SAAS-973: Airtime Billing page - Add support for August promotion plans

Made WHMCS Airtime group id a constant Check for CSRF token on promo eligibilty ajax check
2015-07-30 13:27:32 -04:00 · 2015-07-30 13:27:32 -04:00 · b2fbb27801
parent bccba2f9d5
commit b2fbb27801
4 changed files with 27 additions and 9 deletions
--- a/airtime_mvc/application/common/Billing.php
+++ b/airtime_mvc/application/common/Billing.php
@ -1,6 +1,7 @@
 <?php

 define("AIRTIME_PRO_FREE_TRIAL_PLAN_ID", 34);
+define("WHMCS_AIRTIME_GROUP_ID", 15);

 class Billing
 {
@ -46,7 +47,7 @@ class Billing
        $postfields["action"] = "getproducts";
        $postfields["responsetype"] = "json";
        //gid is the Airtime product group id on whmcs
-        $postfields["gid"] = "15";
+        $postfields["gid"] = WHMCS_AIRTIME_GROUP_ID;

        $query_string = "";
        foreach ($postfields AS $k=>$v) $query_string .= "$k=".urlencode($v)."&";
@ -356,7 +357,7 @@ class Billing
        $postfields["action"] = "getproducts";
        $postfields["responsetype"] = "json";
        //gid is the Airtime product group id on whmcs
-        $postfields["gid"] = "15";
+        $postfields["gid"] = WHMCS_AIRTIME_GROUP_ID;

        $query_string = "";
        foreach ($postfields AS $k=>$v) $query_string .= "$k=".urlencode($v)."&";
--- a/airtime_mvc/application/controllers/BillingController.php
+++ b/airtime_mvc/application/controllers/BillingController.php
@ -31,11 +31,20 @@ class BillingController extends Zend_Controller_Action {
        }
        $data = $request->getPost();

-        $eligible = Billing::isClientEligibleForPromo(
-            $data["newproductid"], $data["newproductbillingcycle"]);
+        $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $observed_csrf_token = $this->_getParam('csrf_token');
+        $expected_csrf_token = $current_namespace->authtoken;

-        //Set the return JSON value
-        $this->_helper->json(array("result"=>$eligible));
+        if($observed_csrf_token == $expected_csrf_token) {
+            $eligible = Billing::isClientEligibleForPromo(
+                $data["newproductid"], $data["newproductbillingcycle"]);
+
+            //Set the return JSON value
+            $this->_helper->json(array("result"=>$eligible));
+        } else {
+            $this->getResponse()->setHttpResponseCode(403);
+            $this->_helper->json(array("result"=>false, "error"=>"CSRF token did not match."));
+        }
    }

    public function upgradeAction()
@ -47,6 +56,7 @@ class BillingController extends Zend_Controller_Action {
        
        $request = $this->getRequest();
        $form = new Application_Form_BillingUpgradeDowngrade();
+
        if ($request->isPost()) {
                        
            $formData = $request->getPost();
@ -80,8 +90,8 @@ class BillingController extends Zend_Controller_Action {
                //and it freaks out and does the wrong thing if we do it via the API
                //so we have to do avoid that.
                if (($currentPlanProductId == $formData["newproductid"]) &&
-                    ($currentPlanProductBillingCycle == $formData["newproductbillingcycle"]))
-                {
+                    ($currentPlanProductBillingCycle == $formData["newproductbillingcycle"])
+                ) {
                    $placeAnUpgradeOrder = false;
                }

--- a/airtime_mvc/application/forms/BillingUpgradeDowngrade.php
+++ b/airtime_mvc/application/forms/BillingUpgradeDowngrade.php
@ -3,6 +3,11 @@ class Application_Form_BillingUpgradeDowngrade extends Zend_Form
 {
    public function init()
    {
+        $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $csrf_element = new Zend_Form_Element_Hidden('csrf');
+        $csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');
+        $this->addElement($csrf_element);
+
        $productPrices = array();
        $productTypes = array();       
        list($productPrices, $productTypes) = Billing::getProductPricesAndTypes();
--- a/airtime_mvc/application/views/scripts/billing/upgrade.phtml
+++ b/airtime_mvc/application/views/scripts/billing/upgrade.phtml
@ -134,7 +134,7 @@ function promoEligibilityCheck()
    var newproductbillingcycle = $("input[type='radio'][name='newproductbillingcycle']:checked").val();

    $.post("/billing/promo-eligibility-check", {"newproductid": newproductid,
-        "newproductbillingcycle": newproductbillingcycle})
+        "newproductbillingcycle": newproductbillingcycle, "csrf_token": $("#csrf").attr('value')})
        .success(function(data) {
            if (data.result == true) {
                $("#promo-plan-eligible").show();
@ -306,6 +306,8 @@ echo($currentProduct["name"]);
 <h3>Choose a plan:</h3>
 <form id="<?php echo $form->getId(); ?>" method="<?php echo $form->getMethod() ?>" action="<?php echo
    $form->getAction()?>" enctype="<?php echo $form->getEncType();?>">
+
+     <?php echo $form->csrf ?>
    
    <div id="plantype">
        <?php echo $form->newproductid ?>