded with the latest Magento version? Thanks for your answer.
Hi!

We're running Magento Commerce 2.3 in Docker containers and are looking at centralising logging using Docker's logging framework. For this to work, all logging from applications inside the container needs to be sent to stdout/stderr to be collected by Docker's log service, instead of the standard files under `var/log` and `var/reports`.

The Monolog logging framework used by Magento can log in the way required using its `streamhandler` output, configured to send to `php://stderr`. As Magento does not appear to expose Monolog's configuration for the default loggers, we've tried to re-assign all handlers via DI to the streamhandler as described above, but have had very little luck.

Could you please advise if there's a way to configure the default loggers, either via config or code, to send output to stdout/stderr, or accept a feature request to provide this level of configuration?

Thanks, Todd.