Fix security issue (#387) (#388)

* Fix security issue (#387) * Fix internal error (#387) * Optimize performances (#387)
oystparis · Jun 1, 2018 · e1a80d7 · e1a80d7
1 parent 67a6e29
commit e1a80d7
Show file tree

Hide file tree

Showing 9 changed files with 59 additions and 122 deletions.
diff --git a/app/code/community/Oyst/OneClick/Block/Checkout/Cart/Redirect.php b/app/code/community/Oyst/OneClick/Block/Checkout/Cart/Redirect.php
diff --git a/app/code/community/Oyst/OneClick/Block/Checkout/Redirect.php b/app/code/community/Oyst/OneClick/Block/Checkout/Redirect.php
@@ -0,0 +1,36 @@
+<?php
+/**
+ * This file is part of Oyst_OneClick for Magento.
+ *
+ * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License, Version 2.0
+ * @author Oyst <plugin@oyst.com> <@oyst>
+ * @category Oyst
+ * @package Oyst_OneClick
+ * @copyright Copyright (c) 2017 Oyst (http://www.oyst.com)
+ */
+
+/**
+ * Checkout Cart Redirect Block
+ */
+class Oyst_OneClick_Block_Checkout_Redirect extends Mage_Core_Block_Template
+{
+    /**
+     * Get quote url.
+     *
+     * @return string
+     */
+    public function getReturnUrl()
+    {
+        return Mage::getBaseUrl() . Oyst_OneClick_Helper_Data::RETURN_URL;
+    }
+
+    /**
+     * Get loading page message.
+     *
+     * @return string
+     */
+    public function getMessage()
+    {
+        return Mage::getStoreConfig('oyst/oneclick/checkout_cart_cta_loading_message');
+    }
+}
diff --git a/app/code/community/Oyst/OneClick/Helper/Data.php b/app/code/community/Oyst/OneClick/Helper/Data.php
@@ -16,11 +16,9 @@ class Oyst_OneClick_Helper_Data extends Mage_Core_Helper_Abstract
 {
     const MODULE_NAME = 'Oyst_OneClick';
 
-    const LOADING_URL = 'oyst_oneclick/checkout_cart/loading/';
+    const RETURN_URL = 'oyst_oneclick/checkout_cart/return/';
 
-    const ORDER_URL = 'oyst_oneclick/checkout_cart/order';
-
-    const QUOTE_URL = 'oyst_oneclick/checkout_cart/quote/';
+    const REDIRECT_URL = 'oyst_oneclick/checkout_cart/redirect/';
 
     const SUCCESS_URL = 'checkout/onepage/success';
 
@@ -255,9 +253,9 @@ public function generateId($string = null)
      *
      * @return string
      */
-    public function getRedirectUrl($cartId)
+    public function getRedirectUrl()
     {
-        return Mage::getBaseUrl() . self::LOADING_URL . 'cart_id/' . $cartId;
+        return Mage::getBaseUrl() . self::REDIRECT_URL;
     }
 
     /**

diff --git a/app/code/community/Oyst/OneClick/Model/Magento/Quote.php b/app/code/community/Oyst/OneClick/Model/Magento/Quote.php
@@ -351,7 +351,7 @@ private function handleIncreaseStock($productId, $qty)
             'order.v2.new' === $this->apiData['event']) {
             Mage::helper('oyst_oneclick')->log(
                 sprintf(
-                    'Increase stock of product_id %s (%s) with %s',
+                    'Increase stock of product_id %s with %s',
                     $productId,
                     $qty
                 )

diff --git a/app/code/community/Oyst/OneClick/Model/OneClick/ApiWrapper.php b/app/code/community/Oyst/OneClick/Model/OneClick/ApiWrapper.php
@@ -199,7 +199,7 @@ private function getOneClickCustomization($dataFormated)
         if (isset($dataFormated['isCheckoutCart'])) {
             $customization->setCta(
                 Mage::getStoreConfig('oyst/oneclick/checkout_cart_cta_label', Mage::app()->getStore()->getStoreId()),
-                Mage::helper('oyst_oneclick')->getRedirectUrl($this->quote->getId())
+                Mage::helper('oyst_oneclick')->getRedirectUrl()
             );
         }
 

diff --git a/app/code/community/Oyst/OneClick/controllers/Checkout/CartController.php b/app/code/community/Oyst/OneClick/controllers/Checkout/CartController.php
@@ -20,50 +20,20 @@ class Oyst_OneClick_Checkout_CartController extends Mage_Core_Controller_Front_A
     /**
      * Loading page action
      */
-    public function loadingAction()
+    public function redirectAction()
     {
         $this->loadLayout();
         $this->renderLayout();
     }
 
-    /**
-     * Get oyst_order_id from quote
-     */
-    public function quoteAction()
-    {
-        $response = array();
-        $quoteId = $this->getRequest()->getParam('oystParam', null);
-
-        if ($quoteId) {
-            $quote = Mage::getModel('sales/quote')->load($quoteId);
-
-            if ($oystOrderId = $quote->getOystOrderId()) {
-                $response = array(
-                    'oyst_order_id' => $oystOrderId,
-                    'check_order_url' => Mage::getBaseUrl() . Oyst_OneClick_Helper_Data::ORDER_URL,
-                );
-            }
-        }
-
-        $this->getResponse()->setHttpResponseCode(200);
-
-        if ('cgi-fcgi' === php_sapi_name()) {
-            $this->getResponse()->setHeader('Content-type', 'application/json');
-        }
-
-        $this->getResponse()->setBody(Zend_Json::encode($response));
-    }
-
     /**
      * Login customer and redirect to success page
      */
-    public function orderAction()
+    public function returnAction()
     {
-        $oystOrderId = $this->getRequest()->getParam('oystParam', null);
-
-        if ($oystOrderId) {
-            $order = Mage::getModel('sales/order')->load($oystOrderId, 'oyst_order_id');
+        $order = Mage::getModel('sales/order')->load(Mage::getSingleton('checkout/session')->getOystRelatedQuoteId(), 'quote_id');
 
+        if($order->getId()) {
             $websiteId = Mage::app()->getWebsite()->getId();
             $customer = Mage::getModel('customer/customer')->setWebsiteId($websiteId)
                 ->loadByEmail($order->getCustomerEmail());
@@ -114,6 +84,7 @@ public function initOystCheckoutAction()
         try {
             $oystCart = Mage::getModel('oyst_oneclick/cart');
             $this->data = $oystCart->initOystCheckout($params);
+            Mage::getSingleton('checkout/session')->setOystRelatedQuoteId($params['quoteId']);
         } catch (Exception $e) {
             Mage::helper('oyst_oneclick')->log($e->__toString());
             $this->data = array('has_error' => 1, 'message' => $e->getMessage());

diff --git a/app/design/frontend/base/default/layout/oyst_oneclick.xml b/app/design/frontend/base/default/layout/oyst_oneclick.xml
@@ -60,7 +60,7 @@
         </reference>
     </oneclick_checkout_cart_bottom>
 
-    <oyst_oneclick_checkout_cart_loading>
+    <oyst_oneclick_checkout_cart_redirect>
         <reference name="head">
             <action method="addCss"><stylesheet>css/oyst/cart-redirect.css</stylesheet></action>
             <action method="addItem"><type>skin_js</type><name>js/oyst/redirect.js</name></action>
@@ -69,8 +69,8 @@
             <action method="setTemplate"><template>page/1column.phtml</template></action>
         </reference>
         <reference name="content">
-            <block type="oyst_oneclick/checkout_cart_redirect" name="cart_return_message" template="oyst/oneclick/checkout/redirect.phtml" />
+            <block type="oyst_oneclick/checkout_redirect" name="redirect_from_oyst" template="oyst/oneclick/checkout/redirect.phtml" />
         </reference>
-    </oyst_oneclick_checkout_cart_loading>
+    </oyst_oneclick_checkout_cart_redirect>
 
 </layout>
diff --git a/app/design/frontend/base/default/template/oyst/oneclick/checkout/redirect.phtml b/app/design/frontend/base/default/template/oyst/oneclick/checkout/redirect.phtml
@@ -10,12 +10,11 @@
  */
 
 /**
- * @var Oyst_OneClick_Block_Checkout_Cart_Redirect $this
+ * @var Oyst_OneClick_Block_Checkout_Redirect $this
  */
 ?>
 <?php
-$quoteUrl = $this->escapeUrl($this->getQuoteUrl());
-$quoteId = $this->getQuoteId();
+$returnUrl = $this->escapeUrl($this->getReturnUrl());
 ?>
 
 <div class="sk-fading-circle">
@@ -38,6 +37,6 @@ $quoteId = $this->getQuoteId();
 </div>
 
 <script>
-    var redirectCart = new RedirectCart("<?php echo $quoteUrl ?>", <?php echo $quoteId; ?>);
-    redirectCart.send();
+    var redirectFromOyst = new RedirectFromOyst("<?php echo $returnUrl ?>");
+    redirectFromOyst.send();
 </script>
diff --git a/skin/frontend/base/default/js/oyst/redirect.js b/skin/frontend/base/default/js/oyst/redirect.js
@@ -9,29 +9,24 @@
  */
 
 /**
- * OneClick RedirectCart JS
+ * OneClick RedirectFromOyst JS
  */
 "use strict";
 
 /**
- * Redirect from cart
+ * Redirect from Oyst
  *
  * @param {String} url Loading page url
- * @param {int} oystParam cart id
  */
-function RedirectCart(url, oystParam) {
+function RedirectFromOyst(url) {
     var self = this;
 
     this.url = url;
-    this.oystParam = oystParam;
-    this.form = new FormData();
     this.xhr = new XMLHttpRequest();
     this.data = null;
 
     this.prepare = function () {
-        self.form.append("oystParam", self.oystParam);
-
-        self.xhr.open("POST", self.url, true);
+        self.xhr.open("GET", self.url, true);
         self.xhr.setRequestHeader("cache-control", "no-cache");
     };
 
@@ -54,13 +49,11 @@ function RedirectCart(url, oystParam) {
             if (null === self.data) {
                 self.xhr.onload = self.nullResponse;
             } else {
-                self.url = self.data.check_order_url;
-                self.oystParam = self.data.oyst_order_id;
                 self.xhr.onload = self.redirectSuccess;
             }
 
             self.prepare();
-            self.xhr.send(self.form);
+            self.xhr.send();
         }, 5000);
     };
 }