
Don't show authorize.net login info at config page due to security pr…

…ecautions; Backported from MOODLE_17_STABLE.
1 parent f9fbfb4 commit 231836a59624e521ce2300b472fce27c40b1603b ethem committed Dec 6, 2006
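--- a/enrol/authorize/authorizenetlib.php
+++ b/enrol/authorize/authorizenetlib.php
@@ -95,23 +95,24 @@ function authorize_action(&$order, &$message, &$extra, $action=AN_ACTION_NONE, $
 $test = !empty($CFG->an_test);
 if (!isset($conststring)) {
+ $mconfig = get_config('enrol/authorize');
 $constdata = array(
 'x_version' => '3.1',
 'x_delim_data' => 'True',
 'x_delim_char' => AN_DELIM,
 'x_encap_char' => AN_ENCAP,
 'x_relay_response' => 'FALSE',
 'x_method' => 'CC',
- 'x_login' => $CFG->an_login,
+ 'x_login' => rc4decrypt($mconfig->an_login),
 'x_test_request' => $test ? 'TRUE' : 'FALSE'
 );
 $str = '';
 foreach($constdata as $ky => $vl) {
 $str .= $ky . '=' . urlencode($vl) . '&';
 }
- $str .= (!empty($CFG->an_tran_key)) ?
- 'x_tran_key=' . urlencode($CFG->an_tran_key):
- 'x_password=' . urlencode($CFG->an_password);
+ $str .= (!empty($mconfig->an_tran_key)) ?
+ 'x_tran_key=' . urlencode(rc4decrypt($mconfig->an_tran_key)):
+ 'x_password=' . urlencode(rc4decrypt($mconfig->an_password));
 $conststring = $str;
 }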
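Review bot: `rc4decrypt($mconfig->an_login)` and the `rc4decrypt()` calls that build `x_tran_key`/`x_password` run without checking that `get_config('enrol/authorize')` actually returned those fields. On a site where the upgrade stored nothing (the old values were empty), the request string would presumably be built with an empty login and an empty `x_password` and cached in `$conststring`. A guard before `$constdata` is built, for example `if (empty($mconfig->an_login) || (empty($mconfig->an_tran_key) && empty($mconfig->an_password))) { ... fail here ... }`, would stop a malformed credential set from being sent to the gateway. How the failure should be reported depends on the rest of `authorize_action`, which starts and ends outside the hunk.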
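--- a/enrol/authorize/config.html
+++ b/enrol/authorize/config.html
@@ -79,38 +79,35 @@
 <tr valign="top"><td colspan="3"><h4><?php print_string("adminauthorizesettings", "enrol_authorize") ?></h4></td></tr>
 <tr valign="top">
- <td align="right">an_login:</td>
- <td><input type="text" name="an_login" value="<?php p($frm->an_login) ?>" /></td>
- <td><?php print_string("anlogin", "enrol_authorize") ?></td>
+ <td align="right">&nbsp;&nbsp;</td>
+ <td><?php print_string("logininfo", "enrol_authorize") ?></td>
 </tr>
 <tr valign="top">
- <td align="right">#&nbsp;#&nbsp;</td>
- <td colspan="2"><?php print_string("chooseone", "enrol_authorize") ?></td>
+ <td align="right">an_login:<br /><?php echo (isset($mconfig->an_login)) ? '<font color=green>'.get_string('ok').'</font>' : ''; ?></td>
+ <td><?php print_string("anlogin", "enrol_authorize") ?><br /><input type="text" name="an_login" size="26" value="" /><sup>*</sup></td>
 </tr>
 <tr valign="top">
- <td align="right">an_tran_key:</td>
- <td><input type="text" name="an_tran_key" value="<?php p($frm->an_tran_key) ?>" /><sup>#1</sup></td>
- <td><?php print_string("antrankey", "enrol_authorize") ?></td>
+ <td align="right">an_tran_key:<br /><?php echo (isset($mconfig->an_tran_key)) ? '<font color=green>'.get_string('ok').'</font>' : ''; ?></td>
+ <td><?php print_string("antrankey", "enrol_authorize") ?><br /><input type="text" name="an_tran_key" size="26" value="" /><sup>#1</sup></td>
 </tr>
 <tr valign="top">
- <td align="right">an_password:</td>
- <td><input type="text" name="an_password" value="" /><sup>#2</sup></td>
- <td><?php print_string("anpassword", "enrol_authorize") ?><br />(<?php print_string("leavetokeep") ?>)</td>
+ <td align="right">an_password:<br /><?php echo (isset($mconfig->an_password)) ? '<font color=green>'.get_string('ok').'</font>' : ''; ?></td>
+ <td><?php print_string("anpassword", "enrol_authorize") ?><br /><input type="text" name="an_password" size="26" value="" /><sup>#2</sup></td>
 </tr>
 <tr valign="top">
 <td align="right">delete_current:</td>
- <td><?php print_checkbox('delete_current', '1', !empty($frm->delete_current)) ?></td>
- <td><?php print_string("deletecheck", "moodle", get_string('oldpassword')) ?><br /><br /></td>
+ <td><?php print_checkbox('delete_current', '1', !empty($frm->delete_current)) ?> <br />
+ <?php print_string("deletecheck", "moodle", get_string('oldpassword')) ?><br /><hr size="1" width="100%" noshade /></td>
 </tr>
 <tr valign="top">
 <td align="right">an_referer:</td>
- <td><input type="text" name="an_referer" value="<?php p($frm->an_referer) ?>" /></td>
- <td><?php print_string("anreferer", "enrol_authorize") ?></td>
+ <td><input type="text" name="an_referer" size="35" value="<?php p($frm->an_referer) ?>" /><br />
+ <?php print_string("anreferer", "enrol_authorize") ?></td>
 </tr>
 <tr valign="top">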
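Review bot: The `an_tran_key` and `an_password` inputs are still `type="text"`, so a newly typed secret is visible on screen and can be kept in browser form history, even though the stored value is no longer echoed back. Suggest `<input type="password" name="an_password" size="26" value="" autocomplete="off" />` and the same change for `an_tran_key`. The green "ok" marker tells the admin only that a value exists, which is the right amount of information to expose. The settings table continues outside the hunk.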
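--- a/enrol/authorize/db/mysql.php
+++ b/enrol/authorize/db/mysql.php
@@ -108,6 +108,27 @@ function enrol_authorize_upgrade($oldversion=0) {
 delete_records('config_plugins', 'name', 'an_nextmail');
 }
+ if ($oldversion < 2006021531) { // Don't show authorize.net login info at config page
+ if (isset($CFG->an_login)) {
+ if (!empty($CFG->an_login)) {
+ set_config('an_login', rc4encrypt($CFG->an_login), 'enrol/authorize');
+ }
+ delete_records('config', 'name', 'an_login');
+ }
+ if (isset($CFG->an_tran_key)) {
+ if (!empty($CFG->an_tran_key)) {
+ set_config('an_tran_key', rc4encrypt($CFG->an_tran_key), 'enrol/authorize');
+ }
+ delete_records('config', 'name', 'an_tran_key');
+ }
+ if (isset($CFG->an_password)) {
+ if (!empty($CFG->an_password)) {
+ set_config('an_password', rc4encrypt($CFG->an_password), 'enrol/authorize');
+ }
+ delete_records('config', 'name', 'an_password');
+ }
+ }
+
 return $result;
 }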
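Review bot: Each migration step calls `delete_records('config', 'name', ...)` whether or not the preceding `set_config(..., 'enrol/authorize')` succeeded, and `$result` is never updated. A failed write would therefore discard the only stored copy of the gateway credential while the upgrade still reports success. Assuming `set_config` signals failure through its return value, suggest `$ok = set_config('an_login', rc4encrypt($CFG->an_login), 'enrol/authorize'); $result = $result && $ok;` and running the delete only when `$ok` is true or the old value was empty. The same pattern repeats for `an_tran_key` and `an_password`, and identically in enrol/authorize/db/postgres7.php. `enrol_authorize_upgrade` begins outside the hunk.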
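--- a/enrol/authorize/db/postgres7.php
+++ b/enrol/authorize/db/postgres7.php
@@ -119,6 +119,27 @@ function enrol_authorize_upgrade($oldversion=0) {
 delete_records('config_plugins', 'name', 'an_nextmail');
 }
+ if ($oldversion < 2006021531) { // Don't show authorize.net login info at config page
+ if (isset($CFG->an_login)) {
+ if (!empty($CFG->an_login)) {
+ set_config('an_login', rc4encrypt($CFG->an_login), 'enrol/authorize');
+ }
+ delete_records('config', 'name', 'an_login');
+ }
+ if (isset($CFG->an_tran_key)) {
+ if (!empty($CFG->an_tran_key)) {
+ set_config('an_tran_key', rc4encrypt($CFG->an_tran_key), 'enrol/authorize');
+ }
+ delete_records('config', 'name', 'an_tran_key');
+ }
+ if (isset($CFG->an_password)) {
+ if (!empty($CFG->an_password)) {
+ set_config('an_password', rc4encrypt($CFG->an_password), 'enrol/authorize');
+ }
+ delete_records('config', 'name', 'an_password');
+ }
+ }
+
 return $result;
 }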
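--- a/enrol/authorize/enrol.php
+++ b/enrol/authorize/enrol.php
@@ -414,6 +414,7 @@ function get_access_icons($course) {
 function config_form($frm)
 {
 global $CFG;
+ $mconfig = get_config('enrol/authorize');
 if (! enrolment_plugin_authorize::check_openssl_loaded()) {
 notify('PHP must be compiled with SSL support (--with-openssl)');
@@ -436,7 +437,6 @@ function config_form($frm)
 $captureday = intval($frm->an_capture_day);
 $emailexpired = intval($frm->an_emailexpired);
 if ($captureday > 0 || $emailexpired > 0) {
- $mconfig = get_config('enrol/authorize');
 if ((time() - intval($mconfig->an_lastcron) > 3600 * 24)) {
 notify(get_string('admincronsetup', 'enrol_authorize'));
 }
@@ -451,10 +451,10 @@ function config_form($frm)
 }
 if (data_submitted()) {
- if (empty($frm->an_login)) {
+ if (empty($mconfig->an_login)) {
 notify("an_login required");
 }
- if (empty($frm->an_tran_key) && empty($frm->an_password)) {
+ if (empty($mconfig->an_tran_key) && empty($mconfig->an_password)) {
 notify("an_tran_key or an_password required");
 }
 }
@@ -473,6 +473,7 @@ function config_form($frm)
 function process_config($config)
 {
 global $CFG;
+ $mconfig = get_config('enrol/authorize');
 // site settings
 if (($cost = optional_param('enrol_cost', 5, PARAM_INT)) > 0) {
@@ -507,12 +508,11 @@ function process_config($config)
 $captureday = ($captureday > 29) ? 29 : (($captureday < 0) ? 0 : $captureday);
 $emailexpired = ($emailexpired > 5) ? 5 : (($emailexpired < 0) ? 0 : $emailexpired);
- $mconfig = get_config('enrol/authorize');
- if ((!empty($reviewval)) &&
- ($captureday > 0 || $emailexpired > 0) &&
- (time() - intval($mconfig->an_lastcron) > 3600 * 24)) {
- return false;
+ if (!empty($reviewval) && ($captureday > 0 || $emailexpired > 0)) {
+ if (time() - intval($mconfig->an_lastcron) > 3600 * 24) {
+ return false;
+ }
 }
 set_config('an_review', $reviewval);
@@ -527,30 +527,35 @@ function process_config($config)
 return false;
 }
- // required fields
+ // REQUIRED fields;
+ // an_login
 $loginval = optional_param('an_login', '');
- if (empty($loginval)) {
- return false;
+ if (empty($loginval) && empty($mconfig->an_login)) {
+ return false;
 }
- set_config('an_login', $loginval);
+ $loginval = !empty($loginval) ? rc4encrypt($loginval) : strval($mconfig->an_login);
+ set_config('an_login', $loginval, 'enrol/authorize');
+ // an_tran_key, an_password
 $tranval = optional_param('an_tran_key', '');
+ $tranval = !empty($tranval) ? rc4encrypt($tranval) : (isset($mconfig->an_tran_key)?$mconfig->an_tran_key:'');
 $passwordval = optional_param('an_password', '');
- $deletecurrent = optional_param('delete_current', '');
-
- if (!empty($passwordval)) { // password is changing
- set_config('an_password', $passwordval);
+ $passwordval = !empty($passwordval) ? rc4encrypt($passwordval) :(isset($mconfig->an_password)?$mconfig->an_password:'');
+ $deletecurrent = optional_param('delete_current', '0', PARAM_BOOL);
+ if (!empty($deletecurrent) and !empty($tranval)) {
+ delete_records('config_plugins', 'name', 'an_password', 'plugin', 'enrol/authorize');
+ $passwordval = '';
 }
- elseif (!empty($deletecurrent) and !empty($tranval)) {
- set_config('an_password', '');
- $CFG->an_password = '';
+ elseif (!empty($passwordval)) {
+ set_config('an_password', $passwordval, 'enrol/authorize');
 }
-
- if (empty($tranval) and empty($CFG->an_password)) {
+ if (empty($tranval) and empty($passwordval)) {
 return false;
 }
+ if (!empty($tranval)) {
+ set_config('an_tran_key', $tranval, 'enrol/authorize');
+ }
- set_config('an_tran_key', $tranval);
 return true;
 }
@@ -814,7 +819,6 @@ function cron()
 ORDER BY e.userid";
 $emailinfo = get_records_sql($select);
- $emailcount = count($emailinfo);
 $ei = reset($emailinfo);
 while ($ei !== false) {
 $usercourses = array();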
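Review bot: In the `process_config` hunk (`@@ -527,30 +527,35 @@`), `an_login`, `an_tran_key` and `an_password` are each passed to `rc4encrypt()` with only the plaintext as argument. Unless that helper mixes in a per-value nonce, which this diff does not show, all three ciphertexts share one RC4 keystream, so knowing one value (the login name is the least secret) weakens the secrecy of the others for anyone who can read `config_plugins`. The encryption is also reversible by any code that can call `rc4decrypt()`, so it hides the values from the settings page rather than protecting them at rest. Suggest a comment above the first call, `// rc4encrypt() only obscures the stored value; it is not protection against database or code access`, and treating dumps and backups of `config_plugins` as holding live gateway credentials. `process_config` starts outside the hunk.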
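--- a/enrol/authorize/version.php
+++ b/enrol/authorize/version.php
@@ -1,6 +1,6 @@
 <?PHP // $Id$
-$plugin->version = 2006021501;
+$plugin->version = 2006021531;
 $plugin->requires = 2005072200;
 ?>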
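--- a/lang/en_utf8/enrol_authorize.php
+++ b/lang/en_utf8/enrol_authorize.php
@@ -87,6 +87,7 @@
 $string['howmuch'] = 'How much?';
 $string['httpsrequired'] = 'We are sorry to inform you that your request cannot be processed now. This site\'s configuration couldn\'t be set up correctly.<br /><br />Please don\'t enter your credit card number unless you see a yellow lock at the bottom of the browser. If the symbol appears, it means the page encrypts all data sent between client and server. So the information during the transaction between the two computers is protected, hence your credit card number cannot be captured over the internet.';
 $string['logindesc'] = 'This option must be ON. <br /><br />Please ensure that you have turned <a href=\"$a->url\">loginhttps ON</a> in Admin >> Variables >> Security.<br /><br />Turning this on will make Moodle use a secure https connection just for the login and payment pages.';
+$string['logininfo'] = 'Login name, password and transaction key are not shown due to security precautions. There is no need to enter again if you have configured these fields before. You see a green text left of the box if some fields were already configured. If you enter these fields for the first time, the login name (*) is required and you must enter <strong>either</strong> the transaction key (#1) <strong>or</strong> the password (#2) in the appropriate box. We recommend you enter the transaction key due to security precautions. If you want to delete the current password, tick the checkbox.';
 $string['missingaddress'] = 'Missing address';
 $string['missingcc'] = 'Missing card number';
 $string['missingccexpire'] = 'Missing expiration date';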
