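--- a/trunk/extensions/DonationInterface/globalcollect_gateway/globalcollect_resultswitcher.body.php
+++ b/trunk/extensions/DonationInterface/globalcollect_gateway/globalcollect_resultswitcher.body.php
@@ -38,6 +38,14 @@
 public function execute( $par ) {
 global $wgRequest, $wgOut, $wgExtensionAssetsPath;
 
+//no longer letting people in without these things. If this is
+//preventing you from doing something, you almost certainly want to be
+//somewhere else.
+if ( !isset($_GET['order_id']) || !$this->adapter->hasDonorDataInSession( 'order_id', $_GET['order_id'] ) ){
+//TODO: i18n, apparently.
+wfHttpError( 403, 'Forbidden', 'You do not have permission to access this page.' );
+}
+
 $referrer = $wgRequest->getHeader( 'referer' );
 
 global $wgServer;
@@ -45,11 +53,14 @@
 //I didn't do this already, because this may turn out to be backwards anyway. It might be good to do the work in the iframe,
 //and then pop out. Maybe. We're probably going to have to test it a couple different ways, for user experience.
 //However, we're _definitely_ going to need to pop out _before_ we redirect to the thank you or fail pages.
-if ( strpos( $referrer, $wgServer ) === false ) {
+if ( strpos( $referrer, $wgServer ) === false ) {
 $wgOut->allowClickjacking();
 $wgOut->addModules( 'iframe.liberator' );
 return;
 }
+
+
+
 
 $wgOut->addExtensionStyle(
 $wgExtensionAssetsPath . '/DonationInterface/gateway_forms/css/gateway.css?284' .
@@ -62,10 +73,9 @@
 if ( $this->adapter->checkTokens() ) {
 // Display form for the first time
 $oid = $wgRequest->getText( 'order_id' );
-$adapter_oid = $this->adapter->getData_Raw( 'order_id' );
 
 //this next block is for credit card coming back from GC. Only that. Nothing else, ever.
-if ( $this->adapter->getData_Raw( 'payment_method') === 'cc' && $oid && !empty( $oid ) && $oid === $adapter_oid ) {
+if ( $this->adapter->getData_Raw( 'payment_method') === 'cc' && $this->adapter->hasDonorDataInSession( 'order_id', $_GET['order_id'] ) ) {
 if ( !array_key_exists( 'order_status', $_SESSION ) || !array_key_exists( $oid, $_SESSION['order_status'] ) ) {
 $_SESSION['order_status'][$oid] = $this->adapter->do_transaction( 'Confirm_CreditCard' );
 $_SESSION['order_status'][$oid]['data']['count'] = 0;
@@ -93,7 +103,7 @@
 $wgOut->redirect( $go );
 } //TODO: There really should be an else here.
 }
-}
+}
 } else {
 if ( !$this->adapter->isCaching() ) {
 // if we're not caching, there's a token mismatch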
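Review bot: The 403 guard added at the top of execute() emits the error response but does not stop the method: as far as I can tell wfHttpError() returns rather than exiting, so a request with no matching session order_id still runs the rest of execute(), including the Confirm_CreditCard branch in the third hunk, which now also reads `$_GET['order_id']` directly. Add `return;` immediately after the `wfHttpError( 403, ... );` call so the gate actually gates. It would also be more consistent to take the id from the request object already in scope, `$oid = $wgRequest->getText( 'order_id' );`, and pass `$oid` to both hasDonorDataInSession() calls, so the gate and the later check compare the same value through the same path. The body of execute() continues beyond the last hunk.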
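--- a/trunk/extensions/DonationInterface/gateway_common/gateway.adapter.php
+++ b/trunk/extensions/DonationInterface/gateway_common/gateway.adapter.php
@@ -289,7 +289,6 @@
 $url = $url . "/$language";
 }
 
-error_log("Position: " . strpos( $url, 'http' ));
 if ( strpos( $url, 'http' ) === 0) {
 return $url;
 } else { //this isn't a url yet.
@@ -1920,5 +1919,24 @@
 }
 return $this->action;
 }
+
+/**
+* Checks to see if we have donor data in our session.
+* This can be useful for determining if a user should be at a certain point
+* in the workflow for certain gateways. For example: This is used on the
+* outside of the adapter in GlobalCollect's resultswitcher page, to
+* determine if the user is actually in the process of making a credit card
+* transaction.
+* @param string $key Optional: A particular key to check against the
+* donor data in session.
+* @param string $value Optional (unless $key is set): A value that the $key
+* should contain, in the donor session.
+* @return boolean true if the session contains donor data (and if the data
+* key matches, when key and value are set), and false if there is no donor
+* data (or if the key and value do not match)
+*/
+public function hasDonorDataInSession( $key = false, $value= '' ){
+return $this->dataObj->hasDonorDataInSession( $key, $value );
+}
 
 }
\ No newline at end of file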
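Review bot: The docblock on the new hasDonorDataInSession() wrapper declares `@param string $key` but the parameter defaults to `false`, so the documented type does not match the signature and hides the sentinel from static analysis; declare it as `@param string|bool $key` (or default to `null` and document `@param string|null $key`). The docblock is also a verbatim copy of the one on DonationData::hasDonorDataInSession(); a one-line `@see DonationData::hasDonorDataInSession()` on the wrapper would keep the two from drifting apart. The enclosing class starts outside the hunk.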
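--- a/trunk/extensions/DonationInterface/gateway_common/DonationData.php
+++ b/trunk/extensions/DonationInterface/gateway_common/DonationData.php
@@ -864,6 +864,7 @@
 public function addDonorDataToSession() {
 self::ensureSession();
 $donordata = $this->getStompMessageFields();
+$donordata[] = 'order_id';
 
 foreach ( $donordata as $item ) {
 if ( $this->isSomething( $item ) ) {
@@ -871,6 +872,38 @@
 }
 }
 }
+
+/**
+* Checks to see if we have donor data in our session.
+* This can be useful for determining if a user should be at a certain point
+* in the workflow for certain gateways. For example: This is used on the
+* outside of the adapter in GlobalCollect's resultswitcher page, to
+* determine if the user is actually in the process of making a credit card
+* transaction.
+* @param string $key Optional: A particular key to check against the
+* donor data in session.
+* @param string $value Optional (unless $key is set): A value that the $key
+* should contain, in the donor session.
+* @return boolean true if the session contains donor data (and if the data
+* key matches, when key and value are set), and false if there is no donor
+* data (or if the key and value do not match)
+*/
+public function hasDonorDataInSession( $key = false, $value= '' ) {
+if ( self::sessionExists() && array_key_exists( 'Donor', $_SESSION ) ) {
+if ( $key == false ){
+return true;
+}
+if ( array_key_exists($key, $_SESSION['Donor'] ) && $_SESSION['Donor'][$key] === $value ){
+return true;
+} else {
+return false;
+}
+
+
+} else {
+return false;
+}
+}
 
 /**
 * Unsets the session data, in the case that we've saved it for gateways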
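Review bot: `if ( $key == false )` in the new hasDonorDataInSession() is a loose comparison, so a key of `''` or `'0'` is treated as "no key given" and the method returns true without ever checking `$value`; use `if ( $key === false )` so only the explicit sentinel skips the value check. The value comparison `$_SESSION['Donor'][$key] === $value` is strict while the resultswitcher caller passes a raw `$_GET` string, so if order_id is ever stored in the session as a non-string this will reject legitimate donors — worth confirming what type addDonorDataToSession() writes for the `order_id` entry added in the first hunk. The two `else { return false; }` blocks and the blank lines after the inner if could collapse to a single `return array_key_exists( $key, $_SESSION['Donor'] ) && $_SESSION['Donor'][$key] === $value;`.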