[0007914]: Fix Pay upon Invoice (PUI) . Added gatewaypayment flag to PayPalDefinitions and isGatewayPayment() method so PUI correctly falls through to OXID's core PaymentGateway.

Author: mariolorenz

CHANGELOG.md

@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ### FIX
 
+- [0007914](https://bugs.oxid-esales.com/view.php?id=7914): Fix Pay upon Invoice (PUI) broken after 3.7.1 security patch. The `executePayment()` reject guard blocked PUI because it matched `isPayPalPayment()` but was not handled by any prior flow (not a button/proxy/UAPM/checkout payment). Added `gatewaypayment` flag to `PayPalDefinitions` and `isGatewayPayment()` method so PUI correctly falls through to OXID's core `PaymentGateway`.
 - [0007915](https://bugs.oxid-esales.com/view.php?id=7915): Fix fatal error "Call to a member function getId() on null" on product detail page when an out-of-stock variant is in the basket. `hasProductVariantInBasket()` delegated to `Basket::getArtStockInBasket()` which calls `getArticle(true)` (buyable-check). For out-of-stock variants this returns null. Replaced with direct basket iteration using `getArticle(false)` to skip the buyable check.
 - [0007916](https://bugs.oxid-esales.com/view.php?id=7916): Fix orphaned oscpaypal_order rows with OSCPAYPALSTATUS=COMPLETED and empty OXORDERID. When `sess_challenge` was cleared before `captureOrder()` completed (e.g. by a concurrent cancel request), the capture flow proceeded and created tracking records that could not be matched by webhook processing. Added defense-in-depth validation at four levels: `AjaxPaymentController::captureOrder()` now aborts if the shop order cannot be resolved, `PayPalOrderCompletedSubscriber` rejects events with empty shopOrderId, `Payment::trackPayPalOrder()` throws on empty shopOrderId, and `OrderRepository::paypalOrderByOrderIdAndPayPalId()` refuses to create new records with empty shopOrderId.
 

src/Core/PayPalDefinitions.php

@@ -198,6 +198,7 @@ final class PayPalDefinitions
             'onlybrutto' => false,
             'buttonpayment' => false,
             'proxycontroller' => false,
+            'gatewaypayment' => true,
             'defaulton' => true,
             'paymentsource' => self::PAYMENT_SOURCE_PUI
         ],
@@ -526,6 +527,13 @@ public static function isUAPMPayment(string $oxid): bool
         return (isset(self::PAYPAL_DEFINTIONS[$oxid]['isuapm']));
     }
 
+    public static function isGatewayPayment(string $oxid): bool
+    {
+        return (isset(self::PAYPAL_DEFINTIONS[$oxid])) ?
+            !empty(self::PAYPAL_DEFINTIONS[$oxid]['gatewaypayment']) :
+            false;
+    }
+
     public static function isButtonPayment(string $oxid): bool
     {
         return (isset(self::PAYPAL_DEFINTIONS[$oxid])) ?

src/Model/Order.php

@@ -476,6 +476,12 @@ protected function executePayment(Basket $basket, $userpayment)
             return true;
         }
 
+        // Gateway payments (e.g. PUI) are processed by OXID's core PaymentGateway,
+        // so they must fall through to parent::executePayment().
+        if (PayPalDefinitions::isGatewayPayment($sessionPaymentId)) {
+            return parent::executePayment($basket, $userpayment);
+        }
+
         // Reject any PayPal payment that was not handled by the flows above
         if (PayPalDefinitions::isPayPalPayment($sessionPaymentId)) {
             return self::ORDER_STATE_PAYMENTERROR;