Command injection vulnerabilities take two forms:
- An attacker can change the command that the program executes: the attacker explicitly controls what the command is.
- An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means.
In this case we are primarily concerned with the second scenario, the possibility that an attacker may be able to change the meaning of the command by changing an environment variable or by putting a malicious executable early in the search path.
1. Applications should avoid incorporating user-controllable data into operating system commands.
2. Use library calls rather than external processes to recreate the desired functionality.
3. Ensure that all external commands called from the program are statically created.
For more information refer to: https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)
Example: $output = shell_exec($cmd);
The shell_exec() function is used in multiple places. Example code path: vendor/laminas/laminas-console/src/Adapter/Virtual.php (Line: 171)
protected function switchToUtf8() { shell_exec('mode con cp select=65001'); }
and a few other vendor files.
CWE Code: CWE-77
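The call quoted in the idea above, shell_exec('mode con cp select=65001'), is a fixed command string that is still resolved through the search path, which is the second form the idea describes. The following is an added example, not code from the original post, from Magento or from the laminas-console package: a hypothetical PHP image-conversion helper written three ways, showing the first form (user data concatenated into the command), the second form (fixed command text that still depends on $PATH), and a hardened variant. The binary path /usr/bin/convert, the function names and the 'out.jpg' target are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post, Magento or laminas-console).
// convertUnsafe() and convertPathDependent() show the two forms the post
// describes; convertSafe() is the hardened variant. The binary path,
// function names and the 'out.jpg' target are assumptions for illustration.

// Form 1: user data becomes part of the command text, so the attacker chooses
// what runs. A file name of "photo.png; id" executes id.
function convertUnsafe(string $userFile): string
{
    return (string) shell_exec('convert ' . $userFile . ' out.jpg');
}

// Form 2: the argument is escaped, but "convert" is still located via $PATH by
// the shell. Anyone who can influence the environment (PATH, or a writable
// directory early in it) changes what the fixed command string means.
function convertPathDependent(string $userFile): string
{
    return (string) shell_exec('convert ' . escapeshellarg($userFile) . ' out.jpg');
}

// Hardened: allowlist the input, run a fixed absolute path, pass argv as an
// array so no shell parses it (PHP >= 7.4), and hand the child an explicit
// minimal environment instead of the inherited one.
function convertSafe(string $userFile): string
{
    // Alphanumeric start, so the value can never be read as an option flag.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/', $userFile)) {
        throw new InvalidArgumentException('rejected file name');
    }
    $bin = '/usr/bin/convert';                 // assumed location; never from $PATH
    if (!is_executable($bin)) {
        throw new RuntimeException('converter not available');
    }
    $argv = [$bin, $userFile, 'out.jpg'];      // array form: no shell involved
    $env  = ['PATH' => '/usr/bin:/bin', 'LANG' => 'C'];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes, '/tmp', $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start converter');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('converter failed: ' . trim($err));
    }
    return $out;
}
```

escapeshellarg() alone only addresses the first form; the absolute path and explicit environment in convertSafe() are what remove the dependency on the caller's PATH that the idea is concerned with.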
All auto-generated factory classes should implement a common interface. All factories have to have a public function create(array $data = array()) method anyway. So why do they not implement some common FactoryInterface?
The idea is to have an option for how customers are addressed. For example, personal like "Hello Ben" or formal like "Dear Mr. Marks". These could be in the webshop welcome message and also in transactional mails.
For a configurable product that has tier prices, can the unit price on the product page update to the correct tier price based on the quantity that the user enters? e.g.
Buy 100 for £1.55
Buy 200 for £1.04 each and save 33%
Buy 300 for £0.78 each and save 50%
Buy 400 for £0.70 each and save 56%
Buy 500 for £0.62 each and save 60%
If the user enters 100, the unit price displays as £1.55 correctly. However, if the user enters 200, the unit price remains £1.55 whereas it should display £1.04. It does not display the correct tier price until you add the item to the cart.
Feature request from bondimedical3, posted on GitHub Jan 04, 2017
Google is making a big push with AMP pages in mobile search results. I am seeing more and more AMP results in SERPS and I believe if Magento would like to keep a competitive edge in the market it will need to begin to look at adding this feature to Magento 2. Google SERPs are constantly changing with new features and they have even added an AMP carousel in mobile results where if there are more than 3 AMP results on the first page a carousel appears on the top where people can scroll through. In the future this will become a necessity for all e-commerce platforms. https://www.ampproject.org
Per Google's documentation: "reCAPTCHA v3 introduces a new concept: actions. When you specify an action name in each place you execute reCAPTCHA, you enable the following new features: A detailed break-down of data for your top ten actions in the admin console Adaptive risk analysis based on the context of the action, because abusive behavior can vary. Importantly, when you verify the reCAPTCHA response, you should verify that the action name is the name you expect." From: https://developers.google.com/recaptcha/docs/v3#actions Associating an action name with each reCAPTCHA implementation location will allow us to have a more granular view of where bots are interacting with our forms/actions and react based on what we see in the reporting. Additionally, Google indicates that reCAPTCHA v3 will perform better with actions specified.
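The check the idea quotes from Google's documentation, verifying that the action name in the siteverify response is the one you expect, as an added example that is not code from the original post or from Magento. The endpoint and response fields (success, score, action, hostname) are the ones Google documents; the class name, the action names customer_login and newsletter_subscribe, the hostname shop.example and the 0.5 threshold are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post or from Magento): server-side
// verification of a reCAPTCHA v3 token that enforces the expected action.
// Class name, action names, hostname and threshold are assumptions.
final class RecaptchaV3Verifier
{
    private const VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

    private string $secret;
    private string $expectedHostname;
    private float $minScore;

    public function __construct(string $secret, string $expectedHostname, float $minScore = 0.5)
    {
        $this->secret = $secret;
        $this->expectedHostname = $expectedHostname;
        $this->minScore = $minScore;
    }

    // Decision logic kept separate from the HTTP call so it can be exercised
    // offline against constructed siteverify responses.
    public function evaluate(array $response, string $expectedAction): bool
    {
        if (($response['success'] ?? false) !== true) {
            return false;
        }
        // The action is set client-side and is attacker-visible: a token minted
        // for the newsletter form must not be accepted on the login form.
        if (($response['action'] ?? '') !== $expectedAction) {
            return false;
        }
        if (($response['hostname'] ?? '') !== $this->expectedHostname) {
            return false;
        }
        return (float) ($response['score'] ?? 0.0) >= $this->minScore;
    }

    public function verify(string $token, string $expectedAction, string $remoteIp): bool
    {
        $body = http_build_query([
            'secret'   => $this->secret,
            'response' => $token,
            'remoteip' => $remoteIp,
        ]);
        $ctx = stream_context_create(['http' => [
            'method'  => 'POST',
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content' => $body,
            'timeout' => 5,
        ]]);
        $raw = @file_get_contents(self::VERIFY_URL, false, $ctx);
        if ($raw === false) {
            return false; // fail closed if the verification service is unreachable
        }
        $decoded = json_decode($raw, true);
        return is_array($decoded) && $this->evaluate($decoded, $expectedAction);
    }
}

// Constructed siteverify responses (not real data) for a local run.
$verifier = new RecaptchaV3Verifier('secret-from-config', 'shop.example', 0.5);
$legit    = ['success' => true, 'score' => 0.9, 'action' => 'customer_login',       'hostname' => 'shop.example'];
$replayed = ['success' => true, 'score' => 0.9, 'action' => 'newsletter_subscribe', 'hostname' => 'shop.example'];
$lowScore = ['success' => true, 'score' => 0.1, 'action' => 'customer_login',       'hostname' => 'shop.example'];

var_dump($verifier->evaluate($legit, 'customer_login'));
var_dump($verifier->evaluate($replayed, 'customer_login'));
var_dump($verifier->evaluate($lowScore, 'customer_login'));
```

Only the first evaluate() call accepts the token; the second is rejected because the action does not match the form being submitted, the third because the score is below the threshold. The action check is what gives the per-form reporting the idea asks for its security value: without it, one passing token from any low-value form is valid on every form on the site.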
Currently it is not possible to have an admin menu link with more than 3 arguments. menu.xml:
...
<add
id="Module::module_name-id"
action="module/controller/action/paramFoo/valueBar"
.../>
The menu item link is truncated to 'module/controller/action/' and ignores the 'paramFoo/valueBar' addition. I'd suggest adding another property to the <add tag, something like: actionParams="paramFoo=valueBar&paramLorem=valueIpsum" which would then be added to the $params array in the Magento\Backend\Model\Menu\Item::getUrl() method.
Hi Team, We are showing out of stock products, and in the case of configurable products the price is not displayed if all children are out of stock, even if Display Out of Stock Products is set to "yes". Can we have an option to display the price for these types of products? Thanks SJ
Make it possible to enable and disable Dynamic Price in a bundle product even after the first save.
Hi, We have found that the only way to change image dimensions for resizing is in code and would love it if this was something configurable from the admin panel. Is this something that is already in the process of being implemented or could it be implemented soon? We look forward to hearing from you! Thanks!
According to the documentation it's possible to change the image properties in view.xml. But sadly the quality of the image isn't reflected. So it's only possible to change the values for the properties:
width
height
constrain
aspect_ratio
frame
transparency
background (doesn't work btw.)
The quality property is missing. Please add the possibility to change the image quality property.
Feature request from mttjohnson, posted on GitHub Nov 06, 2015
Working from the Magento 2.0.0-RC
I ran into a scenario where a setup install script failed halfway through installing some data and I found that it had inserted and modified the database up to the point it hit an exception. I haven't noticed much use of database transactions inside the install scripts, but I found that it doesn't take much to add them to the start and end of the install() method.
I found an example of using database transactions in \Magento\Checkout\Setup\InstallData and I went ahead and tested wrapping the contents of my install script. It seems like wrapping database install scripts inside a database transaction should be a recommended practice so that we can avoid half installed modules that can be very difficult to troubleshoot afterwards.
<?php
namespace Vendor\Module\Setup; // namespace and class name are placeholders for your own module

use Magento\Framework\Setup\InstallDataInterface;
use Magento\Framework\Setup\ModuleContextInterface;
use Magento\Framework\Setup\ModuleDataSetupInterface;

class InstallData implements InstallDataInterface
{
    public function install(ModuleDataSetupInterface $setup, ModuleContextInterface $context)
    {
        $connection = $setup->getConnection();
        try {
            // Everything between beginTransaction() and commit() is applied atomically
            $connection->beginTransaction();

            // Do a bunch of stuff here that may change things in the database and
            // you want to retain the option to roll back the changes if an error occurs

            // If no errors occur commit all the database changes
            $connection->commit();
        } catch (\Exception $e) {
            // If an error occurred roll back the database changes as if they never happened,
            // then rethrow so setup:upgrade reports the failure instead of hiding it
            $connection->rollBack();
            throw $e;
        }
    }
}
I have run into several situations trying to clean up magento sites that had things half installed and contained additional or missing changes to the database. Having gone through the mess of cleaning up partial upgrades leads me to believe there is room for improvement around the setup scripts.
When would it be an ok idea to partially install data in the database?
Feature request from hostep, posted on GitHub Aug 24, 2016
Preconditions
Magento CE 2.1.0
A whole afternoon of debugging joy (oh no, I already did this for you, don't worry)
Steps to reproduce
Take a look at how the billing address fields are composed: https://github.com/magento/magento2/blob/c5d618d5439362f50ba0f21d3fadf418cc765190/app/code/Magento/Checkout/Block/Checkout/LayoutProcessor.php#L201-L246
Compare this to the shipping address fields: https://github.com/magento/magento2/blob/c5d618d5439362f50ba0f21d3fadf418cc765190/app/code/Magento/Checkout/Block/Checkout/LayoutProcessor.php#L165
Expected result
I expected to be able to change the sort order of the billing address fields in the checkout using xml or some other "convenient" way, but found this is almost impossible without manually altering the sort_order field in the customer_eav_attribute table.
Actual result
Not able to sort the billing address fields in a convenient and easy way.
Discussion
To be able to sort the shipping address fields in the checkout, we can create a file checkout_index_index.xml with something like this:
<?xml version="1.0"?>
<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" layout="checkout" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/page_configuration.xsd">
<body>
<referenceBlock name="checkout.root">
<arguments>
<argument name="jsLayout" xsi:type="array">
<item name="components" xsi:type="array">
<item name="checkout" xsi:type="array">
<item name="children" xsi:type="array">
<item name="steps" xsi:type="array">
<item name="children" xsi:type="array">
<item name="shipping-step" xsi:type="array">
<item name="children" xsi:type="array">
<item name="shippingAddress" xsi:type="array">
<item name="children" xsi:type="array">
<item name="shipping-address-fieldset" xsi:type="array">
<item name="children" xsi:type="array">
<item name="region_id" xsi:type="array">
<item name="sortOrder" xsi:type="string">87</item>
</item>
<item name="postcode" xsi:type="array">
<item name="sortOrder" xsi:type="string">80</item>
</item>
<item name="company" xsi:type="array">
<item name="sortOrder" xsi:type="string">45</item>
</item>
<item name="vat_id" xsi:type="array">
<item name="sortOrder" xsi:type="string">46</item>
</item>
<item name="country_id" xsi:type="array">
<item name="sortOrder" xsi:type="string">85</item>
</item>
<item name="telephone" xsi:type="array">
<item name="sortOrder" xsi:type="string">90</item>
</item>
</item>
</item>
</item>
</item>
</item>
</item>
</item>
</item>
</item>
</item>
</item>
</argument>
</arguments>
</referenceBlock>
</body>
</page>
I was hoping there was a similar way for the billing address fields, but came to the conclusion after viewing https://github.com/magento/magento2/blob/c5d618d5439362f50ba0f21d3fadf418cc765190/app/code/Magento/Checkout/Block/Checkout/LayoutProcessor.php#L201-L246 this is not possible due to those hardcoded values.
Or am I missing something obvious here?
Feature request from mage2pro, posted on GitHub Nov 26, 2015
It is a long-term issue from Magento 1.x, and still is in Magento 2.
Look at an example here: https://github.com/magento/magento2/issues/2505#issuecomment-159754199
As you can see, the left half of screen contains the same file path in each line, and the right half chops significant parts of the messages.
I propose:
Show the full strings in an error report's stack trace.
Additional improvement: skip the filesystem path to the Magento root in the stack traces because it is the same for each trace line. It would be better to show it once above the stack trace.
In the Netherlands you write a VAT number like this: NLxxxxxxxxxB01. Magento only allows a VAT code without the country code.
Feature request from mage2pro, posted on GitHub Nov 13, 2015
https://mage2.pro/t/200
For example, if there are multiple observers for the catalog_block_product_status_display event then the Magento 2 behavior becomes unpredictable because we cannot set the observers' ordering.
Feature request from chasteIT, posted on GitHub Sep 03, 2015
In Magento2, can we please get the ability to set default configurations of Configurable Products?
@tzyganu's Easylife Switcher that sets default configurations, keeps the selected options when other above them change. It also changes the product image or media block when options are changed -- among other cool stuff.
Also, Inchoo did a tutorial on autoselecting configurable product options, and Iceberg Commerce provided a Javascript method.
Lastly, pre-selecting default simple products would affect the Simple Configurable Products #335 undertaking.
Edit: This could be used in conjunction with layered navigation. See issue: Layered Navigation Filters Pre-Select Configurable Product Options #1784
Feature request from royduin, posted on GitHub Oct 06, 2015
It would be nice if there were options in the backend to exclude pages, products or categories from the sitemap generation.
Feature request from PierAlex, posted on GitHub Jul 14, 2016
It would be useful to have the ability to send a newsletter by selecting one or more customer groups and/or adding and deleting single customers from the 'mailing list'.
Thanks
Hi, In Magento 2.2.5 you can easily make Company a required field for customers in both checkout and creating an account: Settings > Configuration > Customers > Customer Configuration > Name and Address Options (see attached, Magento 2.2.5). But in Magento 2.1.14 there is no option for this (see attached, Magento 2.1.14). Can this feature be added to 2.1.x?