    • 15001
    • 697 Posts
    Hi romanum,

    For existing customers, I plan to offer:
    - free upgrades for minor revisions,
    - free or very cheap upgrades for major revisions
    - cheap upgrades for new minor versions (a fraction of original purchase)
    - paid upgrades for major versions (e.g. things like new payment gateways)

    For explanations about the differences between minor/major versions and revisions, see the first message of this thread.

    Between two major revisions there is a very noticeable improvement (and a lot of work!).
    For example, I spent the last three days programming the 1.1.2 revision to come soon.
    Currently, it works fine with Firefox, but there are still compatibility issues with some browsers.

    The major difficulty I encounter is that depending on the page (catalog page or product page) and its initial state (cart visibility, buttons visibility), JavaScript can fail on some elements that were not initialized. And the in-page embedded carts bring a lot of problems concerning this. I often have to move chunks of JavaScript code, add conditions, and so on.

    I will need a few days to automate the possibility to get upgrades.
    Meanwhile, I will ship revisions by email to existing customers.

    The top priority is now put on revision 1.1.2.
    Then comes preparing the documentation.

    As you’re fairly new to MODx, I would advise you to wait a little bit if you can.
    If you don’t know the MaxiGallery snippet, you can learn it meanwhile.
    It is a very good complement to TreasureChest.

    The demonstration on my site exclusively uses MaxiGallery to show all pictures. TreasureChest’s picture features (coming in TC 1.0) are not used at all by the demo. Example page: http://www.altipoint.ch/index.php?id=225

    You can also get a first experience setting up charge-free TreasureChest 1.0 (www.treasurechestcart.com) so that you are already familiar with the module if you get the 1.1 version.

    For those interested, I offer TreasureChest 1.1 consulting and setup service.
    There is a contact form on my website for this.

    Regards,

    Julien
    • With what license are you releasing this?
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
        • 15001
        • 697 Posts
        With what license are you releasing this?

        For the basic distribution ("TreasureChest For Autodidacts"), the answer was in your previous message:
        If it’s a derivative of the original TC, it has to be GPL, since that’s the license of the original TC. It can be charged for, but once you get it you can do whatever you want with it.
        as long as you respect the GNU/GPL.
          • 15001
          • 697 Posts

          TreasureChest 1.2

          TreasureChest 1.2 is now officially released.
          Compared to the 1.1 version, TreasureChest 1.2 brings the following improvements:

          1) +1/#/-1 widgets now fully implemented (add-one / count / remove-one)
          and synchronized with the operations in the Thickbox view of the cart

          2) Accented characters fully supported in option names without need to encode them,
          also for sites which are not in utf-8.
          (typically the sites whose pages are encoded in latin-1)

          3) When a summarized cart view is embedded into a page and you do some change
          in the detailed thickboxed cart view, the changes are automatically
          reported in the summarized cart view on the page in the background.
          (You can test from the demo.)

          4) The thickbox displaying the cart closes automatically when the last product in it is removed.

          5) Corrections on stylesheets bringing better compatibility for Macintosh users.

          6) Setup simplified and installation notes improved.
            • 15001
            • 697 Posts
            TreasureChest 1.2.1 -- Confidentiality fix

            TreasureChest demo is available again: www.altipoint.ch/demo_treasurechest

            TreasureChest 1.0 to 1.2.0 were affected by a confidentiality issue coming from the original version: the merchant PayPal token id and merchant email address could be read by the visitor using tools like Firebug by scanning the data returned by an ajax "POST" request sent by "treasurechest.js" to get configuration data.
            This was fixed with TreasureChest 1.2.1 and critical data are no longer sent to the user-agent (i.e. browser).

            Temporarily, the "checkout" button was removed from the Thickbox.
            It remains available on catalog pages. It can of course also be added to product pages if wished.
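
The fix described in this post, sketched as an added example (not TreasureChest's own code, whose server side is PHP): the body returned to the configuration request is built from an allowlist, and a regression check scans that body for secret values. All setting names and values are hypothetical and constructed.

```javascript
// Constructed server-side settings; key names and values are hypothetical.
const SERVER_CONFIG = {
  currency: "CHF",
  cartSelector: "#tc-cart",
  checkoutUrl: "/index.php?id=CHECKOUT_PAGE_ID",
  merchantEmail: "merchant@example.test", // must stay on the server
  pdtToken: "PLACEHOLDER-PDT-TOKEN",      // must stay on the server
};

// Only keys listed here may ever reach the browser.
const PUBLIC_KEYS = ["currency", "cartSelector", "checkoutUrl"];
const SECRET_KEYS = ["merchantEmail", "pdtToken"];

// Build the AJAX response from an allowlist rather than by deleting known
// secrets, so a setting added later is private by default.
function publicConfig(config, publicKeys = PUBLIC_KEYS) {
  const out = {};
  for (const key of publicKeys) {
    if (Object.prototype.hasOwnProperty.call(config, key)) out[key] = config[key];
  }
  return out;
}

// Regression check: names of the secret settings whose value appears anywhere
// in the serialized response, including nested or under a different key.
function leakedSecrets(responseBody, config, secretKeys = SECRET_KEYS) {
  const text =
    typeof responseBody === "string" ? responseBody : JSON.stringify(responseBody);
  return secretKeys.filter((key) => {
    const value = config[key];
    return typeof value === "string" && value.length > 0 && text.includes(value);
  });
}
```

Running `leakedSecrets` against the real response of the configuration endpoint after each release catches a secret that slips back in under a new key name.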
              • 37099
              • 338 Posts
              Quote from: Jul at Jun 21, 2010, 07:08 PM

              TreasureChest 1.0 to 1.2.0 were affected by an important security issue coming from the original version: the merchant PayPal token id and merchant email address could be read by the visitor using tools like Firebug by scanning the data returned by an ajax "POST" request sent by "treasurechest.js" to get configuration data.
              This was fixed with TreasureChest 1.2.1 and critical data are no longer sent to the user-agent (i.e. browser).

              Why is this a security issue? What harm could be done with this information?
                • 15001
                • 697 Posts
                Why is this a security issue? What harm could be done with this information?

                Well. I tried to figure out what harm could be done when knowing the merchant business email and the PayPal merchant’s pdt token. I cannot see much so far and consequently corrected my previous message. In fact the problem of TreasureChest’s older versions with regard to those data lies more in confidentiality than security.

                Explanations
                A non-encrypted business email in the source code of product pages, which concerns TreasureChest 1.0, is problematic: spam robots can read it.
                Since TreasureChest 1.1, the PayPal form is ciphered.
                With TreasureChest 1.1 and 1.2.0, the merchant email was still visible in an array storing key-value data. Maybe some sophisticated spam-robots could read it from the DOM. However I never received any spam at the merchant email of the dummy demo e-commerce. Since TreasureChest 1.2.1, your merchant email address is also hidden from Firebug users. All buyers who complete a purchase will see your merchant email in the confirmation email that PayPal sends to them, but this highly limits potential spam.
                Hiding the merchant email also reduces the risk of people sending pseudo PayPal transaction confirmations to your IPN system. However, for each transaction, TreasureChest (since original version 1.0) opens a socket through which it sends the information relative to the cart and asks PayPal to verify the transaction. This is done behind the scenes and you cannot see it. If PayPal does not confirm the transaction, your sales database is not updated.
                Moreover, TreasureChest checks for duplicate transactions. This means that the same transaction cannot be sent twice to the database. So, for maximal security, don’t remove old sales from the sales table, unless you have thousands of records that slow down your system too much.

                Concerning the pdt merchant token, it is used by the PDT service. This service asks PayPal to return information about some transaction, so that it can be displayed on your "Thank you" page. For this, one needs both the transaction id and the pdt token. If a buyer can find your PayPal PDT token, and combines it with his transaction id, he could potentially ask PayPal for all information about his purchase, which corresponds to the PDT placeholders displayed here. Most of them can be shared with your buyer, but maybe you don’t want your buyer being able to get the information corresponding to [+pdt.protection_eligibility+] telling if you benefit from some protection as merchant. I think however that a buyer would fail in cheating you with a merchant token, as the pdt destination page is set in your PayPal merchant account.


                In conclusion:
                - TreasureChest 1.0 offers a reasonable level of security.
                - TreasureChest 1.1 to 1.2.0 offer better security and email confidentiality through the form ciphering.
                - TreasureChest 1.2.1 is a "confidentiality" fix.

                TreasureChest 1.3 will come with even more security.
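
The server-side checks described in this post (confirmation by PayPal, then duplicate detection), as an added example that is not TreasureChest's code. The verifier is an offline stand-in for the postback to PayPal and the messages are constructed; `txn_id`, `mc_gross` and `payment_status` are PayPal IPN variable names.

```javascript
// Offline stand-in for the server-to-server check: the real handler sends the
// received fields back to PayPal with cmd=_notify-validate prepended and PayPal
// answers "VERIFIED" or "INVALID". Here a constructed list of messages plays
// the role of PayPal's records.
function makeVerifier(issuedMessages) {
  const issued = new Set(issuedMessages.map((m) => JSON.stringify(m)));
  return (msg) => (issued.has(JSON.stringify(msg)) ? "VERIFIED" : "INVALID");
}

// `sales` is a Map keyed by txn_id standing in for the sales table. It is
// updated only when PayPal confirms the message and the id is not yet stored.
function handleIpn(msg, verify, sales) {
  if (typeof msg.txn_id !== "string" || msg.txn_id === "") return "rejected: no txn_id";
  if (verify(msg) !== "VERIFIED") return "rejected: not confirmed by PayPal";
  if (sales.has(msg.txn_id)) return "rejected: duplicate transaction";
  sales.set(msg.txn_id, { gross: msg.mc_gross, status: msg.payment_status });
  return "recorded";
}

// Constructed sample messages.
const genuine = { txn_id: "TXN-CONSTRUCTED-0001", mc_gross: "0.01", payment_status: "Completed" };
const forged = { txn_id: "TXN-CONSTRUCTED-9999", mc_gross: "0.01", payment_status: "Completed" };
const tampered = { ...genuine, mc_gross: "100.00" };

function demo() {
  const verify = makeVerifier([genuine]);
  const sales = new Map();
  const results = [
    handleIpn(genuine, verify, sales),  // first delivery
    handleIpn(forged, verify, sales),   // never issued by PayPal
    handleIpn(tampered, verify, sales), // real id, altered amount
    handleIpn(genuine, verify, sales),  // same message delivered again
  ];
  sales.delete(genuine.txn_id);         // old sale removed from the table
  results.push(handleIpn(genuine, verify, sales)); // now recorded a second time
  return results;
}
```

The last call shows why the post advises keeping old rows in the sales table: the duplicate check only knows the transaction ids that are still stored.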
                  • 15001
                  • 697 Posts

                  Code optimization:

                  The jQuery library and most plugins were externalized outside of the treasurechest.js script.

                  The demo is running again.
                  Additional optimizations in the coming days could cause temporary disruptions.
                    • 1892
                    • 82 Posts
                    Hi,

                    I’m looking at setting up a small online store for a small club - TreasureChest1.2 looks promising but I can’t find on your site a list of features. Am I missing something?

                    So the things I’m interested in are -

                    • In addition to paypal what other payment options are available?
                    • Can the user printout an order form with an order number? i.e. the order is "pending" and they can then send in a cheque as payment.
                    • Again another pending order option where the user can place an order and then use direct bank transfer to pay for it quoting the order number.
                    • Can I set the system up to apply discounts for registered members? Although we’ll sell to anyone I’d like registered members to get a % discount on all orders
                    • The original treasurechest mentioned stock/inventory control - how does this work in TC1.2? The demo works for the front end user but I’m keen to see how it works in the backend manager
                    • Finally do you have any links to active online shops using TC1.2?

                    Regards

                    Adrian Cherry
                      • 15001
                      • 697 Posts
                      Hi Adrian!

                      Please find here below answers to your questions.

                      In addition to paypal what other payment options are available?

                      Currently, TreasureChest only accepts PayPal.
                      However, credit cards may be accepted directly from PayPal and without having a PayPal account if this option is activated in the PayPal merchant account. This is the case with the demo. Unfortunately, I could not test this feature since I don’t have c.c. myself. We can perform tests with a 0.01$ dummy product if you want.

                      Additional payment methods could potentially be added, but each one presents important differences at some point.
                      For this reason, I’m currently not sure if I would adapt TC or write a new cart system from scratch. The second option would take much more time but be better for long-term evolution. The problem is also a question of funding.

                      Can the user printout an order form with an order number? i.e. the order is "pending" and they can then send in a cheque as payment.

                      No, currently there is no "pay later" option. However, I think it would be possible to hack the snippet and the underlying class so they update the database "sales" table. For this, one would need to call directly the "ipn" service or to add a new equivalent service. In TreasureChest’s backend there is a drop-down list telling if the product was shipped or not. It would suffice to add an option telling that the product was not paid. To see the backend, you can install the TreasureChest 1.0 version. The backend of the 1.2 version is very similar.

                      Concerning bills, it would be necessary to call the "pdt" service and to fake PayPal. A little bit of hacking in TreasureChest code would be necessary. The vouchers that the "pdt" service outputs can be set the way you want through the templates and the many placeholders. See for instance this picture: http://www.altipoint.ch/preview/copies_ecran_treasurechest/TreasureChest_example_detailed_voucher_annotated.png
                      You can also run the demo with a 0.01$ demo dummy product as it is fully functional.

                      Currently the transaction number is dynamically set by PayPal but we could use custom numbers if doing a "pay later" transaction.
                      I’m open to proposals for custom changes.

                      Again another pending order option where the user can place an order and then use direct bank transfer to pay for it quoting the order number.
                      If we implement the "pay later" option, then the user could write the number on his bank transfer. Then, it would be possible to update the status of the sale using the Sales Manager in TreasureChest’s backend.

                      Can I set the system up to apply discounts for registered members?
                      Although we’ll sell to anyone I’d like registered members to get a % discount on all orders

                      TreasureChest does not require registration as the buyer address is automatically retrieved from his PayPal account. However, you could install TreasureChest twice.
                      One install would be done in a reserved section that non-members cannot access.
                      Basically, the TreasureChest snippet can be saved with another name.

                      It would also be possible to hack the treasurechest.class.php file to apply discounts if a user is logged on as webuser. PayPal offers several fields to apply discounts. I’m not an expert with WebloginPE and this is not implemented in the current distribution.

                      As always with MODx, what you can do depends on how much you accept getting your hands dirty. ;-)

                      I’m currently writing a book about TreasureChest and I hope this will help.
                      Unfortunately I’m lacking time to finish it and the English version should not be expected for at least one month.

                      The original treasurechest mentioned stock/inventory control - how does this work in TC1.2? The demo works for the front end user but I’m keen to see how it works in the backend manager
                      It’s the same for TreasureChest 1.2 as for TreasureChest 1.0.
                      I agree, some screenshots of the backend are lacking.
                      I’ll try to prepare a few.
                      As mentioned above, you can also install TreasureChest 1.0 to see what the backend looks like.

                      Finally do you have any links to active online shops using TC1.2?
                      Unfortunately not yet. The demo is fully functional however and works like a true online shop. You can go up to the "Thank you" page displaying the voucher.

                      Regards

                      Julien