Hi,
Recently I upgraded my site to 2.4.2, and found out that for the in-store delivery option, stores have to be sourced with sufficient saleable quantity in order for customers to select them in the checkout shipping step. I think it would be nice to have an option to set up stores for pick up regardless of the quantity, so the user can select the location for pick up as long as there is positive aggregated stock from all the sources, and we merchants can ship the order to that location from other sources. Thank you
A mode of operation of a block cipher is an algorithm that describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block. Some of the modes of operation include Electronic Codebook (ECB), Cipher Block Chaining (CBC), and Cipher Feedback (CFB). ECB mode is inherently weak, as it results in the same ciphertext for identical blocks of plaintext. CBC mode is the superior choice as it does not have this weakness. Messages encrypted with a weak cryptography algorithm can be decrypted via brute-force attacks.
1. Use a strong mode of operation like CBC instead of ECB.
2. Use any authenticated encryption mode, such as GCM, EAX or OCB.
For more information refer: https://www.owasp.org/index.php/Testing_for_Weak_Encryption_(OTG-CRYPST-004)
Ex:
    $mode = MCRYPT_MODE_ECB
    $mode = MCRYPT_MODE_ECB,
    $initVector = false
) {
    if (true === $initVector) {
        // @codingStandardsIgnoreStart
        $handle = @mcrypt_module_open($cipher, '', $mode, '');
    }
Traced in vendor\magento\framework\Encryption\Crypt.php (Line: 57) and a few other vendor files.
CWE Code: CWE-327
The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers. When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
1. java.security.SecureRandom should be used instead of java.util.Random.
2. Use cryptographically secure generators that are strongly believed to be very difficult to predict.
Ex:
    var rand10 = Math.random().toString().substr(2, 10);
    this.boundary = '------RWWorkerFormDataBoundary' + Math.random().toString(36);
Math.random() code traced in \lib\web\FormData.js (Line: 46) and a few other vendor files.
CWE Code: CWE-676
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. An attacker may be able to break the algorithm and compromise whatever data has been protected, which may result in the exposure of sensitive information.
1. Do not develop custom or private cryptographic algorithms.
2. Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048.
For more information refer: http://wiki.scap.org.cn/cwe/en/definition/327
Ex:
    $sha1Sum = sha1($contents);

    $cacheKey = sha1($routePath . $this->serializer->serialize($cachedParams));
    if (!isset($this->cacheUrl[$cacheKey])) {
        $this->cacheUrl[$cacheKey] = $this->getUrlModifier()->execute(
            $this->createUrl($routePath, $routeParams)
        );
    }
In the vendor\magento\framework\Url.php (Line: 870) file, SHA1 is used. We can use a modern crypto algorithm.
CWE Code: CWE-327
Password or key management issues occur when a password or key is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password or key management problem by obscuring the password or key with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password or key. An attacker can easily gain access to the system by breaking the encoding.
Example:
    $user_pass = base64_encode($auth_username . ":" . $auth_password);
$user_pass = base64_encode traced in vendor\magento\framework\HTTP\Client\Curl.php (Line: 173) and a few other vendor files.
    public function setCredentials($login, $pass)
    {
        $val = base64_encode("{$login}:{$pass}");
        $this->addHeader("Authorization", "Basic {$val}");
    }
and in the file path vendor\magento\framework\HTTP\Client\Socket.php (Line: 179):
    public function setCredentials($login, $pass)
    {
        $val = base64_encode("{$login}:{$pass}");
        $this->addHeader("Authorization", "Basic {$val}");
    }
CWE Code: CWE-261
This is more of a general request to install the Magerun command (https://github.com/netz98/n98-magerun2) on every cloud install. Even though the bin/magento has opened a new "life" of CLI tooling, Magerun offers more and better commands for everyday debugging and QOL for developers. I strongly urge Adobe to consider this going forward.
We used Magento Queue support extensively in our project, we even created a connector to use Amazon SQS instead of RabbitMQ (I intend to share it with the community soon). During a process of improving the performance of our consumer jobs, I found that the native message queue module uses MySQL to manage the lock of messages, which ends up competing with the IO of the other calls to the database. As we have a very high volume of messages processed per minute (+ 15k messages), the database ends up being unnecessarily overloaded with this native lock approach. As Magento already provides native support for using ZooKeeper to control the locking of cronjobs processes, it would be very interesting if this feature were also made available to Message Queue, reducing the unnecessary usage of MySQL database.
Current Behaviour
Enabling the "Automatic Group Change" feature will change the Customer Group based on the user's selection for the current order and future orders.
Problem
Underneath the surface, the Shared Catalog (B2B) functionality uses customer groups. When a shared catalog is configured for a company, Magento will assign a customer group (associated with that shared catalog) to the company user. Because of this, (permanently) changing the customer group using "Automatic Group Change" will indirectly affect the shared catalog which is assigned to a company user, thus breaking the Shared Catalog (B2B) when "Automatic Group Change" is enabled.
Desired Behaviour
"Automatic Group Change" actually emulates the customer group whilst in the order process rather than permanently changing the customer group.
In Magento 2.X, admins must include the exact category path in an import file when assigning categories to products. This should be specified by category ID instead. Specifying by category path is tedious, and can create duplicated categories if there are any typographical errors, which is asinine. Category IDs are simple, accurate, and how every other ecommerce platform out there accomplishes this.
Product item display: I would like the option to have the Magento 2 store show the current salable quantity in stock for a selected product, including changing that display when the customer chooses a variant of a configurable product. So instead of showing "In Stock" or "Out of Stock", it will show "<count> In Stock" or "Out of Stock".
Magento's current behavior when creating partial invoices is to bill the entire shipping amount of the order on the first invoice, regardless of how many items have been invoiced. This is problematic when products ship at different times, which can happen frequently if a store drop ships often. Here is an egregious example:
1. A customer purchases two products, a Widget that has Free Shipping, and a Gadget that costs $100 to ship.
2. The Widget ships first, so we must invoice the Widget.
3. When we go to invoice the Widget, we do not want to invoice any shipping, because it was eligible for Free Shipping. However, Magento does not allow us to specify how much of the shipping should be included on the invoice, so the invoice includes the shipping amount for the entire order.
4. When the Gadget ships, we go to invoice it. There is no shipping charged on that invoice, because it was all charged on the first invoice for the Widget.
5. Customer and Accounting frustration ensues.
The ability to specify a partial shipping amount on an invoice, up to the total amount charged at the time of order, would solve this issue.
Since the Layout Update XML field was changed to a selector in version 2.3.4, it is now required to create a layout file, named specifically for use on a particular Category, CMS, or Product record, and stored on the hosting server. This is a clunky and unintuitive solution for a few reasons:
1. It requires granting file system access to users who previously only needed admin panel access.
2. It requires creating a file with layout instructions for each individual record. If a common layout instruction is shared between records, this means potentially hundreds of redundant files.
Please consider adding the ability to share Layout Update files between multiple records. That way, only one file is needed if the same layout instructions are applied to multiple categories, and admin panel users could apply those updates to new categories without needing file system access.
The ability to specify a Product Attribute Value position by integer was present in Magento 1.x but removed from Magento 2. Currently, if you want to re-order product attribute values, you need to drag and drop the value. If you're creating a new attribute value on an attribute that already contains dozens or hundreds of values, this means creating the new value at the very bottom of the list, and having to drag and drop it through all of the records above.
Currently, any time you add a Customer Group to Magento, you have to manually go through any record that uses the 'Customer Groups' selector and select the newly created Customer Group. This includes Catalog Price Rules, Cart Price Rules, and many 3rd party extensions. On large stores with many Customer Groups and Price Rules, this is very time consuming. Please add an 'All Customer Groups' selector, so users do not have to manually go through records to tag new Customer Groups.
We don't have a feature to apply a coupon code when we proceed to checkout with Multi Shipping Address. If a customer forgot to apply a coupon code on the shopping cart page, he/she has no provision to apply a coupon code on the multi shipping address checkout. So, it's better to have this feature on the multi shipping checkout.
Magento 2 provides the ability to import some things, such as products, via CSV, but lacks the ability to create attributes and values this way. This functionality is needed, and should be part of the core. When there are products with many variations, such as an item with many color choices, Magento should provide the ability to create the attribute and its options via CSV and create the swatch file if a path to the swatch color files is included.
Issue: No line item shipping is calculated / stored for products in an order, making export to third party ERP / OMS solutions difficult.
Solution: When shipping is calculated, store the amount per line item in the sales_order_item table so it can be exported cleanly.
Issue: When applying a gift certificate to an order, Magento doesn't currently see that as a payment on the order. It's applied as more of a discount as far as order totals are concerned. Since most OMS / ERP applications look at gift certificates as a payment instrument, this can cause unneeded customization. See the attached screenshot for more information.
Solution: Apply the gift certificate as a payment instrument and list it as a part of the Total Paid on an order.
[Screenshot: Example]
The current buy one get one cart price rule does not allow for multiple SKUs, which seems very silly. If you have a config SKU with several simple SKUs that only vary by size, why would a customer want 2 of the same size? This was not the case on Magento 1 Open Source.
Please make ionCube or SourceGuardian available on Magento Cloud for PHP 7.4. We were trying to resolve this issue with partner commerce support in ticket 354101, but Naga Harika Yarlagadda said ionCube is not supported for PHP 7.4 on Magento Cloud and recommended creating this feature request. Just FYI, ionCube officially supports PHP 7.4, so it seems like it is Magento Cloud not supporting it.