Merx – Plugin to create online shops with Kirby 3


Since the order page is only really needed to confirm a successful order, I could imagine it would be possible to only display its contents to logged-in users after a certain timeout period, or only render it once upon a successful order?

Another idea would be to simply not have the order page contain any valuable information, for example black out name/address and only display something relevant like the status of the order (‘confirmed’, ‘shipped’)…

A confirmation email with full order details should be sent anyway, I believe. One could generate some random hash for every completed order, and have the confirmation mail include a link to the order page with the parameter attached, without which the page won’t display…?
ex. https://yoursite.com/orders/ucvrarofkwltkjhv?5581672209 -> page renders normally
ex. https://yoursite.com/orders/ucvrarofkwltkjhv -> redirects to homepage

Maybe a combination does the trick: display the order page once after a completed order, afterwards only to logged-in users, except if the hash string matches.

If you want to go even further, I guess using a secure enough string, one could provide the option to change order details, i.e. if a customer made a typo in their address or something, without needing to log in – but I’m far from a security expert so I will not be taking any chances with this! :smiley:

edit:
Thanks for bringing this point up. I’ve implemented this in a very basic way and it seems to be working:

// config.php
<?php

// Sends the confirmation mail containing the only link that opens the order page
function sendConfirmationMail($orderPage, $urlWithHash) {
  kirby()->email([
    'from' => 'test@your.site',
    'to' => (string)$orderPage->email(),
    'subject' => 'Thanks for your order!',
    'body'=> 'Dear ' . $orderPage->name() . ', you paid ' . formatPrice($orderPage->cart()->getSum()) . '. Order summary: ' . $urlWithHash,
  ]);
}

return [
  'hooks' => [
    'ww.merx.completePayment:after' => function ($orderPage) {
      // random secret that gates access to the order page
      $hash = bin2hex(random_bytes(16));
      // Kirby params render as /orders/<id>/q:<hash>, which param('q') reads back in the template
      $urlWithHash = url($orderPage->url(), ['params' => ['q' => $hash]]);
      $orderPage->update([
        'hash' => $hash,
      ]);
      sendConfirmationMail($orderPage, $urlWithHash);
      go($urlWithHash);
    },
  ],
  'email' => $your_email_settings, // your mail transport settings go here
];
// templates/order.php
<?php
// logged-in users always see the page; everyone else needs the hash from the mail link
if (!kirby()->user()) {
    $hashparam = param('q');
    if ($hashparam !== $page->hash()->toString()) {
        sleep(1); // increased safety measure idk if it's necessary
        go('/');
    }
}
?>

<!-- order page -->

edit2: updated the snippets above to properly redirect the customer to the order page after their purchase
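The token-in-the-link idea from the post, carried a little further as an added example (not code from the post, from Merx or from Kirby): the page stores only a SHA-256 hash of the token rather than the token itself, so a leaked content file does not yield working links; the comparison is constant-time; and the link expires after the "timeout period" the post mentions. It is written as plain PHP with an array standing in for the order page, so it runs without Kirby; the names ORDER_TOKEN_TTL, issueOrderToken(), verifyOrderToken() and buildOrderUrl() are assumptions for this demo, and the `/q:<token>` path shape mirrors what Kirby's param('q') reads.

```php
<?php
// Added example, not from the forum post or the Merx plugin.
// Assumed names: ORDER_TOKEN_TTL, issueOrderToken, verifyOrderToken, buildOrderUrl.

const ORDER_TOKEN_TTL = 7 * 24 * 60 * 60; // assumed validity window: 7 days

// In Kirby the record would be persisted with $orderPage->update([...]);
// here it is a plain array passed by reference.
function issueOrderToken(array &$orderRecord, int $now): string
{
    $token = bin2hex(random_bytes(16));                  // 128 bits of randomness
    $orderRecord['tokenHash']     = hash('sha256', $token); // only the hash is stored
    $orderRecord['tokenIssuedAt'] = $now;
    return $token;                                        // goes into the mail link only
}

function verifyOrderToken(array $orderRecord, ?string $presented, int $now): bool
{
    if ($presented === null || $presented === '') {
        return false;                                     // no token in the URL
    }
    if (empty($orderRecord['tokenHash'])) {
        return false;                                     // order never issued a token
    }
    if ($now - (int)$orderRecord['tokenIssuedAt'] > ORDER_TOKEN_TTL) {
        return false;                                     // link has expired
    }
    // Constant-time comparison: does not leak how many leading characters matched.
    return hash_equals($orderRecord['tokenHash'], hash('sha256', $presented));
}

function buildOrderUrl(string $orderUrl, string $token): string
{
    // Kirby-style path parameter, e.g. https://yoursite.com/orders/<id>/q:<token>
    return rtrim($orderUrl, '/') . '/q:' . rawurlencode($token);
}

// Demo with a constructed order record (values are made up for the example)
function runDemo(): bool
{
    $order = ['id' => 'ucvrarofkwltkjhv', 'email' => 'customer@example.com'];
    $now   = time();
    $token = issueOrderToken($order, $now);

    echo buildOrderUrl('https://yoursite.com/orders/' . $order['id'], $token), PHP_EOL;

    $checks = [
        verifyOrderToken($order, $token, $now) === true,                         // valid link
        verifyOrderToken($order, 'wrong-token', $now) === false,                 // tampered link
        verifyOrderToken($order, null, $now) === false,                          // link without token
        verifyOrderToken($order, $token, $now + ORDER_TOKEN_TTL + 1) === false,  // expired link
    ];
    return !in_array(false, $checks, true);
}

echo runDemo() ? "all checks passed\n" : "a check failed\n";
```

In a Kirby template the equivalent of verifyOrderToken() would read param('q') and the stored hash field, and fall back to the logged-in check exactly as in the post's order.php; the stored token hash is useless on its own, which is the point of hashing it.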
