Install
Works with Drupal: 7.xUsing Composer to manage Drupal site dependencies
Downloads
Release notes
Drupal Commerce 1.10 is primarily a bug fix release that addresses the vulnerability described in SA-CONTRIB-2014-087 - Drupal Commerce - Information disclosure and a variety of smaller bugs. The information disclosure fix includes an update hook that cleans usernames created by a default checkout completion rule to remove the host name from e-mail addresses used as usernames.
However, because we want to avoid automatically changing usernames on sites using the default anonymous checkout completion rules, we require the related update hook must be explicitly enabled via a site variable (commerce_checkout_run_update_7103). The security advisory linked above describes two methods of setting that variable either via a change in your site's settings.php file or the direct setting of the variable through drush. If you do not do this, the update hook will not run and the usernames will remain as they are.
Commerce Username Update is a companion module to this release that provides a form in the Commerce configuration menu where administrators can process the username update. It will be expanded to include notification features in a future minor release.
This release also includes new options in the payment method selection checkout pane to show a "free order" message when an order total is $0 and no payment methods are made available for the order. For sites that allow free orders, this requires you to configure your payment method rules to only appear when necessary - i.e. through the use of a condition checking the order total or balance on the payment method rule.
Changes since 7.x-1.9:
- Information disclosure fix by klausi: clean usernames of e-mail address host names when they are created using the mail_username token as with the default anonymous checkout completion rule.
- #1803516 by joelpittet: fix a typo in the cart block view function.
- #1095814 by dpolant: revisit line item order_id setting issues by directly saving line items via commerce_line_item_save() when an order form is submitted instead of using the entity metadata wrapper's save function.
- #2096361 by bendiy: change the product match function from using a db_select() to an EntityFieldQuery with a related query alter.
- #2023491 by roderik: ensure error classes are set on form elements generating errors on checkout forms.
- #2223171 by rszrama: include an option to display a message for free orders when no payment methods are displayed in the checkout form.
- #2251957 by a.milkovsky: fix a typo in an order access argument.
- #2229901 by lsolesen: return the payment transaction created by the Example Payment Method module for use in Commerce Kickstart 2.x.
- #2230179 by bdragon: properly serialize empty data arrays when saving price fields.
- #2217899 by tonylegrone: update the menu items for order and product delete forms to use the delete access control check.
- #2215163 by stevesmename: remove the unnecessary dependency on rules_admin from the Product Pricing module.
- #2217241 by jian he: properly check access for non-administrative users to access the local action on the order form to simulate checkout completion.
- #2216963 by znerol: fix the inconsistent default shopping cart refresh frequency with a new constant.