order: Look up prices on the server, not in the POST request. #2750

Open
rekado wants to merge 2 commits from rekado/fsfe-website:catalogue into master
5 changed files with 32 additions and 22 deletions

.gitignore vendored

@ -9,6 +9,7 @@ news/????/index.xsl
news/*/.*.??.xml
global/data/texts/.texts.??.xml
global/data/topbanner/.topbanner.??.xml
order/catalogue.xml
.default.xsl
.localmenu.*.xml
.*.xmllist


@ -155,3 +155,6 @@ localmenus: $(SUBDIRS)
all: xmllists
xmllists: $(SUBDIRS)
tools/update_xmllists.sh
order/catalogue.xml: order/catalogue.xsl $(wildcard order/*/item*.xml)
(echo -e "<?xml version=\"1.0\"?>\n<catalogue>"; xsltproc $^; echo "</catalogue>") > $@
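Review bot: The recipe on the last line of this hunk reports success even when xsltproc fails, because the exit status of a parenthesised group is that of its final `echo`, so a broken or missing item file leaves a truncated `order/catalogue.xml` behind and the CGI script then loads that as its price list. Write to a temporary file and rename only once xsltproc has succeeded, e.g. `(printf '<?xml version="1.0"?>\n<catalogue>\n'; xsltproc $^ && echo '</catalogue>') > $@.tmp && mv $@.tmp $@`. `echo -e` is a bashism and prints a literal `-e` under a POSIX `/bin/sh` such as dash; `printf` behaves the same everywhere. As far as this hunk shows nothing in `all:` depends on `order/catalogue.xml`, so the target may need adding to the default goal or the deploy step — worth confirming against the rest of the Makefile.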


@ -23,6 +23,7 @@ use Encode qw(decode encode);
use POSIX qw(strftime);
use Digest::SHA qw(sha1_hex);
use MIME::Lite;
use XML::LibXML;
use utf8;
# -----------------------------------------------------------------------------
@ -56,7 +57,7 @@ if ($country_code eq 'DE') {
$shipping = 8;
}
# Remove all parameters except for items and prices.
# Remove all parameters except for items.
$query->delete("url", "name", "address", "zip", "city", "country", "email", "phone", "language");
my $lang = substr $language, 0, 2;
@ -83,13 +84,16 @@ if (!$email) {
exit;
}
my $catalogue_file = $ENV{"DOCUMENT_ROOT"} . "/order/catalogue.xml";
my $catalogue = XML::LibXML->load_xml(location => $catalogue_file);
my $count = 0;
my $amount = 0;
foreach $item ($query->param) {
$value = $query->param($item);
if (not $item =~ /^_/ and $value) {
my $price = $query->param("_$item");
if ($value) {
my $price = $catalogue->findvalue("/catalogue/item[\@id=\"$item\"]/\@price");
$count += 1;
$amount += $value * $price;
}
@ -131,8 +135,8 @@ my $body = "$name\n$address\n$zip $city\n$country_name\nPhone: $phone\n\n";
foreach $item ($query->param) {
$value = $query->param($item);
if (not $item =~ /^_/ and $value) {
my $price = $query->param("_$item");
if ($value) {
my $price = $catalogue->findvalue("/catalogue/item[\@id=\"$item\"]/\@price");
$body .= sprintf "%-30s %3u x %5.2f = %6.2f\n", $item, $value, $price, $value * $price;
}
}
@ -165,8 +169,8 @@ push @odtfill, "ZipCity=" . $zip . " " . $city;
push @odtfill, "Country=" . $country_name;
foreach $item ($query->param) {
$value = $query->param($item);
if (not $item =~ /^_/ and $value) {
my $price = $query->param("_$item");
if ($value) {
my $price = $catalogue->findvalue("/catalogue/item[\@id=\"$item\"]/\@price");
push @odtfill, "Count=" . $value;
push @odtfill, "Item=" . $item;
push @odtfill, "Amount=" . sprintf "%.2f", $value * $price;
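Review bot: The request parameter name `$item` is interpolated unescaped into the XPath expression on the new `findvalue` line, and XPath 1.0 string literals have no escape for the quote character, so a parameter name containing `"` breaks the expression — at best XML::LibXML dies and the order fails with a server error, at worst the predicate no longer means what the code intends; the identical lookup is repeated in the two later hunks (the mail body loop and the ODT fill loop). A second gap is that `findvalue` returns an empty string for an id that is not in the catalogue, so an unknown parameter still bumps `$count` and yields an order line at 0.00 instead of being rejected. I would centralise the lookup in one helper that whitelists the id with an anchored pattern and returns undef for unknown items, then skip such items in all three loops; the character class below assumes ids from catalogue.xsl are `<id>_<size>` made of word characters and hyphens, which should be checked against the item files. Each `foreach` here continues past the end of its hunk.
```perl
# Catalogue price for a request parameter name, or undef when the name is
# not a well-formed item id or has no <item> entry. Validating the id before
# building the XPath keeps request data out of the expression.
sub price_of {
    my ($catalogue, $item) = @_;
    return unless $item =~ /\A[A-Za-z0-9_-]+\z/;
    my ($node) = $catalogue->findnodes("/catalogue/item[\@id=\"$item\"]");
    return unless $node;
    return $node->getAttribute('price');
}

# … unchanged: catalogue load …
foreach $item ($query->param) {
    $value = $query->param($item);
    my $price = price_of($catalogue, $item);
    if ($value and defined $price) {
        $count += 1;
        $amount += $value * $price;
    }
```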

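--- a/order/catalogue.xsl
+++ b/order/catalogue.xsl
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:output method="xml" indent="yes" omit-xml-declaration="yes" />
+<xsl:template match="/itemset">
+<xsl:for-each select="item">
+<xsl:variable name="prefix"><xsl:value-of select="@id"/></xsl:variable>
+<xsl:variable name="price"><xsl:value-of select="@price"/></xsl:variable>
+<xsl:for-each select="available">
+<xsl:element name="item">
+<xsl:attribute name="id"><xsl:value-of select="$prefix"/><xsl:text>_</xsl:text><xsl:value-of select="@size"/></xsl:attribute>
+<xsl:attribute name="price"><xsl:value-of select="$price"/></xsl:attribute>
+</xsl:element>
+</xsl:for-each>
+</xsl:for-each>
+</xsl:template>
+</xsl:stylesheet>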
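Review bot: The stylesheet carries no comment stating its contract, which a maintainer needs because its output is only well-formed once the Makefile wraps the concatenated fragments in a `<catalogue>` root — that is why the `xsl:output` line sets `omit-xml-declaration="yes"`. I would add, right after the `xsl:stylesheet` start tag, a comment along the lines of `<!-- Flattens an itemset from order/*/item*.xml into <item id="ID_SIZE" price="P"/> rows; the catalogue.xml rule runs it over every item file and supplies the root element. -->`. The two `xsl:variable` wrappers could also be written as `<xsl:variable name="prefix" select="@id"/>` and `<xsl:variable name="price" select="@price"/>`, which is shorter and avoids building result-tree fragments, though that is only a point of style.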


@ -127,21 +127,6 @@
<xsl:value-of select="@size"/>
</xsl:attribute>
</xsl:element>
<!-- Hidden input to pass price into CGI script -->
<xsl:element name="input">
<xsl:attribute name="type">hidden</xsl:attribute>
<xsl:attribute name="name">
<xsl:text>_</xsl:text>
<xsl:value-of select="$id"/>
<xsl:text>_</xsl:text>
<xsl:value-of select="@size"/>
</xsl:attribute>
<xsl:attribute name="value">
<xsl:value-of select="$price"/>
</xsl:attribute>
</xsl:element>
</xsl:element>
</xsl:for-each>
</xsl:element>