Raymond


  1. Hello, I visited your website; the form is not free as you write here. Is this a mistake? Or is this module in fact not free? Thank you. Best regards
  2. Hello

     The problem of too many combinations coming out of automatic generation can be solved with modules made for this purpose, but they are costly, and the one that I tried is also not really a big solution according to my tastes. I decided not to use it any more: it cost me over 200$, does ravage in the core, is hard to style, and there are lots of mangles and work to be done to have it working.

     I found another module that for my case is even more useful, but it works on a different principle and does not do the same, just similar; thus, it costs much less and does not require any core mod. It is very useful to create "solutions", e.g., let's take the example of a customized PC. I create all the products that can be used with a barebone base PC; the module allows associating all those products in the product page of the barebone PC, with the possibility to add some rules, e.g. required, optional, single item, more items and so on. So the client opens the page of the barebone PC, can also find some basic combinations done with the built-in combination system (or as many as needed; that falls back to the combination system and is independent, e.g. colour of the case, power supply, format etcetera...), then in the lower part of the page finds a section created by the module where there are menus to add items, e.g. memory, hard disks, cables, cards, fans, whatever one wants to propose to the client. The client chooses some combination, then chooses the additional items and builds up their own custom PC; the module creates a list of the "solution" so created and calculates the price, then in the cart everything is added as usual. It works pretty well, is not heavy, and does not slow down the system.

     What I really miss, and I have seen no module doing that in the many e-commerce platforms around, are the logic conditions, e.g.:
     - if you use component A then show components D, G, H
     - if then component H is chosen, show components T, X, W and so on...
     - if at a certain point the client chooses a component Z, prompt the client to add component B as a useful option, or, if the client chooses component Z AND component W, force the client to add component J as mandatory, and so on...

     It would be wonderful to see some kind of product builder using logic conditions in TB. In the past I tried to get more information on such systems and discovered that there exist what are called "rules engines" to be used in such systems.... https://martinfowler.com/bliki/RulesEngine.html

     Thank you
     Best regards
  3. Hello

     As far as I understood, the point is to mitigate what I think can be called the "third man in the middle attack". I think that Datakick's examples are pretty pertinent and self-explanatory; using these headers, and in particular CSP, makes it more difficult. From a non-expert point of view such as mine, it appears anyway quite clear and logical that when the server and the browser are instructed not to accept "things" coming from sources that are not expressly declared as legit, this can sensibly reduce the possibility for anyone to inject on-the-fly instructions to deviate the client toward a malicious server and receive deceptive data, or vice versa.

     I understand that the use of these headers makes the whole work of the developer/implementer/merchant more difficult and also costly. However, while of course as a principle it is always good to try to patch everything in the software used, it is as well always good as a principle to try to patch everything else that gets in relation with the software used; thus I think that hardening the methods with which the client-server communication happens is just logical and a better practice. As a matter of fact, 100% security is maybe never achievable, but the harder it is to get around security protocols, the better the chances that an attacker fails, so why not at least try to implement all that is reasonably possible?

     The CSP rule I set is extra permissive; I also use mod_security with WAF rules from Comodo. At the moment almost everything seems to work well. I need to study this more and I will report my findings here. Anyone interested, please participate in this initiative; it would be very good to find the proper "recipe" for a good CSP policy that works fine with TB.

     Thank you
     Best regards
  4. Hello Everybody

     Doing searches in order to have my SSL and then the headers set right, I had to begin to reason about one specific header, the Content Security Policy header, aka CSP. This header must be set in specific ways depending on the software used in the domain; CSP rules must be set specifically for a given software or group of software used on the domain, e.g. if a person uses TB, they must have the proper rules in the CSP header in order to have it working right and at the same time harden the security of the website.

     While searching I stumbled upon an interesting module made for WordPress: it analyses all the broken requests after implementing a CSP rule and outputs the formatted string to be added to the CSP rule set in order to have WordPress work fine. So I thought to express this wish: it would be very nice to have a native TB module doing this task. The principle is very simple: the user builds the website, installing all the modules needed and so on; when done, installs the module to check the broken requests, then implements a simple restrictive CSP header in the httpd.conf file, then uses the website; the module records the broken requests and outputs the formatted rules to be added to the CSP header. With a few cycles of this routine one should be able to figure out the "perfect CSP rule" for this specific TB installation....

     Btw, I also found this post on the PrestaShop forum where people talk about this problem; it seems that it is a complex thing due to lots of inline stuff from within PS and from outside PS. I guess that for TB it is the same.
     https://www.prestashop.com/forums/topic/614928-prestashop-is-not-compatible-with-content-security-policy-csp/

     I tried to implement a very very permissive CSP policy to start with; everything seems to work fine so far:

     Header always set Content-Security-Policy "default-src 'self'; font-src *; frame-src *; img-src * data:; media-src * data:; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';"

     However, with these rules the CSP header is there just for formal reasons, according to the principle expressed by some alleged security experts that having a very permissive CSP header is anyway better than having none. In conclusion, according to me it would be nice to have a decent CSP header to rely on for TB. So I launched a "quest" in another thread; whoever is interested in creating the "perfect CSP rule" for TB, please read it:

     Thank you
     Best regards
     R.
  5. Hello

     I am working on my server to get a high rating for what concerns SSL and headers. So far I managed to get TLS v1.2 and 1.3, disabled v1 and v1.1, and added a number of headers to avoid a low security grade, so I implemented the following headers: X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy, Permissions-Policy, Strict-Transport-Security

     For the Content-Security-Policy header, aka CSP, I set a very permissive rule set, which allows practically almost everything, so it is not really effective; however, having it is anyway better than not having it at all:

     Header always set Content-Security-Policy "default-src 'self'; font-src *; frame-src *; img-src * data:; media-src * data:; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';"

     Now, using this CSP rule almost everything works fine, but I would like to begin to build a proper rule set to be used with Thirty Bees, so as to be able not only to score a higher mark for security policies from crawlers and engines but also to effectively harden the security of the shop.

     As far as TB itself is concerned, which would be the minimum rule set to use so as not to have troubles? E.g. in a TB 1.2 installation I am testing on, using the rule set posted above, if I try to use the core updater there is a problem:

     ==================
     Version to compare to: request failed, see JavaScript console

     The dropdown menu does not work, so it is not possible to choose a version; in the Java console I read this:

     Content Security Policy: a resource on https://api.thirtybees.com/coreupdater/master.php was blocked by the configuration of the page (“default-src”). jquery-1.11.0.min.js:4:25949
     Request to https://api.thirtybees.com/coreupdater/master.php failed with status 'rejected'. controller.js:102:15
     ==================

     So even using such a very liberal rule set some functionalities are broken. Of course, for emergency cases it is always possible to remove this CSP string from httpd.conf, restart the Apache service, do the update, put the string back in httpd.conf, restart Apache and it is done, but how much better would it be to know which is the magic string that allows TB to work fine and at the same time gives an extra protection layer on the website?

     I thought that it is a common interest for every merchant/developer to define a CSP for TB core and native modules at least. I am not expert and fond enough to do it all by myself, but I am pretty confident that it can be done together here in the forum. My idea is to remove the unsafe rules one at a time, check what happens in the debug console and add the appropriate rules to have it working right. E.g. the request rejected above does not fall into any of the rules, so it falls back to default-src 'self'; I imagine that adding the domain api.thirtybees.com will solve the problem, but with which correct syntax should it be added? Should it be added to the default-src rule? Or is it better to add another specific rule for this kind of request?

     Anyone who is interested in creating "the perfect CSP" string for TB, please do participate in this "quest". The main goal is to have a CSP string that allows TB core and native modules to work without problems and that prevents other operations, so as to harden the shop installation; if then people want to add more rules to have third-party modules and other stuff working, that can be listed as extra.

     By the way, searching for how to solve this task I stumbled upon a WordPress module that automatically reports the blocked requests after introducing a basic restrictive CSP header in the server, then automatically outputs the formatted CSP string to have everything working right. I think that a native module of this kind is interesting for TB; I add this proposal also in the "feature request time" topic.

     P.S.: the website I used to check the headers is this one: https://securityheaders.com I tried to check what the biggies do and surprisingly not many implement all the suggested headers, and some also do not implement the CSP header. I do not really know how much this is going to affect a website for non-security-related matters, e.g. ranking; obviously biggies are a case apart and are favoured no matter what. However, I thought that in general having these headers set up is maybe better than not having them.

     I used this website to check SSL: https://www.ssllabs.com/ssltest/analyze.html While on a website one can get even an A or A+ mark for what concerns SSL, if no proper headers are adopted too there are still many ways to perform exploits on the website. I read some comments telling that they are important and that the SSL test alone is incomplete, giving a false reassurance if not carried out together with a headers test. I would like to know more about it; what is your opinion in this respect?

     Thank you
     Best regards
     R.
  6. Hello

     I installed this module, GDPR PRO, now version v2.1.15, with TB1.2 + Panda theme v 1.5.5. It presented the same errors as described above, and I solved the issue in the same manner. The complete list of substitutions to be done is here below:

     createDatabaseCustom instead of createDatabase
     dropDatabaseCustom instead of dropDatabase
     createMissingColumnsCustom instead of createMissingColumns
     createColumnCustom instead of createColumn
     getDatabaseColumnsCustom instead of getDatabaseColumns

     After substituting all these words it will be available for installation.

     After installation, as ALM wrote above, in fact it seems that the acceptance of the policy is not saved: each time the visitor refreshes the page or visits any other page the popup appears again. This however is not a bug; after installation it is necessary to configure the module. In the configuration panel, in the top right corner, click on the "GDPR enabled modules" button, there set up at least one module to be shown to the client in the warning popup in the front office, save and go to the front office to check. The popup will appear; click on the "more info" button, see how the module you set up is now shown, then click accept. Try to refresh the page or navigate to other pages; the popup should not appear any more.

     Thank you
  7. Hi Slick Yes, it is where I looked, found no errors logged concerning the issue I got. So I got no info about. Ok, now I do concentrate to conclude more important tasks, will get back on this afterwards. Thank you so far
  8. Hi Datakick Thank you I found a log folder in the root, the latest error reported is not about the issue I got, I did search in the folders and found only few log folders/files and none is related to this issue Where do I find the error log?
  9. Hi

     I am sorry, as you asked where it comes from I recalled that it is not a built-in feature, you are right; these two modules, custom tabs and related products, come from the sunnytoo transformer and panda themes... Thank you for the answer, it helped me make up my mind about it; I was thinking that they were a couple of built-in features... ^^ (being a merchant and having to deal also with all this techy stuff can be very distressing, sorry..)

     This TB1.1 installation is transplanted from another server, so when I transferred the installation I expected some problems with the PHP version if not using the same one, and in fact it did not work on the latest PHP 7.4. However, switching it downwards from version to version I noticed that with 7.1 it began to work, and I left it there as it seemed fine, so at the moment this vhost is set up to work as follows:

     Distro Name: CentOS Linux release 7.9.2009 (Core)
     PHP: php-fpm
     Php Version: 7.1
     Apache: Yes
     Apache Version: 2.4
     Nginx: Yes
     Nginx Version: 1.6

     Now that I understood my mistakes and confusion I tried to reset the custom extra tab module. Apart from the fact that I lost some data which I need to retrieve, I noticed that anyway it does not work as expected; in fact from within the product edit page it does not work the same way, meanwhile the tabs created within the module do work, same faulty behaviour. On the other server it worked fine, on this new one not. Can it maybe depend on the PHP version used or some missing PHP module/extension?

     I know that this is not an issue of TB itself only at this point, however if anyone knows about such a problem any tip is welcome. Does anyone know which is the highest PHP version in which the transformer theme modded by the sunnytoo guys works well with tb1.1?

     Thank you.
  10. Hello

      On a TB 1.1 installation I created the extra tab in a product a while ago, and all worked pretty fine. I cloned that same product and noticed that the extra tab was not created. So I began to try to create the same tab in those cloned products and I noticed that when I click save it does not work; the message "saved" does not appear, and when I get back in the panel to check I see that nothing was saved in fact. I tried to modify the content of the tab in the same product from which I cloned those new ones; the same happens, there is no way to save anything. Then I tried to create a new product and create the extra tab in it; same results, it does not save anything. The debug mode is active, but I see no error message. What should I check to discover what is causing this?

      Update: trying to add related products I got the same error; it does not save, no error messages, nor does the message "saved" appear; getting back to the tab to settle it, nothing of what I selected appears...
  11. Hi

      This is my opinion: it is not about keeping on the 1.6 version, but about getting rid of the amazing amount of troubles and lacks in PrestaShop + getting rid of a company that did a good job creating/developing PrestaShop but also kept in it a lot of nonsense and caused many troubles over time. One of the things they did that most kept punching in the eyes is how version after version the same bugs and inconsistencies were left there and how bad their update system was.

      Personally I always had a double feeling about PrestaShop, good on one side and a nightmare on the other. When they then did 1.7 and I tried it, I deemed it terribly bad and soon understood that it could not become any better for me over time, because of the language translation system, which is just horrible, rigid, lengthy, slow, absurd I would say. In PS 1.7 I saw no special improvements; on the contrary I saw a regression to worse standards. I just could not understand the choice to cripple the translation system in such a bad way.

      I do not know about the other users' experience in this respect, but for myself I learnt not to trust at all the PrestaShop company and their marketplace; I had many frustrating experiences and became allergic to them. That's my 5 cents about it. Happy that TB was done and that it is kept alive.
  12. Hi Lesley

      I understand, and yes, much care about how to create and manage the catalogue and all the rules would be needed if those features are used. Sure, if a seller does not pay enough attention and does not keep up a rigorous logic, they would end up with some messy situations or, worse, even quite a mess. However, that would be up to the seller: if they set up a logical, clear scheme they would take the advantages; if they begin to mess up the catalogue they would surely end up with many products that cannot be bought.

      That said, I still think that it would be good to have the opportunity to use these features; not all e-commerce shops sell "simple" products for which it is sufficient to have the same carriers and the same payment methods for all products. Personally, as a seller I would be more than happy to have the features I mentioned. I know that some extra care should be taken, but this is part of our job as sellers.

      As an example, in some shops a few core products make up the big part of sales; for the seller it is much more important to have those specific groups of products fixed in a very precise and proper way according to the case. If a client wants to buy also other side products which cannot fit in the same cart due to restrictions, it is not a great problem; the important thing is that they can proceed with the core product. The problem of the side products can be very easily solved by explaining to the client that they must do another separate order with all the side products; that can be included in the core product info as an example, or communicated at sign-up time, e.g. "welcome Mr X, thank you ....etc..., If you want to buy other products other than CORE PRODUCT; please do a separate order, or just contact us and we will help you ...."

      With that I just want to underline the fact that clients can be very happy to deal with unusual shops as long as they can concentrate on the core interests that they have; in a way it can even be positive to stimulate a direct contact or in general to keep the attention focused on the core reason for which the client landed on the shop. According to me there is no strict need to keep the e-commerce platform "dummy proof": the special features can be there, those who do not need them do not use them, those who play with them and fail can reset and try again in better ways, those who need them and know what they are doing can take advantage of them; on the contrary, no special features = less chances, it is that simple IMHO.

      Thank you for the information given so far, it was pretty useful, I already fixed a few things.

      Thank you
      Best regards
  13. Hi Lesley

      If the seller creates a payment method and assigns it to a special carrier, and assigns certain products to be shipped with that carrier and does not enable clients to use other payment methods for those specific products, that, although a sort of reverse logic is used, does work and solves the problem. This kind of compromise solution is fine enough, even though according to me the possibility to assign a payment method directly to products would be much more logically linear; however, it is a workaround and there is nothing wrong in using it.

      Now let's say that the seller decides that for all other products clients can choose which payment method they prefer, and can also choose which carrier they prefer. For all these other products, how can the seller let the client have a discount only if they decide to pay with bank wire transfer, and not let the client have the discount if they decide to pay with credit card, but at the same time let the client choose one of the several carriers available? The only idea that comes to my mind is to create a double for each carrier, one telling the client e.g. "Pay with bank wire and ship with DHL, you get a discount X%" and the other one "ship with DHL". This would work, but it is not an easy-going workaround and does not look good in several respects.

      To look good, the client should just be prompted to choose a carrier and choose a payment method; if they choose a payment method that imposes a surcharge or allows a discount, it should be settled within the payment configuration itself. That is what I think every client expects to see: easy, clear, two clicks and done. In my opinion, forcing the clients to read a lot of extra options that are not needed, and the seller e.g. to deal with a double amount of carriers' configurations, e.g. update the shipping fares in more carriers and so on...., is not a good thing, nor very attractive for those who do not know thirty bees yet and are evaluating which software to adopt for their own shop or a client's shop.

      Even though in fact it is somehow possible to solve these issues with workarounds, I still insist that it would be a very nice thing to have it settled in a more straight and simple way, so the ability to assign a payment method directly to products and, in the customized payment module, the possibility to directly add a discount or a surcharge (e.g. for COD payment) without the need to create a cart rule. In my opinion that would be greatly appreciated.

      Thank you
      Best regards
  14. Hi Haylau thank you, will check it out next month
  15. Hi Lesley, thank you Yes, it works, I settled the customized universal payment module a time ago and did not remember that allows to choose a carrier, went back into that panel, and yes, the method you suggest works, so that is covered. What I could not do is to set a discount without a coupon that can be applied only to clients who chose to pay with bank wire. When creating a rule for the cart if no coupon code is created the discount is applied to everyone, if a coupon is created the problem is only half solved because the client need to receive it before placing the order, furthermore if that code is shared also clients paying elseway might try to use that same coupon code. So maybe could be good to add to the cart rules configuration panel the possibility to indicate that a discount is valid only with certain payment methods Thank you
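
The record-blocked-requests-then-tighten cycle described in posts 4 and 5 above, as an added example that is not part of the original posts and is neither thirty bees nor WordPress module code: it folds CSP violation reports into a policy that starts from `default-src 'self'` and prints the resulting Apache line. The reports and the hosts `shop.example` and `fonts.example` are constructed, and reporting the blocked core-updater request under `connect-src` is an assumption based on it being a script-initiated request, which that directive governs.

```python
"""Turn collected CSP violation reports into a tighter policy (added example)."""
import json
from urllib.parse import urlsplit

# Starting point: only the restrictive fallback, no wildcards or 'unsafe-*'.
BASE_POLICY = {"default-src": ["'self'"]}

# Browsers may report the -elem/-attr sub-directives; fold them into the parent.
PARENT = {"script-src-elem": "script-src", "script-src-attr": "script-src",
          "style-src-elem": "style-src", "style-src-attr": "style-src"}


def _report(directive, blocked):
    # Constructed report in the JSON shape browsers POST to a report-uri endpoint.
    return json.dumps({"csp-report": {
        "document-uri": "https://shop.example/admin/",
        "effective-directive": directive,
        "blocked-uri": blocked}})


SAMPLE_REPORTS = [  # constructed sample input
    _report("connect-src", "https://api.thirtybees.com/coreupdater/master.php"),
    _report("script-src-elem", "inline"),
    _report("img-src", "data"),
    _report("font-src", "https://fonts.example/shop.woff2"),
    _report("connect-src", "https://api.thirtybees.com/coreupdater/master.php"),
]


def source_for(blocked_uri):
    """Return the CSP source expression for a blocked URI, or None when
    allowing it would need 'unsafe-inline'/'unsafe-eval' (a human decision)."""
    if blocked_uri in ("inline", "eval"):
        return None
    if blocked_uri in ("data", "blob"):
        return blocked_uri + ":"
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("data", "blob"):
        return parts.scheme + ":"
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"  # origin only, never the path
    return None


def build_policy(reports, base=BASE_POLICY):
    """Merge reports into a copy of base; return (policy, needs_review)."""
    policy = {name: list(sources) for name, sources in base.items()}
    needs_review = []
    for raw in reports:
        report = json.loads(raw)["csp-report"]
        directive = (report.get("effective-directive")
                     or report["violated-directive"].split()[0])
        directive = PARENT.get(directive, directive)
        source = source_for(report["blocked-uri"])
        if source is None:
            needs_review.append((directive, report["blocked-uri"]))
            continue
        # A specific directive stops falling back to default-src, so seed it
        # with default-src's sources or same-origin requests would break.
        sources = policy.setdefault(directive, list(policy["default-src"]))
        if source not in sources:
            sources.append(source)
    return policy, needs_review


def apache_header(policy):
    """Render the policy as the httpd.conf line format used in the posts."""
    body = "; ".join(f"{name} {' '.join(src)}" for name, src in policy.items())
    return f'Header always set Content-Security-Policy "{body};"'


if __name__ == "__main__":
    policy, needs_review = build_policy(SAMPLE_REPORTS)
    print(apache_header(policy))
    for directive, blocked in needs_review:
        print(f"review by hand: {directive} blocked {blocked}")
```

Entries returned in `needs_review` are inline or eval violations; they call for moving the code into a file or using a nonce or hash rather than an automatic allow-list entry.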