The purpose of the french financial law n° 2017-1837 is to combat VAT fraud. Since January 1, 2018, it obliges French ecommerce websites to use an extension that meets the requirements of inalterability, security, preservation and archiving of data for control of the french tax administration.
Just a hotfix update.
Here is the complete list of fixes:
- PayPal: Check IPN provider IP extra config parameter for standard and hosted (disabled by default now)
- Important fix for vmcrypt preventing creation of keys, if there is already an existing one.
- important fix for the date, the call was accidently using "null" as timezone parameter, which returns the server time. Added parameter and replaced the null against a default "false", which uses then the joomla configuration for the Timezone.
- category browse view, added "alreadyLoadedIds" to group product for the feature "omitt already loaded"
Unfortunately, we were a bit too fast with our security release, having found an error in the testing phase we created another small bug while we were fixing it.
VirtueMart usually sets the default Joomla frontend language as the shop language, it is this function that had an issue. Some multi-lingual shops failed to load products when the shop language was not explicitly set, or not by default in english.
We have tested this new fix and we do not see any bugs.
Finally, we dropped our dependency on SimplePie for RSS feeds and now use the JFeedFactory of Joomla to display the news and product feed on the dashboard.
Here is the complete list of fixes:
- Fixes for search options and display of search results
- Search plugin, added SKU (by Franz-Peter Scherer)
- Shop language is correctly set by Joomla default front end language
- Fixed another problem with the order language
- While loop finding a product alias got increased to 40 (was 20) to prevent errors when child products did not find a proper alias
- Fixed broken new Coupon
- Fixed broken displayLogos function (was missing a DS)
- Fixed version.php revision number
- Fixed lost sorting of product list if a product was stored
- Uncategorized products are listed again in the admin product list
- The fixed thumbnail size in the product list is now set to 90px
- Added layout of customfield to customfields list
- vmLoaderPluginUpdate. Removed buggy isClient() against isAdmin(). So vm3.2.8 should be Joomla 2.5 compatible again
- Browsing for products of a manufacturer now activates the subordinated settings analogous to categories
- Removed links in Order print view (destroyed layouts without correct css)
- Removed ShipTo address in invoice, if the address is the same as BillTo
- Changed RSS feed, dropping simplepie and using jfeedFactory instead, see http://forum.virtuemart.net/index.php?topic=138918.msg487976#msg487976
- fancybox/jquery.fancybox-1.3.4.pack.js got updated. Removed a little bug. See https://forum.virtuemart.de/installation-updates-einrichtung-156/fancybox-fehlerverhalten-loesung-3146/
- Fix for the router when the URL of the product uses the language fallback
- Fix XPF currency
- Paybox: fix min_amount, countries and check server availability new parameter
A minor XSS vulnerability was present in versions prior to 3.2.6. It occurred when the features feeds and search were used together. It happened only for feed enabled, so administrators can also close the leak in earlier versions by disabling the feed functions. The URL creation of the feed function used an improper call for JRoute. So urlencoded js was executed. The problem is fixed now by using our getCurrentUrlBy function, which works with a whitelist for variable names and it urlencodes any value.
Changes in VirtueMart version 3.2.6
The plugin vmLoaderPluginUpdate now redirects from the normal Joomla registration to the VirtueMart registration. The reason is that the Joomla registration is always missing the address and other VirtueMart related information. So it should not be used. The plugin provides a parameter to disable it. The normal customfields of type S or M can now use the price modifier as percentage. The shipment plugin now also works with multiple countries. The media manager has a new important function, we can now delete a media physically (not just the entry) and the thumbs are also automatically deleted. Some extra security checks were added. Version 3.2.6 is not joomla 2.5 compatible anylonger.
- Important patch to prevent memory leak when switching languages.
- usermodel, extra check if the already loaded user has the right id.
- Renamed order_done layout to orderdone to be able to create a menu item.
- New feature customfield of type S and M have now a new parameter, which enables the added price as percentage.
- Added redirect per system plugin "vmLoaderPluginUpdate" for register and login.
- Shipment plugin shows now also multiple countries.
- vmJsApi, fix for correct language of the datepicker.
- mediahandler has now a deleteAllThumbs of a certain image function (works with regex, may delete accidently too much thumbs which is quite likely unimportant.
- Vendor model getVendorAddressFields does not work with internal id anylonger.
- BE category list keeps selected category.
- Very important fix for multivariants, which lost in some conditions the parent option, when changing to a child.
- Language dependent caching.
- install.sql, removed NULLs for product group booleans, like featured, discontinued, ...
- More security for function getMyOrderDetails.
- Enhanced search plugin.
- Removed double // in function displayLogos in vmpsplugin.php. When the shipment/payment logo dissapeared in checkout, please read http://forum.virtuemart.net/index.php?topic=138927.0
- Function changeShopper, address is not pre-filled with userdata of the switching user (in case the address is not provided).
- Fixed frontend manager link permission in user accountmaintenance.
You can find the full list of changes here: http://forum.virtuemart.net/index.php?topic=138912.0
Changes on the VirtueMart Website
A task force led by Stefan Schumacher finally updated our virtuemart.net site to joomla 3.8. Lately a lot of people also noticed the trouble with our SSL certificate, issued by StartCom. Initially, Google had announced to revoke trust for certificates issued by StartCom after October 21, 2016. Our expensive wildcard certificate was issued before that date, so there was no need for action. Unfortunately Google actually phased out trust also for all older WoSign and StartCom certificates with the release of Chrome 61. If you want to read more details about this, have a look at
So we decided to use Let'sEncrypt instead, which runs maintenance free only with Certbot installed. This led to the problem that we had to update our main server completely. For this, we received fantastic help by Sören Eberhardt-Biermann, the founder of VirtueMart. All systems are finally updated and running with the latest versions. This means for dev.virtuemart.net that we now operate with the latest redmine version and that our SVN server got updated, too. The mail server system has also been updated, because the old system sometimes had hiccups. Last but not least we also updated to php7.
The new version comes with a slightly improved PayPal plugin and a new PayPal product named "PayPal Credit". It allows to finance a purchase with PayPal's partner Comenity Capital Bank.
Furthermore Amazon Pay is now ready for productive use. It makes the cart more efficient by using the same login as for amazon.com which autofills the customer's address into the VirtueMart BillTo and ShipTo address forms.
The whole 'Tools' section got cleaned up and a more logical layout. We added a new wizard for setting the safepath, which sets a secure safepath with one click. The old function to change the storeowner got enhanced and now works reliable even when the vmuser entry is missing.
The revenue report now works correctly to the second. There is also a new hidden config to set the mode for the week.
The new joomla core 3.7.4 creates the plugin object while updating, so updating a VirtueMart plugin ends in a fatal error because the VM plugins need the loaded VirtueMart environment. Therefore we added a small system plugin, which ensures that the vm environment is loaded.
New triggers increase the flexibility of VirtueMart. The triggers plgVmBeforeStoreProduct and plgVmAfterStoreProduct in the product model allows automatically set product properties. The triggers plgVmOnUpdateCart (in cart controller) and plgVmOnAddToCart (in cart helper function add) give programmers more control when a user is adding an item to the cart.
Opening the order details now works also with ajax. Ajax for the category browse view currently is too complex considering backward compatibility, but it is of course planned for the future. The new productdetails layout now uses the thumbnail function to display the main image. This sounds a bit strange at first, but at the end it makes the automatic resizing feature also available for the main images. Layout overriders can now also change the used layout for the order list and order detail views per hidden config.
To read the complete change list http://forum.virtuemart.net/index.php?topic=137816.0