Have upgraded to 4.3.9 (from 3.0.5) - a driving force in the decision was the API and all the possibilities this opened up...
So have been starting to evolve some automated processing for "back office" use via the API. I was shocked to find the following in the order data output. OK, so I would ONLY ever call the API over HTTPS, BUT for those who don't know or understand the impact, this is a major issue IMHO.
Coupled with the fact that passwords ARE STILL being sent via the new user sign-up email confirmation, this is a security minefield - once again, IMHO!
Please, if anyone can advise in which template or script I can defeat this output being included in the API output, it would be greatly appreciated! If no response here I will be digging anyway to find it myself.
[payment_method] => Array
(
    [payment_id] => 18
    [company_id] => 1
    [usergroup_ids] => 0
    [position] => 0
    [status] => A
    [template] => views/orders/components/payments/cc_outside.tpl
    [processor_id] => 1000
    [a_surcharge] => 0.000
    [p_surcharge] => 0.000
    [tax_ids] => Array
    (
    )
    [localization] =>
    [payment_category] => tab2
    [processor_params] => Array
    (
        [merchant_id] => [REDACTED!]
        [access_code] => [REDACTED!]
        [password] => [REDACTED!]
        [transaction_type] => SALE
        [currency] => 826
        [cv2_mandatory] => [REDACTED!]
        [country_mandatory] => [REDACTED!]
        [state_mandatory] => [REDACTED!]
        [city_mandatory] => [REDACTED!]
        [address_mandatory] => [REDACTED!]
        [postcode_mandatory] => [REDACTED!]
    )
    [payment] => [REDACTED!]
    [description] => Secured By [REDACTED!]
    [instructions] =>
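A stopgap for back-office scripts that consume this order data: strip the gateway credentials from the decoded response before it is logged, cached or passed on, and record where they were found. This is an added example, not part of the original post and not code from the cart software; the function name `redact_order`, the key list (taken from the dump above) and the sample order with its fake values are assumptions.

```php
<?php
// Added example: client-side redaction of payment gateway settings.
// Key names come from the dump in the post; extend the list as needed.
const SENSITIVE_KEYS = ['processor_params', 'password', 'access_code', 'merchant_id'];

/**
 * Recursively remove sensitive keys from a decoded order array.
 * Returns the cleaned array; $found collects the path of every removal.
 */
function redact_order(array $data, array &$found = [], string $path = ''): array
{
    foreach ($data as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '.' . $key;
        if (in_array((string) $key, SENSITIVE_KEYS, true)) {
            // Only report keys that actually carried a value.
            if ($value !== '' && $value !== null && $value !== []) {
                $found[] = $here;
            }
            unset($data[$key]);
        } elseif (is_array($value)) {
            $data[$key] = redact_order($value, $found, $here);
        }
    }
    return $data;
}

// Constructed sample shaped like the order data in the post (values are fake).
$order = [
    'order_id' => 101,
    'payment_method' => [
        'payment_id' => 18,
        'processor_id' => 1000,
        'processor_params' => [
            'merchant_id' => 'EXAMPLE-MERCHANT',
            'access_code' => 'EXAMPLE-CODE',
            'password' => 'EXAMPLE-PASSWORD',
            'transaction_type' => 'SALE',
        ],
        'description' => 'Secured By Example',
    ],
];

$found = [];
$clean = redact_order($order, $found);
print_r($clean);                                   // no processor_params left
echo 'Redacted: ' . implode(', ', $found) . PHP_EOL;
```

A non-empty `$found` list also works as a regression check: run it against a live order response after each upgrade to see whether the API still returns the gateway settings.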