
Record actual amount charged regardless of what's in session
Closed, Resolved · Public · 2 Story Points

Description

  • Donor clicks $5 button in banner, gets to our form
  • We initiate a $5 transaction with GlobalCollect
  • Before the donor enters their credit card info, they click the $2 button, maybe in another window
  • We update our server's session data about the donation attempt to say the amount is $2
  • Donor finishes the payment in the $5 form
  • We actually charge $5, which is what they intended to give
  • The $2 in session is what gets recorded in Civi and on receipt

We need to update our data at the resultswitcher to make sure we're recording the right donation.
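The sequence in the description, replayed as a constructed Python model (an added example, not DonationInterface or gateway code). `FakeGateway`, the order ids and every function name are hypothetical, and the gateway is assumed to report the charged amount in its result.

```python
"""Constructed model of the bug in this task: two donation forms sharing one session."""
from decimal import Decimal


class FakeGateway:
    """Hypothetical processor stand-in: charges what each order was initiated with."""

    def __init__(self):
        self.orders = {}

    def initiate(self, order_id, amount):
        self.orders[order_id] = Decimal(amount)

    def result(self, order_id):
        return {"order_id": order_id, "amount": self.orders[order_id], "status": "charged"}


def start_donation(session, gateway, order_id, amount):
    """Form load: initiate the transaction and overwrite the shared session."""
    gateway.initiate(order_id, amount)
    session.update(order_id=order_id, amount=Decimal(amount))


def record_from_session(session, result):
    """Behaviour described in the task: trust whatever amount the session holds."""
    return {"order_id": result["order_id"], "amount": session["amount"]}


def record_from_gateway(session, result, log):
    """Record what was charged; the session only serves to detect and log a mismatch."""
    if result["status"] != "charged":
        raise ValueError("nothing was charged for order %s" % result["order_id"])
    if (session.get("order_id"), session.get("amount")) != (result["order_id"], result["amount"]):
        log.append("session mismatch for order %s: session has %s, charged %s"
                   % (result["order_id"], session.get("amount"), result["amount"]))
    return {"order_id": result["order_id"], "amount": result["amount"]}


def replay_task_scenario():
    """$5 form opened, $2 form opened in another window, $5 form completed."""
    session, gateway, log = {}, FakeGateway(), []
    start_donation(session, gateway, "order-5", "5.00")
    start_donation(session, gateway, "order-2", "2.00")
    result = gateway.result("order-5")
    return record_from_session(session, result), record_from_gateway(session, result, log), log
```

The logged mismatch line gives a signal to look for when auditing past donations recorded before the fix.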

Event Timeline

Ejegg created this task. Oct 10 2015, 12:18 AM
Ejegg updated the task description.
Ejegg raised the priority of this task from to Unbreak Now!.
Ejegg added a subscriber: Ejegg.
Restricted Application added a subscriber: Aklapper. Oct 10 2015, 12:18 AM

Change 244829 had a related patch set uploaded (by Ejegg):
GlobalCollect: record charged amount, not session amount

https://gerrit.wikimedia.org/r/244829

Change 244833 had a related patch set uploaded (by Ejegg):
Astropay: record charged amount, not session amount

https://gerrit.wikimedia.org/r/244833

Paypal needs no fix since we don't record those from DonationInterface. Amazon is fine because we post back the amount in the same request as we make the payment API calls and queue the message.

Looks like Worldpay is high risk here - even if the donor fills out their credit card details and submits in the page with the initial donation, we will charge them the amount in session, which could be more than they wanted to give!

Change 244836 had a related patch set uploaded (by Ejegg):
Add 'amount' to debug logging

https://gerrit.wikimedia.org/r/244836

Change 244829 merged by jenkins-bot:
GlobalCollect: record charged amount, not session amount

https://gerrit.wikimedia.org/r/244829

Change 244833 merged by jenkins-bot:
Astropay: record charged amount, not session amount

https://gerrit.wikimedia.org/r/244833

Change 244836 merged by jenkins-bot:
Add 'amount' to debug logging

https://gerrit.wikimedia.org/r/244836

Change 244847 had a related patch set uploaded (by Ejegg):
GlobalCollect: record charged amount, not session amount

https://gerrit.wikimedia.org/r/244847

Change 244848 had a related patch set uploaded (by Ejegg):
Astropay: record charged amount, not session amount

https://gerrit.wikimedia.org/r/244848

Change 244849 had a related patch set uploaded (by Ejegg):
Add 'amount' to debug logging

https://gerrit.wikimedia.org/r/244849

Change 244847 merged by Ejegg:
GlobalCollect: record charged amount, not session amount

https://gerrit.wikimedia.org/r/244847

Change 244848 merged by Ejegg:
Astropay: record charged amount, not session amount

https://gerrit.wikimedia.org/r/244848

Change 244849 merged by Ejegg:
Add 'amount' to debug logging

https://gerrit.wikimedia.org/r/244849

Ejegg set Security to None. Oct 13 2015, 5:07 PM
Ejegg edited a custom field.

Fixes deployed for AstroPay and GlobalCollect, work still needed on Worldpay

atgo added a subscriber: atgo. Oct 14 2015, 9:13 PM

Is this a dupe of T115053 ?

atgo added a comment. Oct 14 2015, 9:29 PM

And is it related to T111436?

Yep, it's the root cause of T115053 - I just made this task 'cause I hid that other one from myself and couldn't put it in sprint! Also wanted to collect the info on the general problem and track progress on fixing it for each gateway.

Ejegg claimed this task. Oct 15 2015, 8:05 PM
Ejegg reassigned this task from Ejegg to cwdent. Oct 16 2015, 8:09 PM
Ejegg added a subscriber: cwdent.

Passing this along to @cwdent to implement the fix for Worldpay.

awight added a subscriber: awight. Oct 20 2015, 11:42 PM

I take back my objection here, this sounds like a great fix!

With Worldpay ESOP we don't send the amount initially in the iframe request (there isn't a field for it). The auth/charge steps pull the amount to charge from the session so whatever's there will be the canonical amount and the same as what's in contribution_tracking. So basically a donor can have n iframes open but they will all charge for the amount typed into the most recently requested one.

Note from our conversation: there is logic to check the session's order_id, and stop if there's a mismatch. Perhaps that's not working?

Also, ejegg pointed out that Worldpay would still have this issue, if it's happening...

cwdent closed this task as Resolved. Oct 23 2015, 5:47 PM

Deployed

DStrine added a parent task: Restricted Task. Oct 26 2015, 8:14 PM
atgo removed a subscriber: atgo. Mar 30 2016, 10:03 PM
mmodell removed a subscriber: awight. Jun 22 2017, 9:44 PM
Restricted Application added subscribers: Jay8g, TerraCodes. Jun 22 2017, 9:44 PM