The quantities in stock are not verified in case of payment with PayPal or similar gateway

[Codencode]

Prerequisites

• I understand and accept the project's code of conduct.
• I have already searched in existing issues and found no previous report of this bug.

Describe the bug and add attachments

As the remaining quantity in stock is not checked when paying with PayPal or other forms that require a gateway payment, it is possible to complete the order and pay for an out-of-stock product even if this is not permitted.

I attach a video of the problem
01 - screen-capture.webm
02 - screen-capture.webm

This issue is related to this other one (#10762) which was resolved with this PR: #26048

But the problem remains in case of external payment.

Do you think we could somehow "limit" this problem?
If so, can you do it directly from Prestashop, or should the check be performed from the specific payment module?

Thank you.

Expected behavior

Payment should not be allowed

Steps to reproduce

1. Set a product quantity to 2 in the BO
2. Add this product to cart, 2 units
3. Go to the last step of the checkout (payment), just before you click "Confirm with an obligation to pay"
4. Now, change quantity of the product to 1 in back-office
5. Click "Confirm with an obligation to pay" on last step of the checkout (payment), però selezionando il pagamento con PayPal
6. You are now able to pay while you shouldn't

PrestaShop version(s) where the bug happened

8

PHP version(s) where the bug happened

No response

If your bug is related to a module, specify its name and its version

No response

Your company or customer's name goes here (if applicable).

Codencode

[florine2623]

Hello @Codencode ,

I can't reproduce your issue with a native payment module.

Screen.Recording.2024-04-22.at.11.21.38.mov

You should contact the develop of the module directly.
Or maybe there's another way to reproduce this issue with a native module ?

Waiting for your feedback.

[Codencode]

Hi @florine2623
the problem does not occur with native modules.
With the ps_checkout module the payment takes place (the user's money is deducted on PayPal) but it does not create the order as the item is not available.

Thank you.

[florine2623]

Thanks for your report @Codencode ,

Could you send the request directly to the support section : https://help-center.prestashop.com/contact ?

[Codencode]

Hi @florine2623 the problem does not occur with native modules. With the ps_checkout module the payment takes place (the user's money is deducted on PayPal) but it does not create the order as the item is not available.

Thank you.

I correct myself,
regarding the ps_checkout module, the system does not create the order and does not deduct the user's money.

[Codencode]

Could you send the request directly to the support section

I created an ISSUE on the PayPal module repository: 202ecommerce/paypal#325

[clotairer]

I understand the issue with a Paypal module payment, but, that not the role of a payment gateway to manage the availability of the stocks but to the core. Only the core of PrestaShop sould manage if it's OK to create an order or not in this condition during the "validateOrder" action of the PaymentModule class.

Nevertheless, all payment gateways (I don't speak about PayPal only) cannot manage a refund after valid payment if the order failed for any reason. I suppose, it kindly helpfull to create an order without enough stock instead of an orphelin payment without order on PrestaShop ? Perhaps that's the reason why the core doesn't stop teh order creation. Not sure of that.

At least, there always was a timelaps between the user payment on the "bank portal" and its return on the shop. But, in a regular way, an order is created with a "reserved stock" different of the "physical stock". If you deduce a stock manually in the backoffice you deduce directly from the physical stock you increase the probability of this issue.

[Codencode]

I understand the issue with a Paypal module payment, but, that not the role of a payment gateway to manage the availability of the stocks but to the core. Only the core of PrestaShop sould manage if it's OK to create an order or not in this condition during the "validateOrder" action of the PaymentModule class.

Nevertheless, all payment gateways (I don't speak about PayPal only) cannot manage a refund after valid payment if the order failed for any reason. I suppose, it kindly helpfull to create an order without enough stock instead of an orphelin payment without order on PrestaShop ? Perhaps that's the reason why the core doesn't stop teh order creation. Not sure of that.

At least, there always was a timelaps between the user payment on the "bank portal" and its return on the shop. But, in a regular way, an order is created with a "reserved stock" different of the "physical stock". If you deduce a stock manually in the backoffice you deduce directly from the physical stock you increase the probability of this issue.

Hi @clotairer,
the problem is that checking ValidateOrder would be useless as the payment has already been made.
Basically Prestashop, from version 8, when you click on the order confirmation button, checks the quantity of products in the cart, it does so by executing an ajax call to the endpoint stored in the "window.prestashop.urls.pages.order" variable and passing as parameter "action" => "checkCartStillOrderable", here is the code I am referring to:

PrestaShop/themes/_core/js/checkout-payment.js

Line 173 in 2937cae

const resp = await $.post(window.prestashop.urls.pages.order, {

The PayPal module should do the same thing as the ps_checkout module which checks the quantities before confirming the payment. Here is the module code I am referring to:
https://github.com/PrestaShopCorp/ps_checkout/blob/6bba634f4ccdd5d0a01f2879f3073f963f9040e8/controllers/front/validate.php#L52

This method, in case of invalid quantities, raises an exception that prints an error in the cart,
https://github.com/PrestaShopCorp/ps_checkout/blob/6bba634f4ccdd5d0a01f2879f3073f963f9040e8/controllers/front/validate.php#L312C1-L315C27