[FIX] payment_paypal: receiver email different than business email

Check receiver_email only if receiver_id was not checked. In Paypal, this is possible to configure as receiver_email a different email than the business email (the login email) In Odoo, there is only one field for the Paypal email: the business email. This isn't possible to set a receiver_email different than the business email. Therefore, if you want such a configuration in your Paypal, you are then obliged to fill the Merchant ID in the Paypal payment acquirer in Odoo, so the check is performed on this variable instead of the receiver_email. At least one of the two checks must be done, to avoid fraudsters. opw-648776
2015-09-09 13:31:00 +02:00 · 2015-09-09 13:31:00 +02:00 · 097fbd3941
parent 4626240d5d
commit 097fbd3941
1 changed files with 9 additions and 2 deletions
--- a/addons/payment_paypal/models/paypal.py
+++ b/addons/payment_paypal/models/paypal.py
@ -227,10 +227,17 @@ class TxPaypal(osv.Model):
        if tx.partner_reference and data.get('payer_id') != tx.partner_reference:
            invalid_parameters.append(('payer_id', data.get('payer_id'), tx.partner_reference))
        # check seller
-        if data.get('receiver_email') != tx.acquirer_id.paypal_email_account:
-            invalid_parameters.append(('receiver_email', data.get('receiver_email'), tx.acquirer_id.paypal_email_account))
        if data.get('receiver_id') and tx.acquirer_id.paypal_seller_account and data['receiver_id'] != tx.acquirer_id.paypal_seller_account:
            invalid_parameters.append(('receiver_id', data.get('receiver_id'), tx.acquirer_id.paypal_seller_account))
+        if not data.get('receiver_id') or not tx.acquirer_id.paypal_seller_account:
+            # Check receiver_email only if receiver_id was not checked.
+            # In Paypal, this is possible to configure as receiver_email a different email than the business email (the login email)
+            # In Odoo, there is only one field for the Paypal email: the business email. This isn't possible to set a receiver_email
+            # different than the business email. Therefore, if you want such a configuration in your Paypal, you are then obliged to fill
+            # the Merchant ID in the Paypal payment acquirer in Odoo, so the check is performed on this variable instead of the receiver_email.
+            # At least one of the two checks must be done, to avoid fraudsters.
+            if data.get('receiver_email') != tx.acquirer_id.paypal_email_account:
+                invalid_parameters.append(('receiver_email', data.get('receiver_email'), tx.acquirer_id.paypal_email_account))

        return invalid_parameters