order: Look up prices on the server, not in the POST request. #2750

Closed

rekado wants to merge 2 commits from rekado/fsfe-website:catalogue into master

pull from: rekado/fsfe-website:catalogue

merge into: FSFE:master

FSFE:master

FSFE:feat/landing-ada

FSFE:20260615-EUtech

FSFE:20260612-podcast

FSFE:fix/events-folder

FSFE:timeline-proposal-bonnie

FSFE:translate/timelineES

FSFE:20260608-newsletter

FSFE:feat/lxml-ft

FSFE:feat/alpine

FSFE:fix/restore-timeline

FSFE:dario-patch-1

FSFE:feat/langs

FSFE:test

FSFE:wiki-links

FSFE:20260226-press

FSFE:refactor-booth-application

FSFE:news-20250922-dma

FSFE:followup-default-mail

FSFE:feature/peertube-for-upcycle-android

Conversation 7 Commits 2 Files Changed 5

+32 -22

rekado commented 2022-08-22 16:10:54 +00:00

First-time contributor

Copy Link

Copy Source

The web shop form currently submits not only the amount of selected items to cgi-bin/weborder.pl in a POST request, but also submits the price. weborder.pl trusts these prices and uses them to compute the total.

These two commits change this by generating a catalogue.xml containing the prices of all items. weborder.pl then looks up prices in that server-side file instead of accepting arbitrary prices in the user-supplied POST request, thereby guaranteeing that the prices have not been tampered with.

The web shop form currently submits not only the amount of selected items to `cgi-bin/weborder.pl` in a POST request, but also submits the *price*. `weborder.pl` trusts these prices and uses them to compute the total. These two commits change this by generating a catalogue.xml containing the prices of all items. weborder.pl then looks up prices in that server-side file instead of accepting arbitrary prices in the user-supplied POST request, thereby guaranteeing that the prices have not been tampered with.

rekado added 2 commits 2022-08-22 16:10:55 +00:00

order: Generate catalogue of items and prices. 3e9d56071e

weborder: Read prices from catalogue, not from the HTTP request. ... 975dd6a835

* cgi-bin/weborder.pl: Parse order/catalogue.xml to look up prices for
item id.
* order/order.xsl: Do not generate hidden form input for price.

rekado commented 2022-08-22 16:12:15 +00:00

Author

First-time contributor

Copy Link

Copy Source

One more thing of note: catalogue.xml does not require any translations as it is not intended for presentation on the website. It could just as well be replaced with a database, but I wanted to keep the number of changes to a minimum.

One more thing of note: catalogue.xml does not require any translations as it is not intended for presentation on the website. It could just as well be replaced with a database, but I wanted to keep the number of changes to a minimum.

max.mehl requested review from reinhard 2022-08-23 14:37:36 +00:00

reinhard commented 2022-08-28 15:45:22 +00:00

Member

Copy Link

Copy Source

The change looks good to me.

We could consider merging all the item.en.xml into a single file (the contents are not translated so we don't gain anything from having separate files per year), which AFAIU save us the additional step of creating the catalogue.xml file and make things much more straightforward and understandable.

The change looks good to me. We could consider merging all the item.en.xml into a single file (the contents are not translated so we don't gain anything from having separate files per year), which AFAIU save us the additional step of creating the `catalogue.xml` file and make things much more straightforward and understandable.

reinhard declined to review 2022-08-28 15:45:32 +00:00

rekado commented 2022-08-28 21:06:11 +00:00

Author

First-time contributor

Copy Link

Copy Source

I'm glad you suggest merging all the item files! I was taken aback by the complexity of processing the items when I considered implementing changes to the order form.
Having all items in the same XML file would simplify processing and unlock further improvements.

While we're at it, could we also merge all the info.*.xml files (one per language)? Or is there a reason why the year must be encoded in the directory name instead of, say, an XML attribute?

I'm glad you suggest merging all the item files! I was taken aback by the complexity of processing the items when I considered implementing changes to the order form. Having all items in the same XML file would simplify processing and unlock further improvements. While we're at it, could we also merge all the `info.*.xml` files (one per language)? Or is there a reason why the year must be encoded in the directory name instead of, say, an XML attribute?

reinhard commented 2022-08-28 21:53:15 +00:00

Member

Copy Link

Copy Source

The info.*.xml files are a different topic, since they are translated: ideally there we would have a separate file per item, so if the text for a given item is not translated, the fallback to the English text works automatically, and missing translations can easily be found.

So we'd end up with something like:

order/data/items.en.xml
order/data/info/pin-gnu-silver.de.xml
order/data/info/pin-gnu-silver.en.xml
order/data/info/pin-gnu-silver.nl.xml
order/data/info/pin-plussy-green.de.xml
order/data/info/pin-plussy-green.en.xml
order/data/info/pin-plussy-green.nl.xml
order/pictures/pin-gnu-silver-large.jpg
order/pictures/pin-gnu-silver-small.jpg
order/pictures/pin-plussy-green-large.jpg
order/pictures/pin-plussy-green-small.jpg

This obviously requires quite a number of changes, but in the end the result was quite logical, understandable and maintainable.

What do you think?

The `info.*.xml` files are a different topic, since they are translated: ideally there we would have a separate file per item, so if the text for a given item is not translated, the fallback to the English text works automatically, and missing translations can easily be found. So we'd end up with something like: ``` order/data/items.en.xml order/data/info/pin-gnu-silver.de.xml order/data/info/pin-gnu-silver.en.xml order/data/info/pin-gnu-silver.nl.xml order/data/info/pin-plussy-green.de.xml order/data/info/pin-plussy-green.en.xml order/data/info/pin-plussy-green.nl.xml order/pictures/pin-gnu-silver-large.jpg order/pictures/pin-gnu-silver-small.jpg order/pictures/pin-plussy-green-large.jpg order/pictures/pin-plussy-green-small.jpg ``` This obviously requires quite a number of changes, but in the end the result was quite logical, understandable and maintainable. What do you think?

bonnie commented 2022-10-12 13:22:36 +00:00

Member

Copy Link

Copy Source

@rekado Thank you very much for your work on this. I was wondering if theire are any blockers. If yes please let us know and we would do our best to help with them.

@rekado Thank you very much for your work on this. I was wondering if theire are any blockers. If yes please let us know and we would do our best to help with them.

bonnie commented 2023-08-30 13:50:55 +00:00

Member

Copy Link

Copy Source

@reinhard is there anything I could do to help with this PR?

@reinhard is there anything I could do to help with this PR?

delliott referenced this pull request 2024-06-21 07:48:34 +00:00

WIP: ordering-improvements #4257

delliott referenced this pull request 2024-06-24 15:25:02 +00:00

Ordering Improvements #4258

delliott referenced this issue from a commit 2024-06-25 09:52:56 +00:00

Change item layout to that specified by reinhard in PR #2750

delliott referenced this issue from a commit 2024-06-25 13:20:11 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-25 13:22:04 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-25 15:46:30 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-26 10:46:40 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-26 13:03:54 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-26 13:19:56 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-26 13:21:07 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-26 13:42:06 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-26 15:48:14 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-27 09:03:23 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-27 13:21:10 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-27 13:32:38 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-27 15:18:59 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-28 07:38:27 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-28 07:43:21 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-28 08:34:34 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-28 08:40:39 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-28 08:50:31 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-06-28 13:10:29 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-07-08 07:36:07 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-07-08 14:14:24 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-07-09 08:19:37 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-07-09 15:06:38 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-07-11 12:29:32 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-07-11 13:52:30 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott referenced this issue from a commit 2024-07-12 08:22:55 +00:00

Change item layout to that specified by reinhard in PR #2750, and update order script to match

delliott commented 2024-07-16 13:59:58 +00:00

Member

Copy Link

Copy Source

Completed in #4258, closing

Completed in https://git.fsfe.org/FSFE/fsfe-website/pulls/4258, closing

delliott closed this pull request 2024-07-16 13:59:59 +00:00

All checks were successful

Hide all checks

continuous-integration/drone/pr Build is passing

Required

Details

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

build

cgi Scripting

design

disruptive

Requires careful coordination and documentation changes

documentation

duplicate

easy

enhancement

Improving what is already there

feature-request

help wanted

javascript

priority/low

question

system-hackers

tagging

text

translations

wait/bugfix

wait/inprogress

wait/misc

wait/proofread

wontfix

xsl

No Label

Milestone

No items

No Milestone

Assignees

Clear assignees

albert (Albert Dengg) alex.busch (alex.busch) alex.sander (alex.sander) anaghz (anaghz) annarita.russo (annarita.russo) ao (André Ockers) bcludts (bcludts) bonnie (bonnie) ciampix (Marco Ciampa) cryptie (cryptie) dario (dario) delliott (delliott) dfajfer (Damian Fajfer) dmaphy (Dominic Hopf) doczkal (Thomas Doczkal) eal (eal) egnun (Erik Grun) eventregbot (eventregbot) fi (fi) floriansnow (Florian Snow) gabriel.ku (gabriel.ku) guido (guido) hf (hf) hugo (hugo) ineiev (ineiev) jithendra (jithendra) jn (jn) jzarl (jzarl) linus (Linus Sehn) lucabon (Luca Bonissi) lucas.lasota (lucas.lasota) max.mehl (Max Mehl) mk (Matthias Kirschner) monochromec (monochromec) mweimann (Michael Weimann) nico.rikken (nico.rikken) patrick (Patrick Ohnewein) reinhard (Reinhard Müller) renovate-bot (Renovate Bot) repentinus (Heiki Lõhmus) schiessle (Björn Schießle) silviarbgl (Silvia Rbgl) sofiaritz (Sofía Aritz) tobiasd (tobiasd) vincent (vincent)

No Assignees

4 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: FSFE/fsfe-website#2750

Allow edits from maintainers