Install

Works with Drupal: 7.x

Using Composer to manage Drupal site dependencies

Downloads

Download tar.gz 372.69 KB
MD5: aad5b6bbdf089c6f3550b3f04fd8ca1e
SHA-1: 19ca56a1fd3821b9a8aa76ea8bcfd07ddab2e9e7
SHA-256: 50b2eedf9468d2baed5feb513114e6b1ddd3fdec1f7321fef22c3ad99bd93333
Download zip 506.3 KB
MD5: 68f9f348fde52c7a62195ae8f88ed245
SHA-1: 0a12c5223d81006a50e0f9ebf75581e55f8a184a
SHA-256: 4c63e2d8fe28d33508d17da734661e0cf2e55ff08843cdbcb626de78744ef0e3

Release notes

Drupal Commerce 1.10 is primarily a bug fix release that addresses the vulnerability described in SA-CONTRIB-2014-087 - Drupal Commerce - Information disclosure and a variety of smaller bugs. The information disclosure fix includes an update hook that cleans usernames created by a default checkout completion rule to remove the host name from e-mail addresses used as usernames.

However, because we want to avoid automatically changing usernames on sites using the default anonymous checkout completion rules, we require that the related update hook be explicitly enabled via a site variable (commerce_checkout_run_update_7103). The security advisory linked above describes two methods of setting that variable: either via a change in your site's settings.php file or by setting the variable directly through drush. If you do not do this, the update hook will not run and the usernames will remain as they are.
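
A dry-run preview of the kind of cleanup described above, for reviewing which accounts would be renamed before setting commerce_checkout_run_update_7103. This is an added example, not code from Drupal Commerce: the function name preview_username_cleanup(), the sample rows and the numeric-suffix collision handling are assumptions, and the real update hook may resolve collisions differently.

```php
<?php
// Added example, not Drupal Commerce code. Works on constructed rows shaped
// like Drupal 7's {users} table (uid, name, mail); it does not touch a database.

/**
 * Returns uid => proposed name for accounts whose username is an e-mail address.
 *
 * Assumption: a cleaned name that is already in use gets a numeric suffix.
 */
function preview_username_cleanup(array $users) {
  // Index every name currently in use, compared case-insensitively here.
  $taken = array();
  foreach ($users as $u) {
    $taken[strtolower($u['name'])] = TRUE;
  }

  $proposed = array();
  foreach ($users as $u) {
    // Leave ordinary usernames alone; only e-mail-shaped names are cleaned.
    if (filter_var($u['name'], FILTER_VALIDATE_EMAIL) === FALSE) {
      continue;
    }
    // Keep the local part and drop "@host", which is what leaks the address.
    $base = substr($u['name'], 0, strrpos($u['name'], '@'));
    $candidate = $base;
    for ($i = 1; isset($taken[strtolower($candidate)]); $i++) {
      $candidate = $base . '_' . $i;
    }
    $taken[strtolower($candidate)] = TRUE;
    $proposed[$u['uid']] = $candidate;
  }
  return $proposed;
}

// Constructed sample rows: one normal account, three created at checkout.
$users = array(
  2 => array('uid' => 2, 'name' => 'alice', 'mail' => 'alice@example.com'),
  3 => array('uid' => 3, 'name' => 'alice@example.org', 'mail' => 'alice@example.org'),
  4 => array('uid' => 4, 'name' => 'bob@example.com', 'mail' => 'bob@example.com'),
  5 => array('uid' => 5, 'name' => 'bob@example.net', 'mail' => 'bob@example.net'),
);

foreach (preview_username_cleanup($users) as $uid => $name) {
  printf("uid %d: %s -> %s\n", $uid, $users[$uid]['name'], $name);
}
```

The colliding cases (an existing "alice", two different "bob@" addresses) are the ones to check by hand, since customers whose username changes need to be told what to log in with.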

Commerce Username Update is a companion module to this release that provides a form in the Commerce configuration menu where administrators can process the username update. It will be expanded to include notification features in a future minor release.

This release also includes new options in the payment method selection checkout pane to show a "free order" message when an order total is $0 and no payment methods are made available for the order. For sites that allow free orders, this requires you to configure your payment method rules to only appear when necessary - i.e. through the use of a condition checking the order total or balance on the payment method rule.

Changes since 7.x-1.9:

  • Information disclosure fix by klausi: clean usernames of e-mail address host names when they are created using the mail_username token as with the default anonymous checkout completion rule.
  • #1803516 by joelpittet: fix a typo in the cart block view function.
  • #1095814 by dpolant: revisit line item order_id setting issues by directly saving line items via commerce_line_item_save() when an order form is submitted instead of using the entity metadata wrapper's save function.
  • #2096361 by bendiy: change the product match function from using a db_select() to an EntityFieldQuery with a related query alter.
  • #2023491 by roderik: ensure error classes are set on form elements generating errors on checkout forms.
  • #2223171 by rszrama: include an option to display a message for free orders when no payment methods are displayed in the checkout form.
  • #2251957 by a.milkovsky: fix a typo in an order access argument.
  • #2229901 by lsolesen: return the payment transaction created by the Example Payment Method module for use in Commerce Kickstart 2.x.
  • #2230179 by bdragon: properly serialize empty data arrays when saving price fields.
  • #2217899 by tonylegrone: update the menu items for order and product delete forms to use the delete access control check.
  • #2215163 by stevesmename: remove the unnecessary dependency on rules_admin from the Product Pricing module.
  • #2217241 by jian he: properly check access for non-administrative users to access the local action on the order form to simulate checkout completion.
  • #2216963 by znerol: fix the inconsistent default shopping cart refresh frequency with a new constant.
Created by: rszrama
Created on: 10 Sep 2014 at 16:29 UTC
Last updated: 2 Aug 2018 at 04:56 UTC
Security update
Bug fixes
New features
Insecure
Unsupported
