  • 0

Clear Dysfunction With Blesta's Workflow


Question

Client goes through checkout process for mydomain.com. Invoice is created, pending account is created. Doesn't pay.

 

Client comes back, goes through checkout process for mydomain.com. Invoice is created, pending account is created. Pays.

 

Goes back to account, applies credits to last invoice. After 5 minutes, account is provisioned.

 

Client sees unpaid invoice and pending account from previous checkout. Keeps receiving outstanding invoice notifications. Goes in and tries to cancel pending service.

 

Because first invoice went unpaid and account was not actually provisioned, Blesta stores same WHM username for both pending account and now active account. When user goes to cancel the pending account, Blesta instructs WHM to delete associated account from WHM, even though account was never created. But, because username is the same as the now active account, WHM deletes the now active account.

 

The result?

 

In Blesta, client sees one active service, one cancelled service, one closed invoice, one open invoice, and they have no active services in WHM.

 

This is all due to the fact that Blesta is creating pending accounts and invoices for clients prior to receiving payment. It also does not allow clients to void invoices and for some reason, allows them to cancel pending accounts that haven't even been created.

 

This is all very strange, atypical, and buggy behavior. I've now manually had to go in and hack the 'Manage' link out from non-active services to prevent this from happening. And I'm still going to have to go in and manually void outstanding invoices.


19 answers to this question


  • 0

I just did a full test as explained above, and the pending account cancellation did in fact delete the WHM account that was active.

 

This is a clear and very dangerous bug - a user that uploads content and sets up their website that tries to delete an old pending service a month later will suddenly lose all of their data in one fell swoop.

  • 0

That's not Blesta's fault the client was a stupid idiot and re-ordered twice, is it? I've had clients do that, so it's normal, and they open a ticket and politely ask me to cancel it. If it's not, then why don't you check orders and cancel non-paid services? Or better still, why not use a plugin created by Blesta to cancel unpaid services after x amount of time?

  • 0

I'm sorry - did you just say, as a professional hosting manager that I am now paying for, I should:

 

1) Check every single new order and manually cancel unpaid invoices and manually cancel pending services every single day?

 

2) Do it before every client that explores the checkout system accidentally deletes their own WHM account through a Blesta bug?

 

I realize you're economically bound to Blesta, but stop talking nonsense.

  • 0

I'm sorry - did you just say, as a professional hosting manager that I am now paying for, I should:

 

1) Check every single new order and manually cancel unpaid invoices and manually cancel pending services every single day?

 

2) Do it before every client that explores the checkout system accidentally deletes their own WHM account through a Blesta bug?

 

I realize you're economically bound to Blesta, but stop talking nonsense.

 

 

Do you run a business? If you work in a factory, you have employees doing the work, a manager checking everything is fine and a boss who overlooks everything in the factory. How hard is it for one person to check orders? Enable the order email notices and use a brain we were born with.

  • 0

I just did a full test as explained above, and the pending account cancellation did in fact delete the WHM account that was active.

 

This is a clear and very dangerous bug - a user that uploads content and sets up their website that tries to delete an old pending service a month later will suddenly lose all of their data in one fell swoop.

 

Can you provide steps to duplicate? What version of Blesta and the cPanel module are you using? Can anyone else duplicate this behavior?

 

Deleting pending services should never issue a cancel command with the module.

 

As for duplicate orders, the best way to go is to cancel those unpaid orders. @naja7host weren't you working on a plugin to cancel incomplete orders after a period of time? I believe we have plans to add this natively as well. For now, staff can perform this action manually.

  • 0

Hey Paul,

 

The steps are outlined precisely in the first post - I will reiterate:

 

1) Go through checkout process for domain.com

2) Do not complete payment.

3) Add duplicate service to cart, same domain.com

4) Complete payment.

 

When you go to your account, you will now see two pending services - both have the exact same WHM username.

 

After the invoice is paid, the associated account will be provisioned.

 

Then go in and cancel the other, still pending account.

 

The now active account will then be deleted in WHM.

 

I have confirmed that when deleting a pending service from the administrative interface, it does not appear to be sending a request to WHM. However, when the client does it from the front end, a request is being sent.

 

Blesta 3.6.1

WHM 56

 

Though the WHM version should have nothing to do with it. I can see the Blesta cancellation request in the logs.

 

Please test this on a live server to confirm it is happening and let me know. As previously stated, this is an extremely dangerous bug, as a user that has a live site may at any point delete a pending service from a previous checkout attempt, and in doing so will purge their entire WHM account without knowing it.

 

The only reason I discovered it to begin with is one of our first sign-ups did precisely this.

  • 0

Hey Paul,

 

The steps are outlined precisely in the first post - I will reiterate:

 

1) Go through checkout process for domain.com

2) Do not complete payment.

3) Add duplicate service to cart, same domain.com

4) Complete payment.

 

When you go to your account, you will now see two pending services - both have the exact same WHM username.

 

After the invoice is paid, the associated account will be provisioned.

 

Then go in and cancel the other, still pending account.

 

The now active account will then be deleted in WHM.

 

I have confirmed that when deleting a pending service from the administrative interface, it does not appear to be sending a request to WHM. However, when the client does it from the front end, a request is being sent.

 

Blesta 3.6.1

WHM 56

 

Though the WHM version should have nothing to do with it. I can see the Blesta cancellation request in the logs.

 

Please test this on a live server to confirm it is happening and let me know. As previously stated, this is an extremely dangerous bug, as a user that has a live site may at any point delete a pending service from a previous checkout attempt, and in doing so will purge their entire WHM account without knowing it.

 

The only reason I discovered it to begin with is one of our first sign-ups did precisely this.

I don't think that is what he meant. He meant the actual version of the provisioning module inside Blesta for provisioning WHM/cPanel accounts, as there are a couple of modules that do that around here. He needs to know if it is the official module inside Blesta itself (comes with Blesta by default) or if it is another module made by someone other than Blesta.

  • 0

Hi Paul,

 

I can't log in or respond on the bug ticket you created on that other site, but I have this recommendation (let me know if it is likely you will take it otherwise I will start coding it myself):

 

Add an optional function in Blesta that is disabled by default, but that an administrator can enable. The functionality is as follows -

 

When a client service is being provisioned from pending to active, Blesta checks to see if there is another pending service with the exact same domain and exact same username, on the exact same server. If so, it will automatically delete that service (without using the module) and void its associated invoice.

 

The current mechanism that creates invoices and pending services for each checkout attempt is both odd and confusing, especially for customers that come back to their account. This will nip a lot of that and minimize the administrative efforts users have to expend to cope with these redundant things. It will also remove the possibility of this bug happening.

  • 0

@naja7host weren't you working on a plugin to cancel incomplete orders after a period of time? I believe we have plans to add this natively as well. For now, staff can perform this action manually.

 

The last 2 months I was totally full time on personal work. Yes, I have the plugin in a test period; I will release it soon, I just need some tweaking now.

  • 0

Can you provide the file location of the fix so that I can manually apply it on my end? I've customized a lot of aspects and would rather implement it manually than risk losing other changes through updates.

Why not just remove the cancel button from the pdt file? That way you will not make any core file modification.

You can use my free plugin "Clean Orders" to clean the unpaid orders automatically.

  • 0

Hi Naja,

 

Thanks for that - I have removed the button, but even so, if a client were to get creative and manually type the url in using an active account's modify link, they could still do this same thing. The repercussions of it happening are so great and my penchant for automating what I can makes it quite necessary to nip this problem.

 

I will look into your plugin, thanks.
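
The failure discussed in this thread, together with the two mitigations raised in it (a status check enforced in the cancel handler itself, so a hand-typed URL is treated the same as the button, and retiring duplicate pending orders on activation), as an added Python sketch. It is not Blesta's code or any poster's; the class and function names, the in-memory `FakeServer`, and the `domainco` username are constructed for illustration.

```python
from dataclasses import dataclass

PROVISIONED = {"active", "suspended"}  # states in which a remote account exists

@dataclass
class Service:
    id: int
    domain: str
    username: str
    server: str
    status: str = "pending"
    invoice: str = "open"

class FakeServer:
    """Constructed stand-in for the hosting server; accounts keyed by (server, username)."""
    def __init__(self):
        self.accounts = set()

def cancel_unguarded(svc, remote):
    # Behaviour reported in the thread: the delete goes out whatever the status.
    remote.accounts.discard((svc.server, svc.username))
    svc.status = "canceled"

def cancel_guarded(svc, remote):
    # Check made in the handler, not the template, so every request path hits it.
    had_account = svc.status in PROVISIONED
    if had_account:
        remote.accounts.discard((svc.server, svc.username))
    svc.status = "canceled"
    return had_account  # True only if a remote delete was issued

def activate(svc, services, remote):
    # Provision, then retire duplicate pending orders locally (no remote call).
    remote.accounts.add((svc.server, svc.username))
    svc.status, svc.invoice = "active", "paid"
    key = (svc.domain, svc.username, svc.server)
    retired = []
    for other in services:
        same = (other.domain, other.username, other.server) == key
        if other.id != svc.id and other.status == "pending" and same:
            other.status, other.invoice = "canceled", "void"
            retired.append(other.id)
    return retired

def replay(cancel):
    """Replay the thread's steps: two orders for one domain, second paid, first cancelled."""
    remote = FakeServer()
    first = Service(1, "domain.com", "domainco", "srv1")   # constructed sample order
    second = Service(2, "domain.com", "domainco", "srv1")  # same username, as reported
    remote.accounts.add((second.server, second.username))  # payment provisions order 2
    second.status, second.invoice = "active", "paid"
    cancel(first, remote)  # client cancels the stale pending order
    return ("srv1", "domainco") in remote.accounts  # does the live account survive?
```

`replay(cancel_unguarded)` loses the live account, while `replay(cancel_guarded)` keeps it because the pending order never had a remote account to delete.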
