
Donation interval is not validated
Closed, Resolved · Public · 5 Estimated Story Points · BUG REPORT

Description

Steps to Reproduce:

  • Put on your black hat (Macro tiger-wearing-a-sombrero)
  • Go to the donation page, open the dev tools and change the value of an unselected interval radio button to "24"
  • Select the changed interval
  • Continue with your donation until you see the confirmation page

Actual Results:
The numeric interval value shows up and is stored in the database

Expected Results:
When submitting the form (at least for the cat17 and laika skins), the form should show an error.

Notes:
This ticket could be used to make intervals first-class citizens of the Donation and Membership domains (two different, but similar-looking implementations because memberships can't be one-time). The available intervals should be passed on to the presenters to keep the code DRY.
To display the errors, the amount should be validated both on the server side and on the client side.
We need the server-side validation to prevent bad values being written in the database by an attacker who bypasses the client side code and submits donation data with HTTP requests.

Event Timeline

Restricted Application added a subscriber: Aklapper.
kai.nissen set the point value for this task to 5. · May 22 2019, 12:30 PM
gabriel-wmde claimed this task.

Resolved during Payment Refactoring. Payment intervals are now PHP Enums; trying to create an invalid interval will fail.
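As an added illustration of the server-side check the ticket notes ask for and of the enum-based resolution described in the comment above (example code written here, not the fundraising project's own; the enum case names, the month values and the validateInterval helper are assumptions):

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Models donation intervals as a
// backed enum; the case names and month values are assumptions made here.
enum PaymentInterval: int
{
    case OneTime = 0;
    case Monthly = 1;
    case Quarterly = 3;
    case HalfYearly = 6;
    case Yearly = 12;

    /** @return self[] Memberships cannot be one-time, so that case is excluded. */
    public static function forMemberships(): array
    {
        return array_values(array_filter(self::cases(), fn (self $i) => $i !== self::OneTime));
    }
}

/**
 * Server-side check of the raw form value (hypothetical helper). Returns a
 * list of field errors, empty on success, for the presenter to display. It is
 * the check that still runs when the client-side code has been bypassed.
 */
function validateInterval(string $raw, bool $membership = false): array
{
    // A radio button submits a short string of digits; anything else is rejected.
    if (!preg_match('/^\d{1,3}$/', $raw)) {
        return ['interval' => 'Interval must be a number.'];
    }
    // tryFrom() returns null for a value that is not an enum case; from() would
    // throw a ValueError, which is the "will fail" behaviour the fix relies on.
    $interval = PaymentInterval::tryFrom((int) $raw);
    if ($interval === null) {
        return ['interval' => 'Unknown interval.'];
    }
    if ($membership && !in_array($interval, PaymentInterval::forMemberships(), true)) {
        return ['interval' => 'Memberships cannot be one-time.'];
    }
    return [];
}

// The tampered radio-button value from the report, then two valid submissions.
var_dump(validateInterval('24'));
var_dump(validateInterval('12'));
var_dump(validateInterval('0', membership: true));
```

Because the enum is the only way to obtain an interval value, the database layer never sees an integer that the domain did not define.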