
tbirnseth's Content

There have been 319 items by tbirnseth (Search limited from 22-Oct 20)


#343149 Cannot Log Into Admin Panel Due To Ssl Change- Cs-Cart 4.13

Posted by tbirnseth on 15 October 2021 - 08:59 PM in Security

Try manually clearing the cache by removing var/cache and all its sub-directories from your site using a file manager.  It will be recreated on demand.


Also ensure that you have changed the 'https' entries in config.local.php

#343138 Security Issues

Posted by tbirnseth on 14 October 2021 - 09:21 PM in General Questions




If you have a Multi Vendor Edition and want to use the automatic revenue sharing between the vendors, then in CS Cart (for European users) only Stripe Connect remains?! Which then has the consequence of not being PCI compliant, right?
Best regards



As I briefly looked at the Stripe code, it appears that it is compliant.  I.e. it tokenizes the actual card number so what's stored is an encrypted form of the card that can't be decoded by anyone other than Stripe (trying to put it in simple terms).


This question would best be answered by the cs-cart development team or the helpdesk.

#343096 Replace Item Name To Pruduct Id In Paypal Payment (Cs-Cart 4.13)

Posted by tbirnseth on 12 October 2021 - 09:19 PM in Configuration

It requires changes in the cs-cart paypal addon.  Not sure what your reference is to cpanel.

#343095 Security Issues

Posted by tbirnseth on 12 October 2021 - 09:18 PM in General Questions

You can be PCI compliant using payment methods that either process cards at their site and/or utilize iFrame or other technologies whereby the card data from a payment form is tokenized before it gets transmitted to your site.  Removing card data AFTER a payment is processed does NOT make you PCI compliant.  Capturing things like expiry data and last-4 of card number does NOT jeopardize your compliance but ANY storage (even in memory) on your server of the card data (encrypted or not) makes you non-compliant in cs-cart since there is no reasonable way to decrypt encoded data and re-store it with a new encryption key.  The same encrypt/decrypt functionality is used for all encryption, not just cards.


My suggestion is to only use payment methods that conform to the criteria above (no transfer/storage of card data).


Of course, you can ignore it. But if you get a complaint, it can cost you thousands of dollars to become compliant and to undergo ongoing testing and validation.  Best to simply not handle the cards and thereby not have PCI become an issue.

#343083 Ask Seller A Question

Posted by tbirnseth on 11 October 2021 - 08:43 PM in General Questions

Submit a bug in bugtracker giving details of how to reproduce the problem.  Then wait...

#343082 Replace Item Name To Pruduct Id In Paypal Payment (Cs-Cart 4.13)

Posted by tbirnseth on 11 October 2021 - 08:41 PM in Configuration

It would require a customization to append the product_code to the product description (or to replace it).  Providing an example of what you have and what you want would be helpful.

#343081 Restrict Access To Main Administration Only - Not Vendor Admin

Posted by tbirnseth on 11 October 2021 - 08:39 PM in General Questions

It would require customization of the addon

#343080 Cs Cart Multi-Vendor Experience - 3 Month Review - The Good, The Bad And The...

Posted by tbirnseth on 11 October 2021 - 08:37 PM in Why CS-Cart

Why require shipping address for all orders but not billing address?

Because for the most part it's not needed.  You can add it by adjusting the litecheckout "layout" in design/layouts adding the fields you want.



Why to include non paid orders in the download list?

Assuming you are referring to "export orders".  You should be able to select specific status to download.  All order statuses is the default.



Why include a download button for products on non-paid orders?

Are you referring to EDP orders (electronic goods)?  Or are you referring to something in the admin?  Many merchants do their CC billing "offline" and hence need unpaid orders in a download to drive other applications or to drop-ship orders.  Any merchant worth their salt will not charge a customer until an order ships.  But most here charge at time of order.



Why the notification e-mail send to vendors is the same for users?

You can edit/modify the email that is sent to vendors in the email editor.


I'm surprised that after 2+ years using the product you haven't discovered these options on your own or by reading the documentation.

#343018 Security Issues

Posted by tbirnseth on 07 October 2021 - 09:03 PM in General Questions

Thank you, harmsmitsdev!


To the second question:


- Found that $config['crypt_key'] in config.local.php. What is the name of the safety technology behind this? Is it a certain type of encryption?


- Do you know how it is with "Stripe" as payment processor? Sure, the credit card number is transferred to the Stripe API - but is it also stored in the CS Cart database (even if it's only for seconds, because all status have "Remove CC info" enabled)?


Looking forward to your answer.


It uses Blowfish for encryption.


Using any payment method that does not use iFrames, 3D Secure or redirect to a secure card site for entry of card information is NOT PCI Compliant.  If you ever get a breach or one of your customers complains to Visa (et al) that their card was compromised from being used on your site you are up for a very expensive and long process of redemption.

#342982 Cs Cart Multi-Vendor Experience - 3 Month Review - The Good, The Bad And The...

Posted by tbirnseth on 06 October 2021 - 07:54 PM in Why CS-Cart

They are not being competitive to add-on developers. They just don't want a customer to have to buy 100 add-ons before their store is up and running. It's just not very customer friendly.


Also, a very large portion of the add-ons in this market has serious flaws. AlexBranding has had numerous SQL injection vulnerabilities in their add-ons, and some are just plain out badly programmed (300 database queries for product labels? c'mon). All of this causes bad optics for CsCart, and loads their helpdesk even more. Also, they will have to bill the customer for the support since it's not their add-ons that are breaking, which is just something they do not want.


Also, raising your prices 50% seems like a stretch. Maximum fee is 20% for the marketplace.

Don't think you have the context of what cs-cart was like 10 years ago as it relates to addon developer relationships.


So penalize or address the issues with developers who are providing junk.  I'm sure AlexBranding is still selling products via the Marketplace.


I can't use my banking so everything requires more labor and time to process.  It breaks the systems I've set up to run my business for years without adding any value to me or to my customers.

#342961 Cs Cart Multi-Vendor Experience - 3 Month Review - The Good, The Bad And The...

Posted by tbirnseth on 05 October 2021 - 08:43 PM in Why CS-Cart

I don't think I've ever regretted a choice as much as I do now.


What are your top-5 issues?  Are they theme/UI/UX issues?  Or functionality of the system?

#342960 What Happened To Just Cs-Cart?

Posted by tbirnseth on 05 October 2021 - 08:39 PM in General Questions

Also how current are you when you still show (offer?) CS-Cart basic and ultimate???

CS-Cart                USD 345     Multi-Vendor              USD 1250    Multi-Vendor PLUS           USD 3100 (2775)
CS-Cart Ultimate  USD 775     CS-Cart + YOUPI      USD 545      Multi-Vendor Ultimate       USD 7500 (6000)


Funny, never heard anyone complain that a reseller was selling products at a lower rate than the provider before....  A smart buyer would purchase a few licenses at the lower price while they could if they foresaw the future need for those licenses.

#342915 Storefront-Specific Administrators

Posted by tbirnseth on 04 October 2021 - 09:38 PM in General Questions

I'm a newbie, but isn't it a matter of admin panel => customers/vendors administrators and making sure the user you are adding is assigned to the specific store? I also use admin panel => customers/user groups and assign that to relevant tab when adding the new user.


Maybe it is different with ultimate (as I just have plus).


#342914 Cs Cart Multi-Vendor Experience - 3 Month Review - The Good, The Bad And The...

Posted by tbirnseth on 04 October 2021 - 09:37 PM in Why CS-Cart

Our addons utilize our own license/upgrade server (implemented nearly a decade before CSC came out with a solution).  Licenses are checked regularly and updates (by default) occur automatically.  We don't encode our addons.


When a request is made for a refund, we simply send the customer a checklist for complete removal and destruction and ask them to attest that they have done so.


CSC is encouraging encryption of addons purchased through the marketplace.  They consider it a service to the developers.  We choose not to sell directly through the marketplace. 

1) we'd have to raise our prices about 50% to do so,

2) volume of addon purchases for cs-cart is very low in relation to other platforms.

3) CSC used to see addon developers as partners and didn't replicate functionality in the standard product.  They stopped that several years ago so CSC is actually in competition with addon developers. 


The environment is less than friendly nowadays.

#342911 Learn Me Good, Please!

Posted by tbirnseth on 04 October 2021 - 09:12 PM in Developers' Corner

The api is an interface into the application from an external source.

Hooks are used to extend the functionality of cs-cart and many times that functionality is visible via the api (though not always).

cURL is just one method of connecting between sites.  Suggest you use the HTTP class instead since it will use the appropriate connection method based on your server environment.

#342910 Order Status Date

Posted by tbirnseth on 04 October 2021 - 09:09 PM in General Questions

Status history is part of our EZ Admin Helper addon.  It is optional functionality.  Docs are at https://ez-ms.com/docs/ez_maint.pdf

#342405 How Do You Add A Product To A Cart Through The Api?

Posted by tbirnseth on 14 September 2021 - 06:35 PM in General Questions

I have no idea what the specification of your inventory management system is for their API.

It's a development project specific to your targeted system.

#342404 Give Vendor Selective Permission To View A Document

Posted by tbirnseth on 14 September 2021 - 06:33 PM in Developers' Corner

@tbirnseth thanks for the help so far :-)


Okay. I have managed to do what I wanted. I have one last question though about payouts. Why is the order_id in the vendor_payouts sql table 0? Shouldn't it correspond to an actual order from the orders sql table? I'd like to use that in order to determine if a user has access to the order. The only way I can tell that a payout is linked to an order is by the comment... which is not that good.

Sorry, I have no idea.  All entries in my development DB with order_id == 0 are for payouts.

#342324 Give Vendor Selective Permission To View A Document

Posted by tbirnseth on 09 September 2021 - 04:43 PM in Developers' Corner

Company_id zero is for the merchant.  I.e. non-vendor actions.  All vendors are assigned a company_id.  So when the runtime.company_id is zero, you are running in the context of the store admin. When it's not, you're running in the context of the vendor.


In the frontend, everything is "running" as company_id zero and products have a company_id related to a vendor and that's what determines how orders are split.

#342290 How Do You Add A Product To A Cart Through The Api?

Posted by tbirnseth on 08 September 2021 - 07:09 PM in General Questions

You'll have to do two things:

1 - as you've done, create some form of inventory synchronization that runs at a frequency you want (assuming cs-cart is the slave and your inventory system is the master).

2 - Create a post controller to update your inventory system in real-time when an order is created debiting the products that were sold.  Your inventory system must support increment/decrement versus full amount to be successful.

#342288 Multivendor New Taxing Laws For Marketplace

Posted by tbirnseth on 08 September 2021 - 06:26 PM in General Questions

Then you will have to do custom calculation for the commission to deduct the tax on the commission from the vendor's payout.

You can try to report this as a defect to cs-cart and you can try to find a developer that will do the work for you.  The raw calculation is not difficult, but presenting the detail to the vendor so they can see it is cumbersome.

#342287 Give Vendor Selective Permission To View A Document

Posted by tbirnseth on 08 September 2021 - 06:21 PM in Developers' Corner

Your query for the documents should cover this.  I'd do something like the following in your controller that provides the data to your template:

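// Restrict the query to the current vendor; runtime.company_id is 0 for the store admin
$company_condition = '';
if ($company_id = (int) Registry::get('runtime.company_id')) {
    $company_condition = "AND company_id = $company_id";
}
$sql = "SELECT your select criteria here WHERE 1 $company_condition";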
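
The company_id scoping described in this post and in the 09 September post on runtime.company_id, as an added example that is not tbirnseth's or CS-Cart's own code: it binds the vendor id as a query parameter and adds a per-document ownership check for direct requests. The `documents` table, its columns and both function names are hypothetical, and PDO with in-memory SQLite stands in for the CS-Cart database layer so the script runs on its own.

```php
<?php
// Added example: constructed schema and data; table, column and function names are hypothetical.
declare(strict_types=1);

/**
 * List the documents visible in the current context.
 * $runtimeCompanyId mirrors runtime.company_id: 0 = store admin, >0 = vendor.
 */
function visible_documents(PDO $db, int $runtimeCompanyId): array
{
    $sql = 'SELECT doc_id, company_id, title FROM documents WHERE 1';
    $params = [];
    if ($runtimeCompanyId !== 0) {
        // Vendor context: bind the id instead of interpolating it into the SQL string.
        $sql .= ' AND company_id = :company_id';
        $params[':company_id'] = $runtimeCompanyId;
    }
    $stmt = $db->prepare($sql . ' ORDER BY doc_id');
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Ownership check for a direct request for one document id. */
function can_view_document(PDO $db, int $runtimeCompanyId, int $docId): bool
{
    $stmt = $db->prepare('SELECT company_id FROM documents WHERE doc_id = :id');
    $stmt->execute([':id' => $docId]);
    $owner = $stmt->fetchColumn();
    if ($owner === false) {
        return false; // unknown document: deny
    }
    // The store admin (0) may view anything; a vendor only its own rows.
    return $runtimeCompanyId === 0 || (int) $owner === $runtimeCompanyId;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE documents (doc_id INTEGER PRIMARY KEY, company_id INTEGER, title TEXT)');
$db->exec("INSERT INTO documents VALUES (1, 3, 'Vendor 3 contract'), (2, 5, 'Vendor 5 contract')");

var_dump(count(visible_documents($db, 0))); // store admin context
var_dump(count(visible_documents($db, 3))); // vendor 3 context
var_dump(can_view_document($db, 3, 2));     // vendor 3 requesting vendor 5's document
```

Filtering the list alone does not cover a controller mode that loads a single document by id, which is why the second function checks ownership on the row itself.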

#342158 Give Vendor Selective Permission To View A Document

Posted by tbirnseth on 02 September 2021 - 07:24 PM in Developers' Corner

Are you stating that when a vendor runs your custom 'mode' to show the document, that they see documents from other vendors?

#342157 Stripe Connect For Vendors

Posted by tbirnseth on 02 September 2021 - 07:20 PM in Why CS-Cart

What do you do when you have an order from multiple vendors and only one of them is a Stripe user?

Seems like it would make most sense to only have one credit card payment method and that being Stripe.

#342156 Syncing Stock Levels With Vendors' Shops

Posted by tbirnseth on 02 September 2021 - 07:16 PM in General Questions

It would vary by vendor.  I.e. you'd need to be able to connect to their store and decrement/increment/sync their inventory.  If you have vendors with 10 different platforms for their shops, then you're going to need 10 separate integrations.  Not an easy problem.


The ideal situation (not sure if it exists or not) is a central inventory repository that is the master inventory for stores.  Then each site will have one integration to modify inventory.  There is probably an inventory SAS out there somewhere....