order: Look up prices on the server, not in the POST request. #2750
Closed
rekado
wants to merge 2 commits from
rekado/fsfe-website:catalogue
into master
Reference: FSFE/fsfe-website#2750
The web shop form currently submits not only the amount of selected items to cgi-bin/weborder.pl in a POST request, but also submits the price. weborder.pl trusts these prices and uses them to compute the total. These two commits change this by generating a catalogue.xml containing the prices of all items. weborder.pl then looks up prices in that server-side file instead of accepting arbitrary prices in the user-supplied POST request, thereby guaranteeing that the prices have not been tampered with.

One more thing of note: catalogue.xml does not require any translations as it is not intended for presentation on the website. It could just as well be replaced with a database, but I wanted to keep the number of changes to a minimum.
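The price-trust problem and its fix, as an added Python illustration (not the project's Perl weborder.pl): the catalogue schema, item ids, prices and the form rows are all constructed for this example, and the hardened function reads only item id and quantity from the request.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal

# Constructed catalogue; the real catalogue.xml schema is assumed, not taken from the PR.
CATALOGUE_XML = """<catalogue>
  <item id="hoodie">
    <price>45.00</price>
  </item>
  <item id="sticker-pack">
    <price>3.50</price>
  </item>
</catalogue>"""


def load_catalogue(xml_text):
    """Build the server-side item id -> price table from the catalogue XML."""
    root = ET.fromstring(xml_text)
    return {item.get("id"): Decimal(item.findtext("price")) for item in root.findall("item")}


def total_trusting_client(form):
    """Pre-PR behaviour: the price field in the POST body is trusted as-is."""
    return sum(Decimal(row["price"]) * int(row["quantity"]) for row in form)


def total_from_catalogue(form, catalogue):
    """Post-PR behaviour: read only item id and quantity from the form;
    any price the client sent is ignored and the catalogue price is used."""
    total = Decimal("0")
    for row in form:
        item_id = row["item"]
        if item_id not in catalogue:
            raise ValueError(f"unknown item: {item_id}")
        qty = int(row["quantity"])
        if qty <= 0:
            raise ValueError(f"invalid quantity for {item_id}: {qty}")
        total += catalogue[item_id] * qty
    return total


# Constructed POST payload in which the submitted prices do not match the catalogue.
TAMPERED_FORM = [
    {"item": "hoodie", "quantity": "2", "price": "0.01"},
    {"item": "sticker-pack", "quantity": "4", "price": "0.00"},
]

if __name__ == "__main__":
    cat = load_catalogue(CATALOGUE_XML)
    print(total_trusting_client(TAMPERED_FORM))     # 0.02
    print(total_from_catalogue(TAMPERED_FORM, cat))  # 104.00
```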
The change looks good to me.

We could consider merging all the item.en.xml into a single file (the contents are not translated so we don't gain anything from having separate files per year), which AFAIU would save us the additional step of creating the catalogue.xml file and make things much more straightforward and understandable.

I'm glad you suggest merging all the item files! I was taken aback by the complexity of processing the items when I considered implementing changes to the order form. Having all items in the same XML file would simplify processing and unlock further improvements.

While we're at it, could we also merge all the info.*.xml files (one per language)? Or is there a reason why the year must be encoded in the directory name instead of, say, an XML attribute?

The info.*.xml files are a different topic, since they are translated: ideally there we would have a separate file per item, so if the text for a given item is not translated, the fallback to the English text works automatically, and missing translations can easily be found. So we'd end up with something like:

This obviously requires quite a number of changes, but in the end the result was quite logical, understandable and maintainable.

What do you think?
@rekado Thank you very much for your work on this. I was wondering if there are any blockers. If yes, please let us know and we would do our best to help with them.
@reinhard is there anything I could do to help with this PR?
Completed in #4258, closing
Pull request closed