PayPal Express ActiveMerchant integration

Posted 2024-10-10 03:54:36, 1197 characters, 8 views, 0 comments


I am following Ryan Bates' Railscast 146 and it is really helpful. However, I'm trying to remove the cart object from the process, and just process an order individually. The problem I am having is how to establish the amount which is used twice: once to set up the purchase, and then once to actually execute it. This is what I have resorted to doing, but it exposes the amount in the return_url, which I think is probably bad practice:

class OrdersController < ApplicationController
  def express
    # The amount is read from the request and echoed back into the return URL
    response = EXPRESS_GATEWAY.setup_purchase(params[:amount],
      :ip                => request.remote_ip,
      :return_url        => new_order_url(:amount => params[:amount]),
      :cancel_return_url => root_url
    )
    redirect_to EXPRESS_GATEWAY.redirect_url_for(response.token)
  end

  def new
    # The amount comes back in as a param on the return URL
    @order = Order.new(:express_token => params[:token], :price_in_cents => params[:amount])
  end
end

Then in the view, I add a hidden field with the amount so that when the order is created it has the amount built in (I added a price_in_cents field to the order model). It works fine, but exposing the amount as a param may be a little iffy. Finally, the purchase code looks like this:

  def purchase
    response = process_purchase
    transactions.create!(:action => "purchase", :amount => price_in_cents, :response => response)
    cart.update_attribute(:purchased_at, Time.now) if response.success?
    response.success?
  end

In short, how can I do this without passing around the amount in the params?

Thanks!

Comments (2)

浪菊怪哟 2024-10-17 03:54:36


Sending the amount in the URL is very bad practice - it allows one to change the price and purchase whatever you are selling for the amount he specifies in the URL.

I can see two ways around this issue:
1. You can encrypt the parameters you pass, and decrypt them from the URL. See how to encrypt here
2. You can create a new entity that holds the price of the purchase (or, in case you are selling a specific item (since you are not using a cart), you can pass the id of this item and query for its price when you need it). Something like this:

class OrdersController < ApplicationController
  def express
    @product = Product.find(params[:product_id])
    # The price is looked up server-side; only the product id travels through the URL
    response = EXPRESS_GATEWAY.setup_purchase(@product.price_in_cents,
      :ip                => request.remote_ip,
      :return_url        => new_order_url(:product_id => @product.id),
      :cancel_return_url => root_url
    )
    redirect_to EXPRESS_GATEWAY.redirect_url_for(response.token)
  end

  def new
    # Look the product up again on return and take the price from the record, not the request
    @product = Product.find(params[:product_id])
    @order = Order.new(:express_token => params[:token], :price_in_cents => @product.price_in_cents)
  end
end

十级心震 2024-10-17 03:54:36


Thanks for your input guys. I ended up storing the amount in the user's session, something like session[:amount], and then setting it to nil as soon as they finish the process. That way it's hidden from the user and saves me the trouble of creating new objects or encrypting.
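The following is an added example illustrating the two options from the first answer and the server-side storage the asker settled on; it is not code from either poster and does not depend on Rails or ActiveMerchant. Part one is a tamper-evident signed parameter (HMAC-SHA256 rather than encryption: signing lets the server trust a value it round-tripped through the client, encryption would additionally hide it). Part two keeps the amount in a server-side record keyed by the gateway token, so the value charged at execution time is never read from the request, and it refuses to execute when the amount reported back for that token differs from the stored one. SECRET, the ORDERS store, PRODUCT_PRICES and the token strings are constructed for this example.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed for the example; a real app would load this from its secret config.
SECRET = "example-secret-do-not-use"

# ---- Option 1: a signed parameter for the return URL (tamper-evident) ----
module SignedParam
  # Constant-time comparison so signature checks do not leak timing information.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Encodes a payload hash as "<base64 body>.<hex hmac>".
  def self.encode(payload)
    body = Base64.urlsafe_encode64(JSON.generate(payload))
    sig  = OpenSSL::HMAC.hexdigest("SHA256", SECRET, body)
    "#{body}.#{sig}"
  end

  # Returns the payload hash, or nil if the token is malformed or its signature fails.
  def self.decode(token)
    body, sig = token.to_s.split(".", 2)
    return nil if body.nil? || sig.nil?
    expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, body)
    return nil unless secure_equal?(sig, expected)
    JSON.parse(Base64.urlsafe_decode64(body))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# ---- Option 2: keep the amount server-side, keyed by the gateway token ----
# In-memory stand-ins (constructed) for the Order model / session and the product catalogue.
ORDERS = {}
PRODUCT_PRICES = { "widget" => 1999, "gadget" => 4999 } # cents

# Called when the purchase is set up: the price is looked up, not taken from params.
def create_pending_order(product_id, express_token)
  price = PRODUCT_PRICES.fetch(product_id)
  ORDERS[express_token] = { product_id: product_id, price_in_cents: price, purchased: false }
  price
end

# Called on return from the gateway: the only client-supplied input is the token.
def amount_to_charge(express_token)
  order = ORDERS[express_token]
  return nil if order.nil? || order[:purchased]
  order[:price_in_cents]
end

# Before executing, compare the amount reported back for the token with the stored
# amount; a mismatch means the value was altered somewhere in the round trip.
def execute_purchase(express_token, reported_cents)
  expected = amount_to_charge(express_token)
  return :unknown_order if expected.nil?
  return :amount_mismatch unless expected == reported_cents
  ORDERS[express_token][:purchased] = true
  :ok
end

if __FILE__ == $PROGRAM_NAME
  token = SignedParam.encode("amount" => 1999)
  puts "signed param decodes to: #{SignedParam.decode(token).inspect}"
  forged = SignedParam.encode("amount" => 1).split(".").first + "." + token.split(".").last
  puts "forged param decodes to: #{SignedParam.decode(forged).inspect}"
  create_pending_order("widget", "EC-EXAMPLE")
  puts "execute with wrong amount: #{execute_purchase('EC-EXAMPLE', 1)}"
  puts "execute with stored amount: #{execute_purchase('EC-EXAMPLE', 1999)}"
end
```

The session approach from the second answer is the same idea as Option 2 with the session as the store: the amount never leaves the server, and the only thing the client hands back is an identifier. With either store, clearing or marking the record once the purchase executes (as done with `purchased: true` above) also stops the same token from being replayed.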
