I followed https://django-paypal.readthedocs.io/en/stable/standard/ipn.html to use PayPal Standard IPN of django-paypal for a Django e-commerce website.
I do not understand how I should use the signal in hooks.py to ensure that attributes such as 'business' and 'amount' are not changed by others. I cannot find any post that gives a good example of it. Most of them just ignore the hooks.py file. Is this file 'hooks.py' necessary for security? If yes, what should I return in hooks.py (for both scenarios: the attributes have been changed and the payment fails; the attributes are not changed and everything is good to go)? Thanks so much.
views.py
from django.core.urlresolvers import reverse
from django.shortcuts import render
from paypal.standard.forms import PayPalPaymentsForm


def view_that_asks_for_money(request):
    # What you want the button to do.
    paypal_dict = {
        "business": "[email protected]",
        "amount": "10000000.00",
        "item_name": "name of the item",
        "invoice": "unique-invoice-id",
        "notify_url": request.build_absolute_uri(reverse('paypal-ipn')),
        "return": request.build_absolute_uri(reverse('your-return-view')),
        "cancel_return": request.build_absolute_uri(reverse('your-cancel-view')),
        "custom": "premium_plan",  # Custom command to correlate to some function later (optional)
    }
    # Create the instance.
    form = PayPalPaymentsForm(initial=paypal_dict)
    context = {"form": form}
    return render(request, "payment.html", context)
yourproject/hooks.py
from paypal.standard.models import ST_PP_COMPLETED
from paypal.standard.ipn.signals import valid_ipn_received


def show_me_the_money(sender, **kwargs):
    ipn_obj = sender
    if ipn_obj.payment_status == ST_PP_COMPLETED:
        # WARNING !
        # Check that the receiver email is the same we previously
        # set on the `business` field. (The user could tamper with
        # those fields on the payment form before it goes to PayPal.)
        if ipn_obj.receiver_email != "[email protected]":
            # Not a valid payment
            return

        # ALSO: for the same reason, you need to check the amount
        # received, `custom` etc. are all what you expect or what
        # is allowed.

        # Undertake some action depending upon `ipn_obj`.
        if ipn_obj.custom == "premium_plan":
            price = ...
        else:
            price = ...

        if ipn_obj.mc_gross == price and ipn_obj.mc_currency == 'USD':
            ...
        else:
            ...


valid_ipn_received.connect(show_me_the_money)
question from:
https://stackoverflow.com/questions/65936900/how-to-use-hooks-py-of-django-paypal-to-check-payment-attributes-sent
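The check the question asks about, as an added example that is not part of the post or of django-paypal: the handler compares every buyer-editable field (receiver email, amount, currency, `custom`) against a server-side order record looked up by `invoice`, and refuses to mark the order paid on any mismatch or on a repeated IPN for an already-paid invoice. The `Ipn` and `Order` dataclasses are constructed stand-ins for `PayPalIPN` and for your own order model, the `orders` argument stands in for a database lookup, and `RECEIVER_EMAIL` is assumed to be your PayPal account address; Django does not act on a signal receiver's return value, so the outcome is expressed by what the handler does (marking the order paid, or logging the reason), not by what it returns.

```python
from dataclasses import dataclass
from decimal import Decimal

ST_PP_COMPLETED = "Completed"          # the constant django-paypal exposes
RECEIVER_EMAIL = "merchant@example.com"  # assumption: your PayPal account email


@dataclass
class Ipn:  # constructed stand-in for paypal.standard.ipn.models.PayPalIPN
    payment_status: str
    receiver_email: str
    mc_gross: str        # a DecimalField on the real model; str here is fine
    mc_currency: str
    invoice: str
    custom: str


@dataclass
class Order:  # constructed stand-in for your own order model
    invoice: str
    plan: str
    price: Decimal
    currency: str
    paid: bool = False


def sample_orders():
    """Constructed sample data: one unpaid order created before the form was shown."""
    return {"inv-1": Order("inv-1", "premium_plan", Decimal("50.00"), "USD")}


def check_ipn(ipn, orders):
    """Return (ok, reason). Every value is compared with server-side data,
    never with another field of the IPN, since the buyer can edit the form."""
    if ipn.payment_status != ST_PP_COMPLETED:
        return False, "payment not completed"
    if ipn.receiver_email != RECEIVER_EMAIL:
        return False, "receiver email mismatch"   # money went to another account
    order = orders.get(ipn.invoice)
    if order is None:
        return False, "unknown invoice"
    if order.paid:
        return False, "invoice already paid"      # duplicate or replayed IPN
    if ipn.custom != order.plan:
        return False, "custom/plan mismatch"
    if Decimal(ipn.mc_gross) != order.price or ipn.mc_currency != order.currency:
        return False, "amount or currency mismatch"
    return True, "ok"


def handle_valid_ipn(sender, orders, **kwargs):
    """Receiver for valid_ipn_received (orders is passed explicitly here for testing)."""
    ok, reason = check_ipn(sender, orders)
    if ok:
        orders[sender.invoice].paid = True       # the 'good to go' branch: fulfil the order
    return ok, reason                            # a real receiver would log the reason
```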