From c80a86825f2ad37f0229074e50b590dba293fbcf Mon Sep 17 00:00:00 2001
From: paulcc <paulcc.two@gmail.com>
Date: Tue, 11 Aug 2009 14:07:16 +0100
Subject: [PATCH] use locally-loaded order to ensure proper session clearance

---
 lib/spree/paypal_express.rb | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/lib/spree/paypal_express.rb b/lib/spree/paypal_express.rb
index 0643bcc..34fd29b 100644
--- a/lib/spree/paypal_express.rb
+++ b/lib/spree/paypal_express.rb
@@ -118,7 +118,9 @@ module Spree::PaypalExpress
   end
 
   def paypal_finish
-    opts = { :token => params[:token], :payer_id => params[:PayerID] }.merge all_opts(@order)
+    order = Order.find_by_number(params[:id])
+
+    opts = { :token => params[:token], :payer_id => params[:PayerID] }.merge all_opts(order)
     gateway = paypal_gateway
     info = gateway.details_for params[:token]
     response = gateway.authorize(opts[:money], opts)
@@ -126,7 +128,6 @@ module Spree::PaypalExpress
     gateway_error(response) unless response.success?
 
     # now save info
-    order = Order.find_by_number(params[:id])
     order.checkout.email = info.email
     order.checkout.special_instructions = info.params["note"]
 
@@ -172,9 +173,9 @@ module Spree::PaypalExpress
 
     flash[:notice] = t('order_processed_successfully')
     order_params = {:checkout_complete => true}
-    order_params[:order_token] = @order.token unless @order.user
-    session[:order_id] = nil if @order.checkout.completed_at
-    redirect_to order_url(@order, order_params) 
+    order_params[:order_token] = order.token unless order.user
+    session[:order_id] = nil if order.checkout.completed_at
+    redirect_to order_url(order, order_params) 
   end 
 
   def do_capture(authorization)