Say we have set up a factory role. How can we hide customer emails from this factory administration role, so that the factory cannot see all customers' emails, please?
We are using Magento 2.3.3 with a multi-website setup, and we are using MSI for inventory management. We came across the following scenario: both websites use the same SKUs, but backorder handling is different on each website. Ex: website 1 - allow backorders; website 2 - do not allow backorders. Since with MSI the inventory can be handled at website level, it would be good to provide an option in core Magento so that the backorder feature can also be handled at website level instead of global level. We would appreciate it if you could pick up this idea and provide a path, or implement it in future releases. Thank you.
We integrated the third-party ShipStation and SKU Vault. Integrating them is a very simple step: we need to create a backend user with administrator roles and use those credentials in the ShipStation and SKU Vault dashboards for configuration. We did the same steps, but due to 2FA it was not working for us, so at last we disabled 2FA, and it is working fine now. Now the problem is that, per the Commerce Cloud standard, 2FA should be enabled for security reasons, but due to this issue we are stuck. Could you please help us with a solution for how ShipStation and SKU Vault could be connected with 2FA enabled?
Emails are sent out for all other order status updates except for "cancelled." I would like to request that emails be sent to notify customers when their orders are "cancelled."
Hi, I recently upgraded my site to 2.4.2 and found out that, for the in-store delivery option, stores have to be sources with sufficient salable quantity in order for customers to select them in the checkout shipping step. I think it would be nice to have an option to set up stores for pickup regardless of quantity, so the user can select the location for pickup as long as there is positive aggregated stock from all sources, and we merchants can ship the order to that location from other sources. Thank you
A mode of operation of a block cipher is an algorithm that describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block. Some of the modes of operation include Electronic Codebook (ECB), Cipher Block Chaining (CBC), and Cipher Feedback (CFB). ECB mode is inherently weak, as it results in the same ciphertext for identical blocks of plaintext. CBC mode is the superior choice, as it does not have this weakness. A message encrypted with a weak cryptographic algorithm can be decrypted via brute-force attacks.

1. Use a strong mode of operation like CBC instead of ECB.
2. Use an authenticated encryption mode, such as GCM, EAX or OCB.

For more information refer to: https://www.owasp.org/index.php/Testing_for_Weak_Encryption_(OTG-CRYPST-004)

Ex:
    $mode = MCRYPT_MODE_ECB

        $mode = MCRYPT_MODE_ECB,
        $initVector = false
    ) {
        if (true === $initVector) {
            // @codingStandardsIgnoreStart
            $handle = @mcrypt_module_open($cipher, '', $mode, '');
        }

Traced in vendor\magento\framework\Encryption\Crypt.php (Line: 57) and a few other vendor files.
CWE Code: CWE-327
The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers. When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated and use this guess to impersonate another user or access sensitive information.

1. java.security.SecureRandom should be used instead of java.util.Random.
2. Use cryptographically secure generators that are strongly believed to be very difficult to predict.

Ex:
    var rand10 = Math.random().toString().substr(2, 10);

    this.boundary = '------RWWorkerFormDataBoundary' + Math.random().toString(36);

Math.random() code traced in \lib\web\FormData.js (Line: 46) and a few other vendor files.
CWE Code: CWE-676
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. An attacker may be able to break the algorithm and compromise whatever data has been protected, resulting in the exposure of sensitive information.

1. Do not develop custom or private cryptographic algorithms.
2. Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048.

For more information refer to: http://wiki.scap.org.cn/cwe/en/definition/327

Ex:
    $sha1Sum = sha1($contents);

    $cacheKey = sha1($routePath . $this->serializer->serialize($cachedParams));
    if (!isset($this->cacheUrl[$cacheKey])) {
        $this->cacheUrl[$cacheKey] = $this->getUrlModifier()->execute(
            $this->createUrl($routePath, $routeParams)
        );
    }

In the vendor\magento\framework\Url.php (Line: 870) file, SHA1 is used. We can use a modern crypto algorithm.
CWE Code: CWE-327
Command injection vulnerabilities take two forms:
- An attacker can change the command that the program executes: the attacker explicitly controls what the command is.
- An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means.

In this case we are primarily concerned with the second scenario, the possibility that an attacker may be able to change the meaning of the command by changing an environment variable or by putting a malicious executable early in the search path.

1. Applications should avoid incorporating user-controllable data into operating system commands.
2. Use library calls rather than external processes to recreate the desired functionality.
3. Ensure that all external commands called from the program are statically created.

For more information refer to: https://www.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)

Ex:
    $output = shell_exec($cmd);

The shell_exec() function is used in multiple places. Example code path: vendor/laminas/laminas-console/src/Adapter/Virtual.php (Line: 171)
    protected function switchToUtf8()
    {
        shell_exec('mode con cp select=65001');
    }
and a few other vendor files.
CWE Code: CWE-77
Password or key management issues occur when a password or key is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password or key management problem by obscuring the password or key with an encoding function, such as base64 encoding, but this effort does not adequately protect the password or key. An attacker can easily gain access to the system by breaking the encoding.

Example:
    $user_pass = base64_encode($auth_username . ":" . $auth_password);

base64_encode traced in vendor\magento\framework\HTTP\Client\Curl.php (Line: 173) and a few other vendor files:
    public function setCredentials($login, $pass)
    {
        $val = base64_encode("{$login}:{$pass}");
        $this->addHeader("Authorization", "Basic {$val}");
    }

and in the file vendor\magento\framework\HTTP\Client\Socket.php (Line: 179):
    public function setCredentials($login, $pass)
    {
        $val = base64_encode("{$login}:{$pass}");
        $this->addHeader("Authorization", "Basic {$val}");
    }

CWE Code: CWE-261
This is more of a general request: install the Magerun command (https://github.com/netz98/n98-magerun2) on every cloud install. Even though bin/magento has opened a new "life" of CLI tooling, Magerun offers more and better commands for everyday debugging and QoL for developers. I strongly urge Adobe to consider this going forward.
We have used Magento queue support extensively in our project; we even created a connector to use Amazon SQS instead of RabbitMQ (I intend to share it with the community soon). While improving the performance of our consumer jobs, I found that the native message queue module uses MySQL to manage message locks, which ends up competing with the IO of the other calls to the database. As we have a very high volume of messages processed per minute (15k+ messages), the database ends up unnecessarily overloaded by this native lock approach. As Magento already provides native support for using ZooKeeper to control the locking of cron job processes, it would be very interesting if this feature were also made available to the message queue, reducing unnecessary usage of the MySQL database.
Current Behaviour
Enabling the "Automatic Group Change" feature will change the Customer Group based on the user's selection for the current order and future orders.

Problem
Underneath the surface, the Shared Catalog (B2B) functionality uses customer groups. When a shared catalog is configured for a company, Magento will assign a customer group (associated with that shared catalog) to the company user. Because of this, (permanently) changing the customer group using "Automatic Group Change" will indirectly affect the shared catalog which is assigned to a company user, thus breaking the Shared Catalog (B2B) when "Automatic Group Change" is enabled.

Desired Behaviour
"Automatic Group Change" actually emulates the customer group whilst in the order process rather than permanently changing the customer group.
Per Google's documentation:

"reCAPTCHA v3 introduces a new concept: actions. When you specify an action name in each place you execute reCAPTCHA, you enable the following new features:
- A detailed break-down of data for your top ten actions in the admin console
- Adaptive risk analysis based on the context of the action, because abusive behavior can vary.
Importantly, when you verify the reCAPTCHA response, you should verify that the action name is the name you expect."

From: https://developers.google.com/recaptcha/docs/v3#actions

Associating an action name with each reCAPTCHA implementation location will allow us to have a more granular view of where bots are interacting with our forms/actions and react based on what we see in the reporting. Additionally, Google indicates that reCAPTCHA v3 will perform better with actions specified.
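What the last sentence of the quoted documentation asks for, as an added Node.js example (not Magento's reCAPTCHA module): the server-side checks on a siteverify response once actions are in use. The response objects are constructed to match the field names Google documents for the siteverify reply (success, score, action, challenge_ts, hostname, error-codes); no request to Google is made, and the per-action score thresholds, hostname and token age limit are assumptions for the example. The check that matters most is the action comparison: the action name is chosen by client-side code, so a token minted on a low-scrutiny action such as a page view must not be accepted by the login or checkout endpoint.

```javascript
// Added example (not Magento code): validating a reCAPTCHA v3 siteverify
// response against the action, hostname, score and age this endpoint expects.

// Per-action policy. Thresholds are illustrative, not Google's or Magento's defaults.
const ACTION_POLICY = {
  login:      { minScore: 0.7 },
  checkout:   { minScore: 0.5 },
  newsletter: { minScore: 0.3 },
};

const EXPECTED_HOSTNAME = 'shop.example'; // the site's own host (assumed)
const MAX_TOKEN_AGE_SEC = 120;            // reject replays of old tokens (assumed limit)

// `nowMs` is injected so the check is deterministic; production code passes Date.now().
function verifyRecaptchaV3(resp, expectedAction, nowMs) {
  const policy = ACTION_POLICY[expectedAction];
  if (!policy) return { ok: false, reason: 'unknown action ' + expectedAction };

  if (!resp || resp.success !== true) {
    const codes = (resp && resp['error-codes']) || [];
    return { ok: false, reason: 'token rejected: ' + codes.join(',') };
  }
  // Action is chosen client-side: a token for "homepage" must not unlock "login".
  if (resp.action !== expectedAction) return { ok: false, reason: 'action mismatch' };
  // Hostname binds the token to this site rather than another site using the same key.
  if (resp.hostname !== EXPECTED_HOSTNAME) return { ok: false, reason: 'hostname mismatch' };
  if (typeof resp.score !== 'number' || resp.score < policy.minScore) {
    return { ok: false, reason: 'score below threshold' };
  }
  // challenge_ts is when the token was issued; bound its age to limit replay.
  const ageSec = (nowMs - Date.parse(resp.challenge_ts)) / 1000;
  if (!(ageSec >= 0 && ageSec <= MAX_TOKEN_AGE_SEC)) return { ok: false, reason: 'token too old' };

  return { ok: true, reason: 'ok' };
}

// Constructed sample responses in the documented shape.
const NOW_MS = Date.parse('2024-05-01T12:00:30Z');
const RESP_GOOD = {
  success: true, score: 0.9, action: 'login',
  challenge_ts: '2024-05-01T12:00:00Z', hostname: 'shop.example',
};
const RESP_WRONG_ACTION = { ...RESP_GOOD, action: 'homepage' };
const RESP_LOW_SCORE = { ...RESP_GOOD, score: 0.2 };
const RESP_STALE = { ...RESP_GOOD, challenge_ts: '2024-05-01T11:00:00Z' };
const RESP_FAILED = { success: false, 'error-codes': ['timeout-or-duplicate'] };

for (const [name, resp] of Object.entries({ RESP_GOOD, RESP_WRONG_ACTION, RESP_LOW_SCORE, RESP_STALE, RESP_FAILED })) {
  console.log(name, verifyRecaptchaV3(resp, 'login', NOW_MS));
}
```

A low score is best handled per action, as the policy table does: a newsletter form can tolerate more suspicion than a login form, and that granularity is exactly what naming the action buys in the admin console reporting the post mentions.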
For the In-Store Pickup module with MSI, it would be incredibly helpful if, for stores like the ones I manage with only one location per Magento instance, Store Pickup could default to that location and bypass the 'Select Store' step altogether. Also, if you could bypass the proximity calculation. In other words, if a customer selected the 'Pick In Store' tab at checkout on a site with only one pickup source in the back-end, the store would already appear there as the selected location. This would streamline things for the customer, too (and likely lead to fewer phone calls from confused customers for us).
Hi Team, we are showing out-of-stock products, and in the case of configurable products the price is not displayed if all children are out of stock, even if Display Out of Stock Products is set to "Yes". Can we have an option to display the price for these types of products? Thanks, SJ
In Magento 2.X, admins must include the exact category path in an import file when assigning categories to products. This should be specified by category ID instead. Specifying by category path is tedious and can create duplicate categories if there are any typographical errors, which is asinine. Category IDs are simple and accurate, and they are how every other ecommerce platform out there accomplishes this.
Product item display: I would like the option to have the Magento 2 store show the current salable quantity in stock for a selected product, including changing that display when the customer chooses a variant of a configurable product. So instead of showing "In Stock" or "Out of Stock", it would show "<count> In Stock" or "Out of Stock".
Currently, when an admin session times out and you have to log in again, you find yourself in the dashboard no matter what you were doing before. In my opinion the user should be redirected back to the page they were viewing. Most other CMSs and ecommerce solutions do this.
Our payment partner, Adyen, offers a feature to see which browser a customer used to make a purchase, as long as the order was made using their card services. For other standalone payment methods such as Amazon Pay and PayPal, I would like to suggest an information box within the order history, for the admin's benefit only, so that we may track which browser a person used to complete an order and monitor whether a certain browser and/or version is causing errors or failing to track conversions within Bing or Google. The idea came from the information found in our Adyen control panel.