#111, 06-24-2013, 07:31 PM
cflsystems (Veteran; Join Date: Apr 2007; Posts: 14,190)

Re: X-Cart 4.6 released

Doing an upgrade from 4.1.9 to 4.6.0. The new security features are a real pain in the ass. QT - PLEASE revise them, and also make sure the config.php in the installation and the one in the upgrade packs have these features OFF by default - ALL of them.

I had to do the upgrade on a separate server and, once the db was upgraded, move it back to the production server - apparently the new security features are tied to IP (otherwise I don't see why login would fail) and generate the signatures in the customers tables based on that... Please correct me if I am wrong.

This causes failed logins once the db is moved to a different server. While the 4.6.0 installation can be done with most of these features OFF, an upgrade cannot - the config.php in the upgrade packs has them all set to IP or ON, and modifying them in the file causes the MD5 checksum to fail, so the upgrade cannot be performed...

I am all for security, but when this security stands in the way of normal store operation it is more of a software malfunction than an improvement.

The only way to log in was to go through "reset password", which by the way caused the following SQL error:

Quote:
[24-Jun-2013 19:46:32] SQL error:
Site : URL
Remote IP : IP
Logged as : LOGIN
SQL query : REPLACE INTO xcart_login_history (`userid`, `date_time`, `usertype`, `action`, `status`, `ip`) VALUES ('27124', '1372128392', 'P', 'check_critical_config_values_authenticity: * Notify the site administrator about SQL errors in the store by email *Possible fake allowed IP addresses and/or the list of IP addresses awaiting registration *Check if payment gateway response is coming from the IP's specified here (enter a comma separated list) *Login error notification to site administrator *Possible fake allowed IP addresses and/or the list of IP addresses awaiting registration *Site administrator email address *SMTP server *Notify the site administrator by email if unallowed request to site occurs *Use SMTP server instead of internal PHP mailer *IP addresses for X-Payments callbacks (optional)', 'restricted', '1136079444')
Error code : 1064
Description : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's specified here (enter a comma separated list) *Login error notification t' at line 1
Request URI: /store/xcart/admin/home.php
Backtrace:
/store/xcart/include/func/func.db.php:320
/store/xcart/include/func/func.db.php:217
/store/xcart/include/func/func.db.php:711
/store/xcart/include/func/func.user.php:1580
/store/xcart/include/func/func.security.php:141
/store/xcart/admin/auth.php:103
/store/xcart/admin/home.php:44
-------------------------------------------------

Note the part marked in red/bold - the unescaped '

I continue to see this error as well:
Quote:
[24-Jun-2013 18:03:13] Error: Smarty error: [in main/orders_list.tpl line 54]: [plugin] modifier 'order_status_color' is not implemented (core.load_plugins.php, line 11 in /include/lib/smarty/Smarty.class.php on line 1093


Also, doing an upgrade from 4.5.x to 4.6.0 results in no SQL or PHP errors on the 4.6.0 cart, but installing a new unmodified 4.6.6 Gold+ shows this PHP error:

Quote:
[24-Jun-2013 19:52:16] PHP Fatal error: Cannot call method self::arg1PlusArg2() or method does not exist in /include/func/func.product.php on line 663

and this SQL error:

Code:
SQL query : SELECT DISTINCT xcart_products.productid
  FROM xcart_products
  INNER JOIN xcart_products_lng_en ON xcart_products_lng_en.productid = xcart_products.productid
  INNER JOIN xcart_products_categories ON xcart_products_categories.productid = xcart_products.productid AND xcart_products_categories.avail = 'Y'
  LEFT JOIN xcart_category_memberships ON xcart_category_memberships.categoryid = xcart_products_categories.categoryid
  LEFT JOIN xcart_product_memberships ON xcart_product_memberships.productid = xcart_products.productid
  WHERE (xcart_category_memberships.membershipid = '0' OR xcart_category_memberships.membershipid IS NULL)
    AND (xcart_product_memberships.membershipid = '0' OR xcart_product_memberships.membershipid IS NULL)
    AND xcart_products.forsale='Y'
    AND xcart_products_categories.main='Y'
    AND xcart_products_categories.categoryid='9871'
    AND price >= '399.00'
    AND product >= 'Bronze Lite Class: H.264 8 Channel DVR - Apple IPHONE MAC OSX Windows PC Compatible'
  ORDER BY price ASC, xcart_products_lng_en.product ASC
  LIMIT 2
Error code : 1054
Description : Unknown column 'price' in 'where clause'
Request URI: /store/xcart/product.php?productid=53748&cat=0&featured=Y
Backtrace:
/store/xcart/include/func/func.db.php:320
/store/xcart/include/func/func.db.php:217
/store/xcart/include/func/func.db.php:516
/store/xcart/include/func/func.product.php:1527
/store/xcart/include/func/func.product.php:555
/store/xcart/include/func/func.product.php:459
/store/xcart/include/func/func.product.php:425
/store/xcart/product.php:327

The pricing table is missing from the above query, so "price" is unknown...

This is with freshly downloaded upgrade packs and the new release installation pack.

@Ksenia - I was not complaining, although it would be a reasonable complaint - RE the product configurator. There are many XC owners with old carts who either bought this module before or had it included free with the cart and are using it. The new XC line took this module out (fine), but not one upgrade pack checks if this module is in the modules table and if it is ON in the upgraded db, and, if not, gives some sort of notification at least to turn it OFF. Every single upgrade I have done since this new line was introduced has had the module (or the comparison module) ON, and this causes the cart to not work after an upgrade - until this module is turned off or the files are uploaded. The least the upgrade pack can do is turn off these modules - not delete their reference, but so they don't load - and leave a note for the admin on first login.... just an idea.


Another one - not sure how you want to handle this - but since 4.6.0 has some new module info like tags, url, author..., with an upgrade the modules already in the db do not have this info - maybe it is not a bad idea to allow the admin to re-categorize modules so the existing ones do not receive just the generic "ALL" tag.... just something to think about, not a bug or anything....
__________________
Steve Stoyanov
CFLSystems.com
Web Development
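The unescaped apostrophe in the xcart_login_history REPLACE above is the usual string-interpolation bug: the action text ("the IP's specified here") is spliced into the SQL as a quoted literal. The following is an added example, not X-Cart's code, using Python and sqlite3 as a stand-in for the PHP/MySQL layer; the table layout and the shortened action text are constructed from the log in this post. It reproduces the syntax error and shows parameter binding storing the same text intact.

```python
import sqlite3

# Constructed from the post's log: the action text carries an apostrophe,
# which is exactly what terminated the string literal in the real query.
ACTION = ("check_critical_config_values_authenticity: *Check if payment gateway "
          "response is coming from the IP's specified here")
COLUMNS = "(userid, date_time, usertype, action, status, ip)"


def make_db():
    """In-memory table assumed to mirror xcart_login_history (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute(f"""CREATE TABLE xcart_login_history {COLUMNS.replace(')', ' ,PRIMARY KEY (userid, date_time))')}""")
    return con


def log_login_unsafe(con, userid, date_time, usertype, action, status, ip):
    # Same construction as the failing query: every value is quoted and
    # concatenated into the statement, so a quote in `action` becomes SQL.
    sql = (f"REPLACE INTO xcart_login_history {COLUMNS} VALUES "
           f"('{userid}', '{date_time}', '{usertype}', '{action}', '{status}', '{ip}')")
    con.execute(sql)


def log_login_safe(con, userid, date_time, usertype, action, status, ip):
    # Parameter binding: values travel separately from the statement text,
    # so quotes in the action text are data, never syntax.
    con.execute(
        f"REPLACE INTO xcart_login_history {COLUMNS} VALUES (?, ?, ?, ?, ?, ?)",
        (userid, date_time, usertype, action, status, ip),
    )


def try_unsafe(con):
    """Return None if the interpolated query ran, else the driver's error text."""
    try:
        log_login_unsafe(con, 27124, 1372128392, "P", ACTION, "restricted", 1136079444)
        return None
    except sqlite3.OperationalError as err:
        return str(err)


def stored_action(con, userid=27124):
    """Fetch what actually landed in the history row, or None if nothing did."""
    row = con.execute(
        "SELECT action FROM xcart_login_history WHERE userid = ?", (userid,)
    ).fetchone()
    return row[0] if row else None
```

The safe variant is also what makes the login-history row survive when the notification text contains any other SQL metacharacter, which is the real reason to bind rather than escape by hand.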