Finished tightening security for the order success and failed actions.

Jellyfishboy · Oct 21, 2016 · d5af9cb · d5af9cb
1 parent bbffded
commit d5af9cb
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 13 deletions.
diff --git a/app/controllers/concerns/cart_builder.rb b/app/controllers/concerns/cart_builder.rb
@@ -18,5 +18,9 @@ def set_cart_totals
         def set_grouped_countries
             @grouped_countries = [Country.popular.map{ |country| [country.name, country.id] }, Country.all.order('name ASC').map{ |country| [country.name, country.id] }] 
         end
+
+        def set_order_id_session
+            session[:order_id] = @order.id
+        end
     end
 end
diff --git a/app/controllers/orders_controller.rb b/app/controllers/orders_controller.rb
@@ -15,7 +15,7 @@ def complete
     end
 
     def success
-      set_success_order
+      set_session_order
       if @order.latest_transaction.pending? || @order.latest_transaction.completed?
         render theme_presenter.page_template_path('orders/success'), layout: theme_presenter.layout_template_path
       else
@@ -26,7 +26,7 @@ def success
     end
 
     def failed
-      set_failed_order
+      set_session_order
       if @order.latest_transaction.failed?
         render theme_presenter.page_template_path('orders/failed'), layout: theme_presenter.layout_template_path
       else
@@ -53,12 +53,8 @@ def destroy
 
     private
 
-    def set_success_order
-      @order = Order.active.includes(:delivery_address).find(Rails.cache.read("#{Store.settings.name}_success_order_id"))
-    end
-
-    def set_failed_order
-      @order = Order.active.includes(:transactions).find(Rails.cache.read("#{Store.settings.name}_failed_order_id"))
+    def set_session_order
+      @order = Order.active.includes(:delivery_address).find(session[:order_id])
     end
 
     def set_order

diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
@@ -1,7 +1,11 @@
 # Be sure to restart your server when you modify this file.
 
 # Trado::Application.config.session_store :cookie_store, key: '_trado_session'
-Trado::Application.config.session_store ActionDispatch::Session::CacheStore
+Trado::Application.config.session_store(
+    ActionDispatch::Session::CacheStore,
+    key: '_trado_session',
+    expire_after: 24.hours
+)
 
 # Use the database for sessions instead of the cookie-based default,
 # which shouldn't be used to store highly confidential information

diff --git a/lib/payatron_4000.rb b/lib/payatron_4000.rb
@@ -48,9 +48,5 @@ def order_pay_provider_valid? order, params
                 Modulatron4000.stripe? && order.stripe_customer_id.present?
             end
         end
-
-        def set_order_id_session order_id, status
-            Rails.cache.write("#{Store.settings.name}_#{status}_order_id", order_id, expires_in: 1.hour)
-        end
     end  
 end