[Rick Wilson]

Release Notes

General

The default country list has been updated with the current ISO-3166-1 list.
Redesigned the mechanism used to install, remove, and register modules within a store in order to increase error tolerance and prevent stores from being inadvertently broken by removal of a component module.
The SEO "Sitemap" page is now deleted when the Sitemap is disabled.
Duplicate database queries have been eliminated during the checkout process.
Timeout handling when processing large provisioning files has been improved.
Attributes for items added to the shopping basket or displayed on an invoice are now displayed using the sort order configured for the product.
A new page, "NTFD - Not Found" has been added. The software now routes requests for pages, products, or categories that do not exist to this page.
The uninstall process now properly drops all database tables from MySQL installations.
The maximum length allowed for the SEO settings short link custom prefix has been extended from 10 characters to 100.
Modules implementing multiple "primary" features may now be installed or removed from any of the screens on which they appear.
When attempting to remove modules that are used by Store Morph items, a message is displayed listing the items and pages which reference the module. The default configuration prevents removal of these modules. A new store setting, "Allow Modules Used by Store Morph Items to be Uninstalled", may be configured to allow the removal of these modules.
Fixed a bug that would occasionally cause error messages of the form "mysql_stmt_prepare: Table 's01_Products' was not locked with LOCK TABLES" to appear in MySQL installations.
Fixed a bug introduced in core-17 that caused both the primary and secondary address to be "optional" for newly created stores.
The Miva Merchant Look & Feel module can now be updated from the "Edit Module" screen and re-added to the domain if it was inadvertently removed.
Administrative Interface
The country list is now editable from the "Countries" tab of the "Domain Settings" screen.
The existing color selector has been replaced with a new and improved version, which is now also available when editing template code.
New-style numeric sorting controls are now available for Attribute Templates.
Users may no longer change the code of an existing Store Morph item.
The administrative login screen now sets the focus to the Username field on load.
The "Parent Category" field is now properly reset when pressing the "Reset" button on the "Add Category" page.
The "Order ID" and "Order Amount" fields are no longer displayed for Affiliate "Referral" transactions.
If a framework is applied and one or more of the pages it contains do not exist, the pages are now automatically created.
Fixed a bug that caused encrypted order data to be lost when processing orders with an invalid passphrase.
Non-encrypted order data is now properly updated when editing an order containing locked encrypted data.
Fixed encoding of the "Invoice Total" column on the "Order Processing" screen, so currency formats that contain special characters are now properly displayed.
When creating a Store Morph item, the software now verifies that the referenced module implements the "component" feature.
Module reference counts are now properly maintained when changing the module referenced by a Store Morph item.
The "Edit Here" button on the "Products" screen now works properly when the product being edited contains special characters in its code.
Fixed a bug that could cause the user interface to respond slowly when the Miva Merchant update server was unavailable.

Runtime Interface

For new installations, the maintenance mode warning message is now displayed using the correct body font.
The missing product attributes page now correctly routes the shopper to a secure or non-secure URL depending on their original destination.
Fixed a bug that allowed duplicate affiliates with the same login to be created.
For new installations, invalid color references have been removed from the AFAD and AFED pages.
The "Account" button in the navigation bar on the INVC page now directs the user to the LOGN screen, instead of an empty account page.
For new installations, fixed typos in the basket contents template that prevented textarea attribute text from being displayed.
The fatal error displayed when a shopper attempts to modify a basket that has expired now displays a more descriptive error message.
Payment Modules have been modified to properly display the payment method name instead of the internal code on the OPAY screen.
When a shopper's basket expires during the checkout process, the shopper now receives a message stating that their basket is empty, instead of allowing them to complete the checkout process with an empty basket.
Fixed a bug that prevented shoppers from checking out if the store was configured with a single country and an optional secondary address.
The checkout process now properly errors if no payment methods are available, instead of previously checking only if one or more payment modules were configured.
The "Require Shipping" option now prevents checkout if no shipping methods are available, instead of previously checking only if one or more shipping modules were configured.
Changed "Diner's Club" to "Diners Club" for all payment modules supporting this card type.

Setup

Setup now properly deploys all files required for Google Checkout.
The install process now displays a validation error if the target MySQL database already contains a Miva Merchant installation.
PA-DSS (These changes do not affect existing installations unless explicitly configured)
Database passwords in merchdb.dat are now encrypted.
Administrative user passwords are now encrypted using SHA1 with 16 bytes of random data as a salt. Passwords for existing users will be encrypted with the new mechanism when those users change their password. This change also allows passwords longer than 8 characters to be used.
The default Administrative Session Timeout is now 15 minutes.
The default Failed Login Lockout Time is now 30 minutes.
Options have been added to enforce password strength requirements. The default requirements for new installations are that passwords must be 7 characters or longer, contain at least one letter and one number or punctuation character, and not be the same as any of the prior 4 passwords used.
Mandatory password changes may now be enforced on a configurable interval. Users are required to change expired passwords when logging into the administrative interface. The default setting for new installations requires a password change every 90 days.
Privileges
The "Orders" store privilege has been renamed to "Order Processing" to more closely match the user interface elements it affects.
Store Privileges are now displayed sorted by the privilege name on the "Add/Edit Group" screen.
The "Marketing Products" and "Marketing Reports" privileges have been removed.
Fixed a bug that prevented users with only the "Add Additional Users" privilege from being able to navigate to the "Add User" screen.
Fixed numerous minor bugs where elements were displayed that did not function due to privilege settings.
Fixed numerous minor bugs that prevented users with limited privileges from navigating to the area where the privileges are used.
Wizard: Set Up Payment
The signup process for Innovative Gateway has been streamlined.
The wizard now resizes itself to fit the content of the PayPal options page, and the alignment of the content on this page has been improved.
Bolding of "Available Payment Methods" has been made more consistent to indicate whether selection of at least one method is required.
Fixed bugs with numerous payment modules that prevented more than a single payment method from being selected.
Wizard: Set Up Sales Tax
An error message is no longer displayed on the first screen of the wizard if the current sales tax module does not support wizard configuration.
Wizard: Design Your Look
The wizard no longer readds the MIVA logo to the navigation bar.
Fixed a process flow bug that could leave a user on an empty step.

[Rick Wilson]

Module: Checkout by Amazon
and fields are now passed as part of the generated cart XML.
Fixed a bug that caused an error when the same Miva Merchant shipping method was assigned to multiple Amazon shipping service levels.
Removed debugging code that was creating a file called "amazon_test.dat" in the data directory.
Shipping and billing names with middle names, initials, prefixes or suffixes are now split into the Miva Merchant first and last name fields without discarding data.
Module: Payflow Link
The "Password" field was not being used at any point in the module, so it has been removed.
The "User ID" field has been renamed to "Merchant Login" to more closely match PayPal/Verisign's current terminology.
The "Host Code" response field is now only displayed for Telecheck transactions.
Fixed confusing CVV2 vs CSC wording in the payment wizard.
The Miva Merchant order ID is now properly recorded as the invoice number in the Payflow Link control panel.
Module: Payflow Pro
When configuring the module via the "Set Up Payment" wizard, the validation that at least one payment method be selected is now performed after displaying the available payment methods, instead of before. This fixes a bug that prevented completion of the wizard when reconfiguring the module with no payment methods selected.
Module: First Data Global Gateway
Fixed confusing CVV2 vs CSC wording in the payment wizard.
Module: Authorize.Net
Fixed the destination of the account signup link in the payment wizard.
Fixed a misspelling of "acquire" in the payment wizard.
The module now appears in the payment wizard if the (obsolete) Authorize.Net commerce library is not installed.
Module: PayPal Website Payments Pro
Fixed a bug that caused an error message stating "Unable to authorize payment (-1)" when product names contained ampersands.
Removed a spurious "x" that appeared in the wizard-based configuration.
Fixed a bug that caused shopping transactions to fail when there was leading or trailing space in the credit card number or CVV2 value.
Module: Google Checkout
When used in a domain containing multiple stores, orders are now recorded in the correct store.
Fixed a bug that caused shoppers to see "Your order has already been processed" when returning from Google Checkout.
Fixed interaction with the VikingCoders UPS module.
Leftover TAX Basket Charges are now deleted after calculating sales tax during callbacks.
Module: UPS Domestic Shipping Calculator
Rates have been updated to reflect UPS 2009 rates
Next Day Air Early A.M. now calculates correctly (in previous versions it never appeared)
Air shipments out of Alaska now calculate correctly
Ground shipments into Hawaii from the lower-48 now calculate correctly
Support has been added for extended remote residential delivery surcharges, Alaska remote delivery surcharges, and Hawaii remote delivery surcharges.
The rate table selection controls have been modified to more closely mirror the control layout on UPS' online rate calculator.
It is now possible to configure rate calculation for shippers that drop their packages off at a retail location, and do not pay an on-call pickup surcharge.
On-call pickup surcharges are now delivered as part of the rate table download, instead of being built into the module.
The module will now prompt for a re-download of the rate tables whenever an option is changed that invalidates the currently downloaded data.
Module: FedEx(R) Shipping Cost Estimate
Improved handling of data from the FedEx server to prevent a fatal error during checkout if an invalid response is returned.
Module: Generic Currency Formatting
Fixed a bug that prevented a user without the Modify privilege for Sales Tax from updating store settings.
Module: European VAT
Product settings are now properly validated and saved when adding a new product.
Module: Canadian VAT
Orders containing multiple PST-exempt products now calculate PST correctly.
Module: Customer Order Confirmation HTML Email
For new installations, the shipping last name is now included in the default template code.
Fixed a bug that caused an empty screen, with no Next or Previous button, when configuring the module via the "Set Up Fulfillment" wizard.
Module: Email Merchant Notification
A message has been added to the configuration screen displaying the list of allowable separator characters for multiple email addresses.
Module: Import Categories from Flat File
Categories may no longer be imported with blank codes or names.
Module: Import Products from Flat File
When importing custom fields, an invalid product code no longer causes the custom field values to be assigned to random products.
A new option has been added to allow custom field deletion when importing empty values.
Module: buySAFE 2.0
Fixed a bug that caused shoppers to be charged for buySAFE bonding without the bonding being properly recorded at buySAFE.
Module: Microsoft Live Search cashback
This module is now part of the standard distribution.
Fixed a bug that caused an empty validation message to be displayed when configuring an alternate product description.
Provisioning
Default values are now provided for all optional sub-tags.

[chucklasker]

I created two tutorials open to the public about the PR6 update.

Updating Miva Merchant 5.5 to PR 6

A tour of some of the PR 6 changes/enhancements

Enjoy!

[RayYates]

Thanks Miva Merchant for adding this screen and for all your hard work on this update.

Thanks Chuck. You save me and I'm sure many others a lot of time.

One thing about the new (NTFD) Not found screen that will affect PCI Compliance Certification for a lot of stores and Search engines.

If your .htaccess is using short links like this, mysite.com/product_code.html, and the product code is invalid the NTFD page displays as expected but it reports status 200 found in the http header instead of status 404 not found.

This is important because PCI compliance scans will look on your site for files with known vulnerabilities. If it looks for bad_file.html, it will report that the file is on your server when in fact it is not.

Also Search Engines will search for links that don't exist and see the status 200 found in the http header.

Fortunately its easy to fix with PCI Net Toolbelt or toolkit. Add this to the first line of the page.

<mvt:item name="ry_toolbelt" param="assign|g.ok|miva_output_header( 'Status', '404 Not Found' )" />

Miva Merchant should consider adding this command just before calling the NTDF screen.

Thanks Miva Merchant for adding this screen and for all your hard work on this update.

[wcw]

Quote:

Originally Posted by RayYates Fortunately its easy to fix with PCI Net Toolbelt or toolkit. Add this to the first line of the page. <mvt:item name="ry_toolbelt" param="assign|g.ok|miva_output_header( 'Status', '404 Not Found' )" />

If you don't have the PCI Net Toolbelt or Emporium Plus Tool Kit and you do have the current version of the Power Search you can use that module too. I haven't tried it but I assume it would be something like
<mvt:item name="powrsrch" param="headeroutput|Status|404 Not Found" />