- πΊπΈUnited States TomTech
Automatically closed because Drupal 7 security and bugfix support has ended β as of 5 January 2025. If the issue verifiably applies β to later versions, please reopen with details and update the version.
Recently we had a customer email us because they had somehow been charged 6x their total order amount, resulting in overdraft fees on their account (as well as having the duplicate charges in general). In drilling into this, I have discovered that the function commerce_paypal_ipn_invoice() is called at least twice: once at commerce_paypal_ec_set_express_checkout() before the page redirect, and again at commerce_paypal_ec_do_payment() during the form validation phase.
That function does nothing but return $order_id . '-' . REQUEST_TIME, meaning all calls to it will result in a unique number being generated.
There is a PayPal setting to allow customers to reject duplicate invoices for orders, and that's something we have turned on; however since Commerce PayPal's EC integration will never return a duplicate invoice, this sanity check is bypassed.
The errors the customer received (and the reason why they had been charged multiple times) was "A successful txn has already been processed for this order" and yet somehow the customer was able to continue to charge their account. This seems like a major problem and definitely is a UX issue, since errors are not properly translated into halting the checkout process.
I would suggest we save the Invoice ID in to the $order->data property to ensure that as the order progresses through checkout the correct (and original) invoice number is returned as expected.
Possibly related: #1803950: Double Payments Shown (Charged Once) and No Email Notifications β
Closed: outdated
2.0
PayPal EC
The change/bugfix cannot be fully demonstrated by automated testing, and thus requires manual testing in a variety of environments.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Automatically closed because Drupal 7 security and bugfix support has ended β as of 5 January 2025. If the issue verifiably applies β to later versions, please reopen with details and update the version.