Commerce Paymill

There is something on commerce_paymill.module in line 276:

drupal_goto('admin/commerce/config/payment-methods/manage/commerce_payment_commerce_paymill/edit/3');

Why 3? It looks like it's specific value in most drupal installation (since it's OK initially), but not for general purpose... What if anyone accidentally deletes that action and later recreates it? It won't be 3.

"Configure" link for this module in Module list page (admin/modules) sends to a wrong page when Payment UI or Commerce UI are not enabled. Please, show a warning message in that case telling the user that for configuring options, Payment UI and Commerce UI are required to be enabled. Right now I can't remember if Rules UI is also required for configuring, please, check it also.

manual review:

1. You have a submodule that has a completely different name, which is bad practice. Usually all modules in one project should have the same prefix to avoid name collisions. You could move paymill_api to its own sandbox? But I think that additional module is really not necessary, just move your library hooks to the main module.
2. commerce_paymill.js: use Drupal.behaviors instead of jQuery(document).ready(). See http://drupal.org/node/304258 and http://drupal.org/node/756722
3. "define('PAYMILL_BRIDGE', 'https://bridge.paymill.com/');": all constants need to be prefixed with your module's name to avoid name clashes.
4. "global $_commerce_paymill_settings;": why do you need a global variable? Please add a comment. Better use $form_state?
5. "form_set_error('', $transaction['Error']);": has the error message been sanitized before? Text from third parties is untrusted user provided input, so we need to protect against XSS exploits. Could you either use check_plain() or add a comment where in the paymill API sanitization is done?
6. commerce_paymill_loadjs(): this is vulnerable to XSS exploits. If I enter 5'; alert('XSS'); var x = '5 as public test key I get a nasty javascript popup on the checkout page. You need to sanitize user provided text before printing. And this case you should use Drupal.settings to pass down PHP variables to javascript, which will automatically escape malicious text.

Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.

manual review:
commerce_paymill_transaction(): @return doc is missing, see http://drupal.org/node/1354#functions

But otherwise looks RTBC to me now! Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.

The Git commits are not connected to your user account. You need to specify an email address. See http://drupal.org/node/1022156 and http://drupal.org/node/1051722

But otherwise there were no objections for more than a week, so ...

Thanks for your contribution, gazoakley!

I updated your account to let you promote this to a full project and also create new projects as either a sandbox or a "full" project.

Here are some recommended readings to help with excellent maintainership:

• Dries' post on Responsible maintainers
• Best practices for creating and maintaining projects
• Maintaining a drupal.org project with Git
• Commit messages - providing history and credit
• Release naming conventions.
• Helping maintainers in the issue queues

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and get involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Thanks to the dedicated reviewer(s) as well.