From d145dc5742dbba356c12f871b584c24e13321c74 Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Fri, 24 Jan 2020 18:36:55 +0100 Subject: [PATCH] lingo: remove ':' character from return url (#39256) --- combo/apps/lingo/views.py | 24 +++++++++++++++++------- tests/test_lingo_payment.py | 24 ++++++++++++------------ 2 files changed, 29 insertions(+), 19 deletions(-) diff --git a/combo/apps/lingo/views.py b/combo/apps/lingo/views.py index 973c4a37..ab976e0d 100644 --- a/combo/apps/lingo/views.py +++ b/combo/apps/lingo/views.py @@ -49,6 +49,16 @@ from .models import (Regie, BasketItem, Transaction, TransactionOperation, LingoBasketCell, SelfDeclaredInvoicePayment, PaymentBackend, EXPIRED) +def signing_dumps(content): + serialization = signing.dumps(content) + return serialization.replace(':', '.') + + +def signing_loads(serialization): + serialization = serialization.replace('.', ':') + return signing.loads(serialization) + + def get_eopayment_object(request, regie_or_payment_backend, transaction_id=None): payment_backend = regie_or_payment_backend if isinstance(regie_or_payment_backend, Regie): @@ -210,7 +220,7 @@ class AddBasketItemApiView(View): payment_url = reverse( 'basket-item-pay-view', kwargs={ - 'item_signature': signing.dumps(item.pk) + 'item_signature': signing_dumps(item.pk) }) return JsonResponse({'result': 'success', 'id': str(item.id), 'payment_url': request.build_absolute_uri(payment_url)}) @@ -456,7 +466,7 @@ def get_payment_status_view(transaction_id=None, next_url=None): url = reverse('payment-status') params = [] if transaction_id: - params.append(('transaction-id', signing.dumps(transaction_id))) + params.append(('transaction-id', signing_dumps(transaction_id))) if next_url: params.append(('next', next_url)) return "%s?%s" % (url, urlencode(params)) 
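Review bot: The new `signing_dumps`/`signing_loads` helpers (hunk at -49) use the default salt and no `max_age`, so every token this module issues is a bare signed value in one shared namespace that never expires. A value signed as `item.pk` for `basket-item-pay-view` therefore also verifies wherever a `transaction_signature` is loaded; whether later ownership checks make that harmless is not visible here. Since every call site now goes through these two wrappers, they are the natural place for a per-purpose `salt` keyword passed on as `signing.dumps(content, salt=salt)` and `signing.loads(serialization, salt=salt)`. Separately, the `.`/`:` swap is only reversible while the output is uncompressed, because `compress=True` prefixes the payload with `.`. A short docstring on both helpers stating that assumption would stop someone enabling compression later and silently breaking every link.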
@@ -472,7 +482,7 @@ class BasketItemPayView(PayMixin, View): item_signature = kwargs.get('item_signature') try: - item_id = signing.loads(item_signature) + item_id = signing_loads(item_signature) except signing.BadSignature: return HttpResponseForbidden(_('Invalid payment request.')) @@ -646,7 +656,7 @@ class ReturnView(PaymentView): transaction_id = kwargs.get('transaction_signature') if transaction_id: try: - transaction_id = signing.loads(transaction_id) + transaction_id = signing_loads(transaction_id) except signing.BadSignature: pass try: @@ -842,7 +852,7 @@ class PaymentStatusView(View): return publish_page(request, page, template_name=template_name) try: - transaction_id = signing.loads(transaction_id) + transaction_id = signing_loads(transaction_id) except signing.BadSignature: return HttpResponseForbidden(_('Invalid transaction signature.')) @@ -858,7 +868,7 @@ class PaymentStatusView(View): next_url = transaction.items.first().source_url next_url = request.build_absolute_uri(next_url) - extra_context_data['transaction_id'] = signing.dumps(transaction.pk) + extra_context_data['transaction_id'] = signing_dumps(transaction.pk) extra_context_data['next_url'] = next_url request.extra_context_data = extra_context_data return publish_page(request, page, template_name=template_name) @@ -871,7 +881,7 @@ class TransactionStatusApiView(View): def get(self, request, *args, **kwargs): transaction_signature = kwargs.get('transaction_signature') try: - transaction_id = signing.loads(transaction_signature) + transaction_id = signing_loads(transaction_signature) except signing.BadSignature: return HttpResponseBadRequest(_('Invalid transaction.')) diff --git a/tests/test_lingo_payment.py b/tests/test_lingo_payment.py index a1c97914..1e6878ac 100644 --- a/tests/test_lingo_payment.py +++ b/tests/test_lingo_payment.py 
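Review bot: In the `ReturnView` hunk (at -646) the `except signing.BadSignature: pass` branch leaves `transaction_id` holding the unverified value taken from the URL, and execution continues into the following `try:`. The other views touched by this commit reject a bad signature with a 403 or 400. If accepting unsigned ids here is deliberate, a comment on the `pass` explaining why and where the value is validated afterwards would help; otherwise the handler should clear it with `transaction_id = None`. The rest of the method lies outside the hunk, so how the value is used afterwards cannot be confirmed from here.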
@@ -9,7 +9,6 @@ import mock from django.apps import apps from django.contrib.auth.models import User -from django.core import signing from django.core.urlresolvers import reverse from django.core.wsgi import get_wsgi_application from django.conf import settings @@ -25,6 +24,7 @@ from combo.apps.lingo.models import ( Regie, BasketItem, Transaction, TransactionOperation, RemoteItem, EXPIRED, LingoBasketCell, PaymentBackend) from combo.utils import aes_hex_decrypt, sign_url +from combo.apps.lingo.views import signing_loads, signing_dumps from .test_manager import login @@ -131,7 +131,7 @@ def assert_payment_status(url, transaction_id=None): url, part = url.split('?') query = urlparse.parse_qs(part) assert 'transaction-id' in query - assert signing.loads(query['transaction-id'][0]) == transaction_id + assert signing_loads(query['transaction-id'][0]) == transaction_id assert url.startswith('/lingo/payment-status') @@ -1042,7 +1042,7 @@ def test_payment_no_basket(app, user, regie, authenticated): assert path.startswith(start) assert path.endswith(end) signature = path.replace(start, '').replace(end, '') - assert signing.loads(signature) == item.id + assert signing_loads(signature) == item.id if authenticated: app = login(app) @@ -1118,7 +1118,7 @@ def test_transaction_status_api(app, regie, user): # invalid transaction signature url = reverse( 'api-transaction-status', - kwargs={'transaction_signature': signing.dumps('xxxx')} + kwargs={'transaction_signature': signing_dumps('xxxx')} ) resp = app.get(url, status=404) @@ -1128,7 +1128,7 @@ def test_transaction_status_api(app, regie, user): transaction_id = 1000 url = reverse( 'api-transaction-status', - kwargs={'transaction_signature': signing.dumps(transaction_id)} + kwargs={'transaction_signature': signing_dumps(transaction_id)} ) resp = app.get(url, status=404) assert 'Unknown transaction.' in resp.text 
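Review bot: None of the updated tests checks the property this commit exists for. In the `test_payment_no_basket` hunk (at -1042) the signature is only round-tripped through `signing_loads`, which would pass equally well if `signing_dumps` left the `:` in place. Adding `assert ':' not in signature` right after the `signature = path.replace(...)` line would pin it. A further case feeding a token in the old `:`-separated form to `signing_loads` would show whether links issued before the change still resolve. The test function begins and ends outside the hunk.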
@@ -1142,7 +1142,7 @@ def test_transaction_status_api(app, regie, user): transaction = Transaction.objects.create(amount=Decimal('10.0'), regie=regie, status=0) url = reverse( 'api-transaction-status', - kwargs={'transaction_signature': signing.dumps(transaction.pk)} + kwargs={'transaction_signature': signing_dumps(transaction.pk)} ) resp = app.get(url) assert resp.json == wait_response @@ -1151,7 +1151,7 @@ def test_transaction_status_api(app, regie, user): transaction = Transaction.objects.create(amount=Decimal('10.0'), regie=regie, status=0) url = reverse( 'api-transaction-status', - kwargs={'transaction_signature': signing.dumps(transaction.pk)} + kwargs={'transaction_signature': signing_dumps(transaction.pk)} ) resp = login(app).get(url) assert resp.json == wait_response @@ -1162,7 +1162,7 @@ def test_transaction_status_api(app, regie, user): amount=Decimal('10.0'), regie=regie, status=0, user=user) url = reverse( 'api-transaction-status', - kwargs={'transaction_signature': signing.dumps(transaction.pk)} + kwargs={'transaction_signature': signing_dumps(transaction.pk)} ) resp = login(app).get(url) assert resp.json == wait_response @@ -1174,7 +1174,7 @@ def test_transaction_status_api(app, regie, user): amount=Decimal('10.0'), regie=regie, status=0, user=user) url = reverse( 'api-transaction-status', - kwargs={'transaction_signature': signing.dumps(transaction.pk)} + kwargs={'transaction_signature': signing_dumps(transaction.pk)} ) resp = app.get(url, status=403) assert error_msg in resp.text @@ -1186,7 +1186,7 @@ def test_transaction_status_api(app, regie, user): transaction = Transaction.objects.create(amount=Decimal('10.0'), regie=regie, status=0, user=user2) url = reverse( 'api-transaction-status', - kwargs={'transaction_signature': signing.dumps(transaction.pk)} + kwargs={'transaction_signature': signing_dumps(transaction.pk)} ) resp = login(app).get(url, status=403) assert error_msg in resp.text 
@@ -1198,7 +1198,7 @@ def test_transaction_status_api(app, regie, user): ) url = reverse( 'api-transaction-status', - kwargs={'transaction_signature': signing.dumps(transaction.pk)} + kwargs={'transaction_signature': signing_dumps(transaction.pk)} ) resp = app.get(url) assert resp.json == { @@ -1213,7 +1213,7 @@ def test_transaction_status_api(app, regie, user): ) url = reverse( 'api-transaction-status', - kwargs={'transaction_signature': signing.dumps(transaction.pk)} + kwargs={'transaction_signature': signing_dumps(transaction.pk)} ) resp = app.get(url) assert resp.json == { -- 2.24.0