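--- a/branches/fundraising/deployment/payments_1.17/extensions/DonationInterface/globalcollect_gateway/globalcollect_resultswitcher.body.php
+++ b/branches/fundraising/deployment/payments_1.17/extensions/DonationInterface/globalcollect_gateway/globalcollect_resultswitcher.body.php
@@ -37,24 +37,46 @@
 */
 public function execute( $par ) {
 global $wgRequest, $wgOut, $wgExtensionAssetsPath;
-
+
 //no longer letting people in without these things. If this is
 //preventing you from doing something, you almost certainly want to be
 //somewhere else.
 $forbidden = false;
-if ( !isset($_GET['order_id']) || !$this->adapter->hasDonorDataInSession( 'order_id', $_GET['order_id'] ) ){
-wfHttpError( 403, 'Forbidden', wfMsg( 'donate_interface-error-http-403' ) );
+$qs_oid = 'undefined';
+if ( !isset( $_GET['order_id'] ) ){
 $forbidden = true;
+$f_message = 'No order ID in the Querystring.';
+} else {
+$qs_oid = $_GET['order_id'];
+if ( !$this->adapter->hasDonorDataInSession( 'order_id', $_GET['order_id'] ) ){
+$forbidden = true;
+$f_message = 'Requested order id not present in the session';
+}
 }
+
+if ( $forbidden ){
+wfHttpError( 403, 'Forbidden', wfMsg( 'donate_interface-error-http-403' ) );
+}
 
 $referrer = $wgRequest->getHeader( 'referer' );
+$liberated = false;
+if ( array_key_exists( 'order_status', $_SESSION ) && array_key_exists( $qs_oid, $_SESSION['order_status'] ) ){
+$liberated = true;
+}
 
 global $wgServer;
 //TODO: Whitelist! We only want to do this for servers we are configured to like!
 //I didn't do this already, because this may turn out to be backwards anyway. It might be good to do the work in the iframe,
 //and then pop out. Maybe. We're probably going to have to test it a couple different ways, for user experience.
 //However, we're _definitely_ going to need to pop out _before_ we redirect to the thank you or fail pages.
-if ( strpos( $referrer, $wgServer ) === false ) {
+if ( ( strpos( $referrer, $wgServer ) === false ) && !$liberated ) {
+$_SESSION['order_status'][$qs_oid] = 'liberated';
+$this->adapter->log("Resultswitcher: Popping out of iframe for Order ID " . $qs_oid);
+//TODO: Move the $forbidden check back to the beginning of this if block, once we know this doesn't happen a lot.
+//TODO: If we get a lot of these messages, we need to redirect to something more friendly than FORBIDDEN, RAR RAR RAR.
+if ( $forbidden ) {
+$this->adapter->log("Resultswitcher: " . $qs_oid . "SHOULD BE FORBIDDEN. Reason: $f_message");
+}
 $wgOut->allowClickjacking();
 $wgOut->addModules( 'iframe.liberator' );
 return;
@@ -67,23 +89,12 @@
 $this->setHeaders();
 
 if ( $forbidden ){
-$qs_oid = 'undefined';
-$message = '';
-if ( !isset($_GET['order_id']) ){
-$message = 'No order ID in the Querystring.';
-} else {
-$qs_oid = $_GET['order_id'];
-}
-
-if ( !$this->adapter->hasDonorDataInSession( 'order_id', $_GET['order_id'] ) ){
-$message = 'Requested order id not present in the session';
-}
-
-$this->adapter->log("Resultswitcher: Request forbidden. " . $message . " Quersytring Oirder ID: $qs_oid");
+$this->adapter->log( "Resultswitcher: Request forbidden. " . $f_message . " Querystring Order ID: $qs_oid Adapter Order ID: " . $this->adapter->getData_Raw( 'order_id' ) );
 return;
+} else {
+$this->adapter->log( "Resultswitcher: OK to process Order ID: " . $qs_oid );
 }
 
-
 // dispatch forms/handling
 if ( $this->adapter->checkTokens() ) {
 // Display form for the first time
@@ -91,7 +102,7 @@
 
 //this next block is for credit card coming back from GC. Only that. Nothing else, ever.
 if ( $this->adapter->getData_Raw( 'payment_method') === 'cc' ) {
-if ( !array_key_exists( 'order_status', $_SESSION ) || !array_key_exists( $oid, $_SESSION['order_status'] ) ) {
+if ( !array_key_exists( 'order_status', $_SESSION ) || !array_key_exists( $oid, $_SESSION['order_status'] ) || !is_array( $_SESSION['order_status'][$oid] ) ) {
 $_SESSION['order_status'][$oid] = $this->adapter->do_transaction( 'Confirm_CreditCard' );
 $_SESSION['order_status'][$oid]['data']['count'] = 0;
 } else {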
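Review bot: The forbidden path in the first hunk still writes the unvalidated querystring value into the session and still drops the frame protection: when `$forbidden` is true the code reaches `$_SESSION['order_status'][$qs_oid] = 'liberated';`, logs, and then falls through to `$wgOut->allowClickjacking()` and the liberator module, after `wfHttpError()` has already emitted the 403 body (as far as I can tell it does not stop execution). Because `$qs_oid` comes straight from `$_GET['order_id']` and the session check has already failed at that point, a rejected request can seed `order_status` keys (including `'undefined'`) that the later `$liberated` test on `array_key_exists( $qs_oid, $_SESSION['order_status'] )` then trusts. I would hoist the `if ( $forbidden )` block above the session write and end it with `return;` after its log line, so a rejected request neither touches the session nor receives the clickjacking exemption; the TODO on the line above already plans that move. That log line also lacks a separator and should read `"Resultswitcher: " . $qs_oid . " SHOULD BE FORBIDDEN. Reason: $f_message"`. execute() continues past the end of this file section.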
Property changes on: branches/fundraising/deployment/payments_1.17/extensions/DonationInterface/globalcollect_gateway/globalcollect_resultswitcher.body.php |
___________________________________________________________________ |
Modified: svn:mergeinfo |
99 | 110 | Merged /trunk/extensions/DonationInterface/globalcollect_gateway/globalcollect_resultswitcher.body.php:r104932,105032 |