From b2fbb27801c1c1cfff61cbae57a82203bcdabfe5 Mon Sep 17 00:00:00 2001 From: drigato Date: Thu, 30 Jul 2015 13:27:32 -0400 Subject: [PATCH] SAAS-973: Airtime Billing page - Add support for August promotion plans Made WHMCS Airtime group id a constant Check for CSRF token on promo eligibilty ajax check --- airtime_mvc/application/common/Billing.php | 5 +++-- .../controllers/BillingController.php | 22 ++++++++++++++----- .../forms/BillingUpgradeDowngrade.php | 5 +++++ .../views/scripts/billing/upgrade.phtml | 4 +++- 4 files changed, 27 insertions(+), 9 deletions(-) diff --git a/airtime_mvc/application/common/Billing.php b/airtime_mvc/application/common/Billing.php index eaddf254e..30be5ff3b 100644 --- a/airtime_mvc/application/common/Billing.php +++ b/airtime_mvc/application/common/Billing.php @@ -1,6 +1,7 @@ $v) $query_string .= "$k=".urlencode($v)."&"; @@ -356,7 +357,7 @@ class Billing $postfields["action"] = "getproducts"; $postfields["responsetype"] = "json"; //gid is the Airtime product group id on whmcs - $postfields["gid"] = "15"; + $postfields["gid"] = WHMCS_AIRTIME_GROUP_ID; $query_string = ""; foreach ($postfields AS $k=>$v) $query_string .= "$k=".urlencode($v)."&"; diff --git a/airtime_mvc/application/controllers/BillingController.php b/airtime_mvc/application/controllers/BillingController.php index dee22bfcd..b8d2b8d1a 100644 --- a/airtime_mvc/application/controllers/BillingController.php +++ b/airtime_mvc/application/controllers/BillingController.php 
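Review bot: The `-356` hunk now reads `WHMCS_AIRTIME_GROUP_ID` as a bare global constant, but the hunk that is supposed to introduce it (`@@ -1,6 +1,7 @@`) is garbled in this rendering, so the definition cannot be confirmed here; a reader should check that it is actually `define()`d before this file is loaded. Since the only visible use is inside `class Billing`, a class constant `const WHMCS_AIRTIME_GROUP_ID = 15;` referenced as `self::WHMCS_AIRTIME_GROUP_ID` would keep it scoped and avoid a global-namespace collision with any other `define()` of the same name. The comment `//gid is the Airtime product group id on whmcs` could also name the constant now that the literal `"15"` is gone, e.g. `// gid: Airtime product group id on WHMCS (see WHMCS_AIRTIME_GROUP_ID)`. The enclosing method starts before this hunk.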
@@ -31,11 +31,20 @@ class BillingController extends Zend_Controller_Action { } $data = $request->getPost(); - $eligible = Billing::isClientEligibleForPromo( - $data["newproductid"], $data["newproductbillingcycle"]); + $current_namespace = new Zend_Session_Namespace('csrf_namespace'); + $observed_csrf_token = $this->_getParam('csrf_token'); + $expected_csrf_token = $current_namespace->authtoken; - //Set the return JSON value - $this->_helper->json(array("result"=>$eligible)); + if($observed_csrf_token == $expected_csrf_token) { + $eligible = Billing::isClientEligibleForPromo( + $data["newproductid"], $data["newproductbillingcycle"]); + + //Set the return JSON value + $this->_helper->json(array("result"=>$eligible)); + } else { + $this->getResponse()->setHttpResponseCode(403); + $this->_helper->json(array("result"=>false, "error"=>"CSRF token did not match.")); + } } public function upgradeAction() @@ -47,6 +56,7 @@ class BillingController extends Zend_Controller_Action { $request = $this->getRequest(); $form = new Application_Form_BillingUpgradeDowngrade(); + if ($request->isPost()) { $formData = $request->getPost(); @@ -80,8 +90,8 @@ class BillingController extends Zend_Controller_Action { //and it freaks out and does the wrong thing if we do it via the API //so we have to do avoid that. if (($currentPlanProductId == $formData["newproductid"]) && - ($currentPlanProductBillingCycle == $formData["newproductbillingcycle"])) - { + ($currentPlanProductBillingCycle == $formData["newproductbillingcycle"]) + ) { $placeAnUpgradeOrder = false; } diff --git a/airtime_mvc/application/forms/BillingUpgradeDowngrade.php b/airtime_mvc/application/forms/BillingUpgradeDowngrade.php index 6726c5da8..ecf9b4f50 100644 --- a/airtime_mvc/application/forms/BillingUpgradeDowngrade.php +++ b/airtime_mvc/application/forms/BillingUpgradeDowngrade.php 
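Review bot: The comparison `if($observed_csrf_token == $expected_csrf_token)` passes when both sides are null — `_getParam('csrf_token')` yields null for a missing parameter and `$current_namespace->authtoken` is null if the session namespace was never populated — so a request carrying no token at all is accepted whenever the session token is absent. It is also a loose, non-constant-time comparison of a secret. Require both values to be non-empty strings and compare with `hash_equals()` (PHP 5.6+): `if (is_string($observed_csrf_token) && is_string($expected_csrf_token) && hash_equals($expected_csrf_token, $observed_csrf_token)) {`. Note that `_getParam()` also reads GET and route parameters, whereas the rest of the action works from `$data = $request->getPost()`; reading the token from `$data['csrf_token']` would keep the two consistent. The enclosing action method starts before this hunk.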
@@ -3,6 +3,11 @@ class Application_Form_BillingUpgradeDowngrade extends Zend_Form { public function init() { + $csrf_namespace = new Zend_Session_Namespace('csrf_namespace'); + $csrf_element = new Zend_Form_Element_Hidden('csrf'); + $csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label'); + $this->addElement($csrf_element); + $productPrices = array(); $productTypes = array(); list($productPrices, $productTypes) = Billing::getProductPricesAndTypes(); diff --git a/airtime_mvc/application/views/scripts/billing/upgrade.phtml b/airtime_mvc/application/views/scripts/billing/upgrade.phtml index bd7dccfb7..d956ed363 100644 --- a/airtime_mvc/application/views/scripts/billing/upgrade.phtml +++ b/airtime_mvc/application/views/scripts/billing/upgrade.phtml @@ -134,7 +134,7 @@ function promoEligibilityCheck() var newproductbillingcycle = $("input[type='radio'][name='newproductbillingcycle']:checked").val(); $.post("/billing/promo-eligibility-check", {"newproductid": newproductid, - "newproductbillingcycle": newproductbillingcycle}) + "newproductbillingcycle": newproductbillingcycle, "csrf_token": $("#csrf").attr('value')}) .success(function(data) { if (data.result == true) { $("#promo-plan-eligible").show(); @@ -306,6 +306,8 @@ echo($currentProduct["name"]);
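Review bot: The hidden `csrf` element added in init() is only marked required; nothing in this hunk compares the submitted value to `$csrf_namespace->authtoken`, so a forged form that includes any non-empty `csrf` field satisfies `setRequired()`. Unless upgradeAction() (outside this hunk) verifies it separately, attach a validator on the element, `$csrf_element->addValidator(new Zend_Validate_Identical($csrf_namespace->authtoken));`, or switch to `Zend_Form_Element_Hash`, which generates and verifies the token itself — and confirm the POST path actually calls `$form->isValid()`. `setRequired('true')` passes a string where a bool is expected; it works only because the string is truthy, so `setRequired(true)` states the intent. init() continues past the hunk.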
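Review bot: `$("#csrf").attr('value')` reads the HTML attribute rather than the field value; for a hidden input they coincide, but jQuery's `.val()` is the idiomatic accessor and reads the same for every input type, so `"csrf_token": $("#csrf").val()` is clearer. This relies on the hidden element rendering with id `csrf` (Zend_Form's default id from the element name); if a decorator or element prefix changes that id, the token is posted as undefined and the endpoint fails closed with a 403 that the caller does not distinguish from ineligibility — the `.success` handler only inspects `data.result`. A short comment on the `$.post` line, `// csrf_token must match the server-side check in BillingController::promoEligibilityCheckAction`, would tie the two sides together; the surrounding function promoEligibilityCheck() continues past the hunk.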

Choose a plan:

+ + csrf ?>
newproductid ?>