
Improvements to subscribe.pl to get it closer to where it's supposed to be.
1 parent 68d4dc2 commit 657b33fd424dd1ac6431b773211b286a4c7dd6c0 @jamiemccarthy jamiemccarthy committed Dec 21, 2001
@@ -0,0 +1,38 @@
+A note about the subscribe.pl "secret word":
+
+The secret word is so you can set up purchasing sponsorships however
+you prefer to do it, without having to worry about firewalls or writing
+complex code. It's not especially secure so if you're concerned about
+users illicitly sponsoring pages on your website, please consider the
+security issues carefully. An overview of those issues is below.
+
+To use the secret word, simply set the var "subscribe_secretword" in
+your site's database to something secret. Don't reuse a password, just
+make something up; as long as you have admin access to your own site,
+you can check it or change it anytime you like through the admin.pl
+"vars" menu.
+
+However you've set up subscription purchasing, activating a subscription
+will be simple. When the user with uid 123 purchases 456 pages, and if
+your secret word is "foo", you just access this URL from anywhere:
+
+ http://yoursite.com/subscribe.pl?uid=123&buymore=456&secretword=foo
+
+If you have a fancy credit-card processing server somewhere, set it
+up to hit that URL. If you take checks yourself, just type it into
+your browser. Doesn't matter as long as the URL gets hit.
+
+Security: as mentioned above, don't reuse a password. If you have a
+server which processes purchases and then contacts your webserver, try
+to put it on the same LAN on a switched hub so the secret word can't
+be sniffed. But then, if someone is sniffing your webservers' traffic
+you probably have bigger problems (your admins probably hit /admin.pl
+over non-secure HTTP, which means their cookies' username/password can
+be sniffed too...)
+
+Also, as usual, anyone that has read access to your DBIx/Password.pm
+can read this, but again, if an unauthorized party has such access,
+you have bigger problems.
+
+- Jamie
+
@@ -3,11 +3,13 @@ default
__description__
Edit subscription information
-* user = passed in by default. Fields used are buypage_*
+* user = The user doing the editing, which may or may not be the
+ user being edited (if not, it's an admin).
+* user_edit = The user being edited. Fields used are buypage_*
and hits_{paidfor,bought}.
-* user_update = also passed in; supercedes user where its
+* user_newvalues = Also passed in; supercedes user_edit where its
fields are present.
-* pages = arrayref of hashrefs, each hashref having fields:
+* pages = Arrayref of hashrefs, each hashref having fields:
pagename = name of the page type to append to "buypage_"
descr = description to print for page name
@@ -20,8 +22,16 @@ en_US
__name__
edit
__template__
+[% IF user.seclev < 100; user_edit = user; END %]
+
<FORM ACTION="[% env.script_name %]">
+[% IF user.uid != user_edit.uid %]
+<INPUT TYPE="hidden" NAME="uid" VALUE="[% user_edit.uid %]">
+[% END %]
+
+[% anything_to_edit = 0 %]
+
[%
pages = [
{ pagename => "index",
@@ -34,36 +44,41 @@ __template__
%]
[%
- hits_paidfor = user_update.hits_paidfor || user.hits_paidfor || 0;
- hits_bought = user_update.hits_bought || user.hits_bought || 0;
+ hits_paidfor = user_newvalues.hits_paidfor || user_edit.hits_paidfor || 0;
+ hits_bought = user_newvalues.hits_bought || user_edit.hits_bought || 0;
FOREACH page = pages;
thispagename = "buypage_${page.pagename}";
- IF user_update.$thispagename.defined;
- page.isbought = user_update.$thispagename;
+ IF user_newvalues.$thispagename.defined;
+ page.isbought = user_newvalues.$thispagename;
ELSE;
- page.isbought = user.$thispagename;
+ page.isbought = user_edit.$thispagename;
END;
END;
%]
-<P>You have paid for a total of [% hits_paidfor %] pages
-and have so far used up [% hits_bought %] of them.
-[% IF hits_paidfor %] Thanks, we appreciate your support! [% END %]
+<P>[% IF user.uid == user_edit.uid %]You have[% ELSE %]User "[% user_edit.nickname %]" has[% END %]
+paid for a total of [% hits_paidfor %] pages
+and so far [% hits_bought %] have been used up.
+[% IF hits_paidfor && user.uid == user_edit.uid && user.seclev < 100 %]
+ Thanks, we appreciate your support!
+[% END %]
-<P>Want to buy more?
[% IF user.seclev >= 100 %]
- You're an admin, so buy as many as you want:
+ <P>Want to buy
+ [% IF user.uid != user_edit.uid %]"[% user_edit.nickname %]"[% END %]
+ some pages? You're an admin, so take as many as you want:
<INPUT TYPE="TEXT" NAME="buymore" VALUE="0" SIZE="6">
+ [% anything_to_edit = 1 %]
[% ELSE %]
- You're not an admin, so you can't buy pages at the moment.
+ <P>You're not an admin, so you can't buy pages at the moment.
Sorry.
[% END %]
[% IF user.seclev >= 100
- || (hits_paidfor && ( hits_paidfor > hits_bought ) ) %]
+ || hits_paidfor && ( hits_paidfor > hits_bought ) %]
<P>We give you some control over deciding which pages
- you want your money to sponsor. By default, you sponsor
+ you want your money to sponsor. By default, you sponsor
everything but comments pages.
<P><TABLE BORDER=0 CELLSPACING=1 WIDTH="100%">
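Review bot: `user_edit.nickname` is interpolated into the page twice in this hunk (the `<P>` sentence and the admin "Want to buy" line) with no escaping, and with this commit an admin can point `uid` at any account, so the string rendered is another user's chosen nickname. If nicknames are not already restricted to safe characters when accounts are created, that is unescaped user-controlled text in an admin's page; passing it through the site's HTML-escaping template filter at both places would remove the dependency on that upstream validation. The operator-precedence change on the `IF user.seclev >= 100 || hits_paidfor && (...)` line is behavior-preserving since `&&` binds tighter than `||` in Template Toolkit, but the dropped parentheses made the intent harder to read at a glance.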
@@ -80,14 +95,18 @@ and have so far used up [% hits_bought %] of them.
VALUE="1" [% IF page.isbought; " CHECKED"; END %]></TD>
<TD VALIGN="top" ALIGN="left">&nbsp;[% page.descr %]</TD>
</TR>
+ [% anything_to_edit = 1 %]
[% END %]
</TABLE>
[% END %]
+[% IF anything_to_edit %]
<INPUT TYPE="SUBMIT" NAME="op" VALUE="save">
+[% END %]
+
</FORM>
__seclev__
@@ -1,3 +1,5 @@
INSERT INTO vars (name, value, description) VALUES ('subscribe', 1, 'Subscriptions enabled?');
INSERT INTO vars (name, value, description) VALUES ('subscribe_debug', 0, 'Debug plugins/Subscribe?');
+INSERT INTO vars (name, value, description) VALUES ('subscribe_defpages', 'index article', 'Space-separated list of default pages (script names)');
+INSERT INTO vars (name, value, description) VALUES ('subscribe_secretword', 'changemenow', 'Secret word to buy pages with');
INSERT INTO vars (name, value, description) VALUES ('subscribe_hits_only', 1, '0=All users get users_hits updated, 1=Only subscribed users');
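Review bot: The seeded value `'changemenow'` for `subscribe_secretword` is a published string, so between install and the admin's first edit the purchase URL accepts a secret that anyone can read from this file or the plugin README. Seeding it empty (`''`) would be safer provided save() in subscribe.pl treats an empty or unset secret as "not configured" rather than comparing it with a plain `eq`; with that check in place the default is fail-closed and the reminder e-mail can key on emptiness instead of a magic string.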
@@ -37,9 +37,7 @@ sub main {
redirect("$rootdir/users.pl");
return;
}
- unless ($ops->{$op}) {
- $op = 'default';
- }
+ $op = 'default' unless $ops->{$op};
header("subscribe");
@@ -53,29 +51,87 @@ sub main {
# Edit options
sub edit {
my($form, $slashdb, $user, $constants) = @_;
+ my $user_edit;
+ if ($form->{uid}
+ && $user->{seclev} >= 100
+ && $form->{uid} =~ /^\d+$/
+ && !isAnon($form->{uid})) {
+ $user_edit = $slashdb->getUser($form->{uid});
+ }
+ $user_edit ||= $user;
+
+ my $user_newvalues = { };
+ my $bought_nothing_yet = ($user_edit->{hits_paidfor} ? 0 : 1);
+ if ($bought_nothing_yet) {
+ if ($constants->{subscribe_defpages}) {
+ my @defpages = split / /, $constants->{subscribe_defpages};
+ for my $page (@defpages) {
+ $user_newvalues->{"buypage_$page"} = 1;
+ }
+ }
+ }
+
titlebar("95%", "Editing Subscription...");
- slashDisplay("edit");
+ slashDisplay("edit", {
+ user_edit => $user_edit,
+ user_newvalues => $user_newvalues,
+ });
1;
}
##################################################################
# Edit options
sub save {
my($form, $slashdb, $user, $constants) = @_;
+ my $user_edit;
+ if ($form->{uid}
+ && $user->{seclev} >= 100
+ && $form->{uid} =~ /^\d+$/
+ && !isAnon($form->{uid})) {
+ $user_edit = $slashdb->getUser($form->{uid});
+ }
+ $user_edit ||= $user;
+
+ my $has_buying_permission = 0;
+ $has_buying_permission = 1
+ if $form->{secretword} eq $constants->{subscribe_secretword}
+ or $user->{seclev} >= 100;
+
my $user_update = { };
- if ($user->{seclev} >= 100) {
+ my $user_newvalues = { };
+ my $bought_nothing_yet = ($user_edit->{hits_paidfor} ? 0 : 1);
+ if ($has_buying_permission) {
my($buymore) = $form->{buymore} =~ /(\d+)/;
- $user_update->{hits_paidfor} = $user->{hits_paidfor} || 0;
- $user_update->{hits_paidfor} += $buymore;
+ if ($buymore) {
+ $user_update->{"-hits_paidfor"} =
+ "hits_paidfor + $buymore";
+ $user_newvalues->{hits_paidfor} =
+ $user_edit->{hits_paidfor} + $buymore;
+ }
}
for my $key (grep /^buypage_\w+$/, keys %$form) {
# Empty string means delete the row from users_param.
- $user_update->{$key} = $form->{$key} ? 1 : "";
+ $user_newvalues->{$key} =
+ $user_update->{$key} = $form->{$key} ? 1 : "";
}
- $slashdb->setUser($user->{uid}, $user_update);
- print "<p>Subscription options saved.\n";
+ if ($bought_nothing_yet) {
+ my @buypage_updates = grep /^buypage_/, keys %$user_update;
+ if (!@buypage_updates && $constants->{subscribe_defpages}) {
+ my @defpages = split / /, $constants->{subscribe_defpages};
+ for my $page (@defpages) {
+ $user_newvalues->{"buypage_$page"} =
+ $user_update->{"buypage_$page"} = 1 if $page;
+ }
+ }
+ }
+ $slashdb->setUser($user_edit->{uid}, $user_update);
+
+ print "<p>Subscription options saved.\n<p>";
titlebar("95%", "Editing Subscription...");
- slashDisplay("edit", { user_update => $user_update });
+ slashDisplay("edit", {
+ user_edit => $user_edit,
+ user_newvalues => $user_newvalues,
+ });
1;
}
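Review bot: The permission test `$form->{secretword} eq $constants->{subscribe_secretword}` in save() fails open when the var is unset or empty: both sides stringify to the empty string, so a request carrying no `secretword` parameter at all satisfies the `eq` and any user who reaches save() can add `buymore` pages to their own account. Require a non-empty configured secret and a defined parameter before comparing, e.g. `my $secret = $constants->{subscribe_secretword}; $has_buying_permission = 1 if $user->{seclev} >= 100 or (defined $secret and length $secret and defined $form->{secretword} and $form->{secretword} eq $secret);`. The `-hits_paidfor` raw-SQL value a few lines below is only safe because `$buymore` comes from the `(\d+)` capture; a comment such as `# $buymore is digits-only (captured above), so interpolating it into the SQL expression is safe` would keep a later edit from loosening that regex. The `$user_edit` lookup block is duplicated verbatim in edit() and save(); a small `_get_user_edit($form, $slashdb, $user)` helper would keep the two admin checks from drifting apart.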
@@ -31,6 +31,18 @@
subscribers: %8d
EOT
+ if ($constants->{subscribe_secretword} eq 'changemenow') {
+ $email .= <<EOT;
+
+*** You have not yet changed your subscribe secret word! ***
+*** Change it now or sneaky users will be able to buy pages ***
+*** without actually buying them! It's the var named: ***
+*** subscribe_secretword ***
+*** (See plugins/Subscribe/README for details on using it.) ***
+
+EOT
+ }
+
$email .= "\n-----------------------\n";
# Send a message to the site admin.
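Review bot: The reminder only fires when `subscribe_secretword` is exactly `'changemenow'`, so a site whose var is unset or empty — the state in which save()'s `eq` comparison is satisfied by a request with no secretword at all — gets no warning. Widen the condition to `if (!defined $constants->{subscribe_secretword} || $constants->{subscribe_secretword} eq '' || $constants->{subscribe_secretword} eq 'changemenow') {` and adjust the message text to say "not set or not changed". The enclosing subroutine and the file header are outside the hunk, so I am assuming `$constants` is the same site-constants hash that subscribe.pl reads.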

