- Issue created by @INAScon
A Mollie payment might be attached to the wrong order, which may lead to a completed order while no payment has been done.
Suppose customer A starts a new payment and is redirected to Mollie. While customer A is busy paying, customer B starts a new payment, completes the payment and Mollie reports the status 'paid' back to the webshop. Then customer A is aborting the payment and is redirected back to the webshop.
At that moment, the MollieRedirectEventSubscriber::setRedirectUrl loads the most recent payments, using loadByProperties, and gets the payment of customer B, which has the status 'paid'. So the payment of customer B is now added to the order of customer A and the order is reported as being paid/completed which is not correct!
As described in issue
https://www.drupal.org/project/mollie/issues/3267828
π
PaymentStorage loadByProperties is broken
Closed: won't fix
, the loadByProperties method does not really filter on context and context_id, but loads all recent transactions. This is because "The Mollie API does not support searching in any way.".
In the MollieRedirectEventSubscriber::setRedirectUrl method, we take the most recent payment from the retrieved payments, but that is not always the one with the right context_id.
The patch contains a workaround, which searches the list of payments for the proper context_id (which is actually the order_id).