Callum MacGregor Posted November 30, 2023 Posted November 30, 2023 Hello I think commerce fraud rules are broken. I had a transaction that came back with a 99% risk score from maxmind, but was approved anyway, despite the second rule in my anti-fraud rule set being to refuse any transaction with a score greater than 55%.
Marc Posted November 30, 2023 Posted November 30, 2023 Is that user a reseller? I ask as they are processed in order. If they are, it will be approved
Callum MacGregor Posted November 30, 2023 Author Posted November 30, 2023 No, the user is not a reseller.
Marc Posted November 30, 2023 Posted November 30, 2023 Please provide information on the user there so we can take a look for you. Just the user ID will do
Solution Callum MacGregor Posted November 30, 2023 Author Solution Posted November 30, 2023 (edited) User ID: 105995 The user is banned now, for obvious reasons, but wasn't at the time. EDIT: I actually think I might know why. Maybe Maxmind changed their API results format, because in the code within Rule.php, the expected syntax is 'riskScore'. But in the maxmind API response, its 'risk_score'. Rule.php: /* Score */ if ( $this->maxmind ) { if ( !$this->_checkCondition( $maxMind->riskScore !== NULL ? $maxMind->riskScore : round( $maxMind->score * 10 ), $this->maxmind, $this->maxmind_unit ) ) { return FALSE; } } Maxmind API response for this particular transaction (redacted): risk_score : 99 Edited November 30, 2023 by Callum MacGregor SeNioR- 1
Marc Posted November 30, 2023 Posted November 30, 2023 I have reported this as a bug, as you do appear to be on a later version than when the updates were done for their API. However please do ensure you update to the latest release when you can, to ensure you have the latest bug fixes
Callum MacGregor Posted November 30, 2023 Author Posted November 30, 2023 Thanks for reporting it as a bug. I'll await the fix as it does appear to still be an issue even in the latest update. Marc 1
Callum MacGregor Posted October 1 Author Posted October 1 (edited) So its nearly a full year since I reported this and it still hasn't been fixed @Marc. V5 hasn't even been released yet and V4 has already been forgotten about? Edited October 1 by Callum MacGregor Afrodude and SeNioR- 2
Marc Posted October 1 Posted October 1 I can chase this up, however 1 hour ago, Callum MacGregor said: V5 hasn't even been released yet and V4 has already been forgotten about? It would be worth looking at just how many bugs have been fixed within that year you mention. While I completely understand you chasing the bug in question given the length of time, I feel that saying we have forgotten about v4 in that time is a little unfair. Since the date this bug was added, there has been 4.7.15, 4.7.16, 4.7.17, 4.7.18, and we are currently working on 4.7.19. For context, you have looked at one bug here and decided 4 has been dismissed, but discounted all of this (and this is in addition to 15 alphas!): Quote Core Added the embed.php controller to the robots.txt file and added a noindex tag so that search engines don't index the content. Added the referring URL to the content of the Contact Form. Changed PHP recommendation to 8.1. Changed MySQL recommendation to 8.0.13. Improved the contact us form UX for guests. Improved the queued comments count handling. Improved the description for the similar content widget to highlight the different flow when ES is used. Improved the thumbImage template to add an alt tag and optimize lazy loading. Fixed a design issue on the error page. Fixed an issue in the DELETE /core/members/{id}/secgroup/{groupId} REST endpoint, where members could lose a secondary member group. Fixed an issue where calling the GraphQL API without a query would throw an EX0 exception. Fixed an issue with the x hashtag not being set. Fixed an issue where members with a false validation flag would be unable to login. Fixed an issue with reliability of logging early in the boot process. Fixed an issue with invalid page URL parameters. Fixed an issue where profile fields weren't shown on content submissions. Fixed a typo in siteSocialLinks template. Fixed an issue on the registration form, where one could submit any coppaa/birthday combination. Fixed an issue where tags were not showing in alphabetical order (when enabled) for search results. Fixed an issue where the webhook payload from Status Posts wasn't properly formatted. Fixed Member List Exports not properly formatting Yes / No and Checkbox profile fields. Fixed an issue where disabled login handlers would still be accessible in the UCP. Fixed an issue where the member webhook payload contained a false value for the allowAdminEmails key. Fixed an issue parsing <video> elements with multiple <source> elements when lazy-load is enabled. Fixed an issue inthe follower template where we didn't cast the page as integer. Fixed an issue where giving cookie consent to the IPS cookies would result in an empty page. Fixed an issue where web app icons may be cached by a CDN and show older versions. Fixed a regression when copy & pasting files in an editor by reverting a previous fix. Deleting a webhook will now also delete the data from core_api_webhook_fires. Removed the deprecated twitter_hashtag` setting. Removed the profile blocking from the default robots.txt file. Fixed an issue where Status Feeds don't update after saving statuses and replies. Blogs Fixed an IN_DEV issue where the Blog Edit form would result in an error. Fixed protocol relative URL's showing in Blog RSS Feeds. Fixed an issue where the "Content Approval Hint" wasn't shown while creating blog entries. Courses Fixed an issue on the courses quiz form, where images wouldn't be shown. Events Fixed protocol relative URL's showing in Blog RSS Feeds. Downloads Fixed protocol relative URL's showing in Blog RSS Feeds. Fixed an issue with the downloads/files/{id}/history endpoint where the update time wouldn't be changed. Fixed an issue where the search custom fields form showed a search related field. Fixed an issue where the file screenshots were not sorted correctly. Forums Improved the efficiency of the "Time to solved" chart. Improved the JSON-LD for Question Topics to show replies as suggested answers. Fixed an issue with the fluid view, where invalid forum ids would remain "forever" in the address bar. Fixed protocol relative URL's showing in Blog RSS Feeds. Fixed 2 faulty canHide permission checks. Fixed an issue where links to comments in archived topics would point to the wrong location. Commerce Improved the design on the ACP Support Form to improve the readability of the "GOTO" links. Fixed an issue where expired or canceled subscriptions did not always restore the appropriate member groups. Fixed an issue where Google/Apple Pay transactions may auto-capture when held by a fraud rule. Fixed an issue where the same PayPal transaction could be processed twice. Fixed an issue where 3D Secure status may not show correctly on some Stripe transactions. Pages Fixed an issue where the rss import feature skipped the title prefix value. Fixed an issue where records created via the REST API or RSS import wouldn't be linked correctly to other items. Fixed an issue where page record comments would create posts in archived topics when topic syncing is enabled. Fixed an issue with the database filter widget where the custom fields default value was set automatically. Fixed an issue where unsetting the "Remember filters" checkbox wouldn't remove the filter cookie. Fixed an issue where moving/deleting comments could stop the queue from processing. Gallery Fixed an issue where editing the gallery image details would remove the exif data. Fixed an issue where editing the gallery image or video details while the file is still uploading would not save the details. Fixed an issue where allowing a user to submit images to an album they do not own may not allow them to submit. Converters Fixed tags not displaying properly when rebuild completes before permissions are set. Platform Improved the un-archiving process for topics when archiving gets disabled. Changes affecting third-party developers and designers The POST /core/members/{id}/secgroup/{groupId} endpoint will log the changes to the member history. Fixed an IN_DEV issue in the checkout form, which was caused by an undefined variable. Fixed an INDEV issue where ignoring a member from his hovercard with INDEV mode would show a "CSRF KEY present in the url error". The Contact Form will now contain a "contact_referrer" value when the form is submitted. It is up to the calling extensions handleForm() method to determine how to handle this information. Performance improvements targeting MySQL 8. Changed the method signature for \IPS\Node\Model::setLastComment() and \IPS\Content\Item::resyncLastComment() Security Resolves an issue in Commerce when tampering with filters could cause errors. Core Improved the efficiency when getting attachments for topic statistics. Improved the efficiency of streams when "Content I posted in" is selected. Improved the Internal Embeds system to show better error messages for deleted comments & reviews. Improved performance of invalidating member sessions when using Redis. Added new Moderator actions by action statistics section. Fixed Checkbox Overview Statistics not working properly. Fixed Moderator Activity statistics table not displaying properly. Fixed Warnings over time statistics table not displaying properly. Fixed Suspended users over time statistics table not displaying properly. Fixed saved charts not displaying data correctly when custom form filters are used. Fixed Geographical Charts CSV download not generating properly. Fixed an issue where creating an activity stream in the ACP could be missing the clubs filter. Fixed an issue where the badge title would be shown as hash value in translated notification emails. Fixed an issue where the Posts Per Day Limit was also used for private messages. Fixed an issue in the members/warnings endpoint where the POST request could fail while giving a member a warning if warning actions were present. Fixed an issue where deleting content may send a delete request to Community Hive, even if it was not enabled. Fixed an issue where 3rd party applications with a broken/missing versions file would break the upgrader. Fixed an issue where members with a false validation flag would be unable to login. Fixed an issue where the Google Maps Autocomplete Integration could display an error message. Fixed an issue where not all clubs may be shown on the member profile clubs page. Replaced the hardcoded forum_id in the promotion achievement extension. Fixed an issue where the Signature Settings page couldn't be accessed to change the signature visibility, without permissions to edit signatures. Fixed an issue where new comment notifications posted in anonymous topics were showed as posted by an anonymous member. Fixed an issue with the post count value for the Mass Move /Mass Delete action. Fixed an issue where delayed deleted content from private clubs isn't shown in the ModCP - Deleted Content area. Fixed the default value for the Manifest related manifest_details setting. Fixed an issue where the guest group settings couldn't be edited. Fixed an issue where YouTube embeds may not lazy-load. Fixed an issue where the guest group settings couldn't be edited. Fixed an issue where admins with permission to manage stored replies could still not manage these. Fixed an issue where the club filters could cause an EX0 error when a not existing field was used. Fixed an issue where IP address pruning may not prune all IP addresses. Blogs Fixed an issue where moving a blog entry and sending a moderation alert may cause an error. Forums Added new Solved Topics by Group statistics section. Added new Unsolved Topics statistics section. Added Top Solvers statistics section. Courses Fixed Enrollments statistics table not displaying status correctly. Fixed an issue where sorting the enrollments in the ACP by name would throw an error. Fixed a missing language string. Fixed not translatable module titles. Pages Added ability for database categories to be added to Clubs. Views are now tracked for Pages. Fixed an issue where pages were not reindexed after WYSIWYG blocks were added/edited. Fixed an issue where record thumbnails which were created via the REST API hadn't the proper thumbnail size. Platform Page views for pages will now be included in analytics reports. Fixed an issue with the post before registering flow when content was identified as spam. Commerce Fixed an issue with the subscriptions member filter. Fixed a broken default value in the businessAddress. Fixed an issue in the commerce categorySidebar template. Events Added organizer, eventAttendanceMode, and VirtualLocation to events JSON_LD. Fixed an issue where guests searching for events could see an error. Downloads Fixed an issue in the Downloads File Embed Template where the comment count was shown for files in categories without comments. Gallery Fixed an issue where the vertical image widget wouldn't show the image in Chrome. Fixed missing alt texts for event cover images. Converters Improved conversion of attachments in WordPress, Attachments will now be converted inside posts instead of converting to media files. Changes affecting third-party developers and designers Added new core/admin/global template userLinkWithPhoto. Added new tableLangPrefix property for Dynamic Charts. Fixed adding new warning reason throwing an error while IN_DEV. Fixed an issue where the radio form template would result in an error if no htmlID was set. Fixed an issue where clean IN_DEV installations have a broken serviceworker if no manifest details were set. Updated HTMLPurifier to 4.17.0. Replaced JShrink with JS-minify for better Javascript compatibility. Removed jQuery History, removing deprecated 'onunload' handler. Core Added a maximum recommended PHP version warning. Removed the club join button from the clubs rules page. Improved the club overview and member page to include a page title. Improved the handling of the custom upgrade page to prevent errors. Improved bruteforce login protection across login attempts for multiple accounts. Fixed an issue on the profile where the solutions section would return an error if there's no class which utilizes solutions. Fixed alignment of club names in cover photos. Fixed an issue where embedding images could fail. Fixed an issue where the s3Delete task may not be enabled. Fixed alignment of club names in cover photos. Fixed an issue where unapproved content notifications did not use the item read status. Fixed an issue where the Device Usage block was displaying incorrectly. Fixed an issue where saved Points charts were not showing. Fixed an issue where announcements could be created with an end date in the past. Fixed an issuer where the timescale for saved charts would not change. Fixed an issue where the background task to move/delete content items could fail if the first comment was missing. Fixed the hardcoded content type name in the recognized content block. Fixed an issue where Moderator Activity charts were using the same date range. Fixed an issue where a not available item from the search index could break the daily stream subscriptions mail. Blogs Fixed an issue where the blog seo name wasn't updated when the blog name was changed. Fixed an issue where the blog grid view could have a broken pagination. Commerce Fixed an issue where hiding a subscription package in the ACP would throw an error. Fixed an issue where duplicate records could be generated for PayPal billing agreements. Fixed an issue where some stripe payments were processed twice. Fixed an issue where users could upgrade subscription plans at no charge if the expiration date had passed but the purchase was not marked as expired. Stripe non-card payments now use the updated version of the Stripe API. Events Fixed an issue where the offset wasn't casted to an integer which could have caused an error on the events overview page. Forums Improved the efficiency when viewing very large archived topics. Fixed an issue where forum post counts may not be accurate. Fixed an issue where moving the file storage location would not update the file path in the database. Pages Improved the php block code validation while saving the custom blocks content. Fixed an issue where club categories did not show in the list when club content is visible throughout the community. Fixed an issue where page template names could have a space in the title. Fixed an issue where creating new records via REST would fail when revision history is enabled. Fixed an issue where deleting a database wouldn't delete all it's categories. Fixed an issue where club category menu entries would be shown even if the visitor has no permissions to view the page. Fixed an issue where guests couldn't open the club categories page. Platform Fixed an issue where live topic notifications would be shown to for hidden/deleted topics. Changes affecting third-party developers and designers Removed a MySQL 5.7 specific optimisation for loading content item with lots of comments. Core Added new prune setting for failed requests in API logs. Improved the efficiency of unread content streams when using MySQL 8. Improved performance when replying to a content item or create a content item. Fixed possible error when using the DataLayer with PII as well as Single Sign on. Fixed issue with deleting secondary group using the REST API. Fixed an issue where Censor Block may allow HTML tags to be used in the preview even though they are not stored in the database. Fixed an issue where group promotion may move the member back to the default group if MySQL is temporarily unavailable. Fixed an issue where the results count was always 0 for Hidden Content in the ModCP Fixed an issue where certain saved charts were not showing. Fixed an issue where broken modlog data could break the topic view page. Fixed an issue where it was possible to toggle online status without multi-factor authentication. Fixed an issue where OAuth PKCE values may not persist in some situations. Fixed an issue where some very old topics would not show the "I posted in this" star. Fixed an issue with notifications on comments that did not account for anonymous posting. Fixed an error on the Manage Promoted Items page when an application is disabled. Fixed an issue which happened while warning a member. Fixed an issue where the content widget was showing the tags option for all content types, even if they weren't implementing tags. Fixed an issue where a service worker may not work if your site is not accessible to guests. Fixed an issue where deleted an application wouldn't remove the data from the core_javascript db table. Fixed an issue on the moderators permission page. Fixed an issue where the REST API (with API key) would not return a last activity date for anonymous members. Fixed an issue on Cloud where large Member CSV imports would inadvertently trigger human verification. Removed CommunityHive integration. Removed ability for pending-validation registrations changing their email address to avoid a race condition. Forums Improved performance when rebuilding statistical data for forum topics. Commerce Added a new prune settings for Commerce related member history. Fixed an issue where upgrading subscriptions did not always update the expiration date. Fixed an issue where support request URLs would be sent to IndexNow. Fixed an issue where some support requests were not properly linked to a member account. Fixed an issue where some billing agreements were not properly linked to purchases. Fixed an issue where changing the club owner could fail for paid clubs. Courses Fixed an error that could occur when viewing badges that had been assigned for completing a course. Calendar Fixe dan issue in the upcoming events widget where club events would be shown even if they shouldn't. Pages Fixed an issue with the RSS Feed widget, where the cache expiration time would be overwriten by the custom rss widget cache time. Platform Removed the 'Popular Now' widget, use 'Trending Content' instead. Changes affecting third-party developers and designers Added new _setLastComment() method to nodes. Added new \IPS\Node\DelayedCount trait. Other performance improvements included related to search index and content statistics.
Callum MacGregor Posted October 1 Author Posted October 1 I mean I am glad to see your list of updates....but how are you prioritising bugs? Its a one line fix, I even told you the file to change, and its something that has a direct financial impact on anybody using maxmind in two ways: Anybody paying for maxmind for the last year has been completely wasting their money as the Invision integration is broken Anybody relying on maxmind for fraud prevention will almost certainly have seen an uptick in fraudulent payments, which almost certainly ends up in a chargeback and a fee incurred. To the end user, everything works as expected, maxmind gives no errors and looks like its working as intended, but its only when you dig into it you see the fraud score isn't being used at all. Are you going to be reimbursing customers for this financial loss, considering you have been aware of the bug for a year and have done nothing about it? Maxmind is a core component of Invision, not a third-party addon, and it is STILL BROKEN after almost a year. Afrodude and Joel R 2
Marc Posted October 1 Posted October 1 Software can occasionally have bugs—this is an inherent part of development. There was no dispute that the bug has been present for some time and needs attention. I completely agree, and I have followed up on it for you. In fact, we are hoping that it will be resolved in the next release. However you asked if v4 has been forgotten about, given we are working on v5. This is clearly not the case. Bugs are prioritized based on several factors, including the upcoming release, available resources, the impact on the software, the number of users affected, and more. Unfortunately, there’s no straightforward answer I can give, as it really depends on situation at the time, and the bugs themselves. With regard financial loss. The software is provided "as-is", as per your end user agreement. We has logged a bug report, as per above, and you have also acknowledged there is a bug within that particular area that is causing you issues. Until we state this is rectified, this would still be the case.
Callum MacGregor Posted October 1 Author Posted October 1 Just now, Marc said: Software can occasionally have bugs—this is an inherent part of development. There was no dispute that the bug has been present for some time and needs attention. I completely agree, and I have followed up on it for you. In fact, we are hoping that it will be resolved in the next release. However you asked if v4 has been forgotten about, given we are working on v5. This is clearly not the case. Bugs are prioritized based on several factors, including the upcoming release, available resources, the impact on the software, the number of users affected, and more. Unfortunately, there’s no straightforward answer I can give, as it really depends on situation at the time, and the bugs themselves. With regard financial loss. The software is provided "as-is", as per your end user agreement. We has logged a bug report, as per above, and you have also acknowledged there is a bug within that particular area that is causing you issues. Until we state this is rectified, this would still be the case. Does it require a lot of resources to change one line of code? G17 Media and Afrodude 2
Marc Posted October 1 Posted October 1 Just now, Callum MacGregor said: Does it require a lot of resources to change one line of code? Again, I agree this has perhaps taken longer than it should have to fix, and I have chased this up for you, as per a few messages above there. I'm honestly not sure what else you would like to achieve from this, other than acknowledgement that it has taken a while (is has) and action taken to resolve the issue (we have). If there is something more you would like me to assist you with, please let me know.
Callum MacGregor Posted October 1 Author Posted October 1 No, I guess you can consider this issue dealt with. I'll check back in another year to see if it has been fixed. Steven W., G17 Media and Afrodude 3
Recommended Posts