From 097fbd394118d4093e9c4aa58f5f8e541358c2c3 Mon Sep 17 00:00:00 2001
From: Denis Ledoux
Date: Wed, 9 Sep 2015 13:31:00 +0200
Subject: [PATCH] [FIX] payment_paypal: receiver email different than business email
Check receiver_email only if receiver_id was not checked. In Paypal, this is possible to configure as receiver_email a different email than the business email (the login email) In Odoo, there is only one field for the Paypal email: the business email. This isn't possible to set a receiver_email different than the business email. Therefore, if you want such a configuration in your Paypal, you are then obliged to fill the Merchant ID in the Paypal payment acquirer in Odoo, so the check is performed on this variable instead of the receiver_email. At least one of the two checks must be done, to avoid fraudsters. opw-648776
---
 addons/payment_paypal/models/paypal.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/addons/payment_paypal/models/paypal.py b/addons/payment_paypal/models/paypal.py
index 2bdaead2c5d..52c3ec768d4 100644
--- a/addons/payment_paypal/models/paypal.py
+++ b/addons/payment_paypal/models/paypal.py
@@ -227,10 +227,17 @@ class TxPaypal(osv.Model):
 if tx.partner_reference and data.get('payer_id') != tx.partner_reference:
 invalid_parameters.append(('payer_id', data.get('payer_id'), tx.partner_reference))
 # check seller
- if data.get('receiver_email') != tx.acquirer_id.paypal_email_account:
- invalid_parameters.append(('receiver_email', data.get('receiver_email'), tx.acquirer_id.paypal_email_account))
 if data.get('receiver_id') and tx.acquirer_id.paypal_seller_account and data['receiver_id'] != tx.acquirer_id.paypal_seller_account:
 invalid_parameters.append(('receiver_id', data.get('receiver_id'), tx.acquirer_id.paypal_seller_account))
+ if not data.get('receiver_id') or not tx.acquirer_id.paypal_seller_account:
+ # Check receiver_email only if receiver_id was not checked.
+ # In Paypal, this is possible to configure as receiver_email a different email than the business email (the login email)
+ # In Odoo, there is only one field for the Paypal email: the business email. This isn't possible to set a receiver_email
+ # different than the business email. Therefore, if you want such a configuration in your Paypal, you are then obliged to fill
+ # the Merchant ID in the Paypal payment acquirer in Odoo, so the check is performed on this variable instead of the receiver_email.
+ # At least one of the two checks must be done, to avoid fraudsters.
+ if data.get('receiver_email') != tx.acquirer_id.paypal_email_account:
+ invalid_parameters.append(('receiver_email', data.get('receiver_email'), tx.acquirer_id.paypal_email_account))
 return invalid_parameters
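Review bot: The guarantee that a seller check always runs depends on the added `if not data.get('receiver_id') or not tx.acquirer_id.paypal_seller_account:` staying the exact negation of the first two conditions of the `receiver_id` test just above it; nothing in the code links the two, so a later edit to either line can leave a notification with neither `receiver_id` nor `receiver_email` verified. Writing the pair as one `if`/`elif`, as below, makes "exactly one of the two checks" structural without changing behaviour. Which check runs also depends on whether the incoming data carries `receiver_id`, so with a Merchant ID configured a notification lacking that field is still judged on `receiver_email` alone; that looks intended but deserves a line in the comment, and the diffstat shows no test for the three cases (Merchant ID set and matching, Merchant ID unset, Merchant ID set but `receiver_id` absent). The enclosing method starts before the hunk.

```python
        # check seller
        # … unchanged: comment explaining why receiver_email is only the fallback …
        seller_account = tx.acquirer_id.paypal_seller_account
        if data.get('receiver_id') and seller_account:
            if data['receiver_id'] != seller_account:
                invalid_parameters.append(('receiver_id', data.get('receiver_id'), seller_account))
        elif data.get('receiver_email') != tx.acquirer_id.paypal_email_account:
            invalid_parameters.append(('receiver_email', data.get('receiver_email'), tx.acquirer_id.paypal_email_account))
```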