RATESWSX-270: debit/credit: add input validation

ratepay · Nov 10, 2023 · b74cce9 · b74cce9
1 parent e749bb7
commit b74cce9
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 15 deletions.
diff --git a/src/Components/OrderManagement/Controller/ProductPanel.php b/src/Components/OrderManagement/Controller/ProductPanel.php
@@ -30,10 +30,16 @@
 use Shopware\Core\Framework\DataAbstractionLayer\EntityRepository;
 use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
 use Shopware\Core\Framework\Routing\Exception\InvalidRequestParameterException;
+use Shopware\Core\Framework\Validation\DataValidationDefinition;
+use Shopware\Core\Framework\Validation\DataValidator;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Annotation\Route;
+use Symfony\Component\Validator\Constraints\AtLeastOneOf;
+use Symfony\Component\Validator\Constraints\GreaterThan;
+use Symfony\Component\Validator\Constraints\LessThan;
+use Symfony\Component\Validator\Constraints\NotBlank;
 
 /**
  * @Route("/api/ratepay/order-management", defaults={"_routeScope"={"administration"}})
@@ -51,13 +57,16 @@ class ProductPanel extends AbstractController
 
     private LineItemFactory $lineItemFactory;
 
+    private DataValidator $dataValidator;
+
     public function __construct(
         EntityRepository $orderRepository,
         PaymentDeliverService $paymentDeliverService,
         PaymentReturnService $paymentReturnService,
         PaymentCancelService $paymentCancelService,
         PaymentCreditService $creditService,
-        LineItemFactory $lineItemFactory
+        LineItemFactory $lineItemFactory,
+        DataValidator $dataValidator
     ) {
         $this->orderRepository = $orderRepository;
         $this->creditService = $creditService;
@@ -68,6 +77,7 @@ public function __construct(
             OrderOperationData::OPERATION_RETURN => $paymentReturnService,
         ];
         $this->lineItemFactory = $lineItemFactory;
+        $this->dataValidator = $dataValidator;
     }
 
     /**
@@ -152,20 +162,27 @@ public function return(string $orderId, Request $request, Context $context): Jso
      */
     public function addItem(string $orderId, Request $request, Context $context): JsonResponse
     {
-        $name = (string) $request->request->get('name');
-        $grossAmount = (float) (string) $request->request->get('grossAmount');
-        $taxRuleId = (string) $request->request->get('taxId');
-
         $order = $this->fetchOrder($context, $orderId);
 
         if (!$order instanceof OrderEntity) {
-            return $this->json([
-                'success' => false,
-                'message' => 'Order was not found',
-            ], 200);
+            throw $this->createNotFoundException('Order was not found');
         }
 
-        $lineItem = $this->lineItemFactory->createLineItem($order, $name, $grossAmount, $taxRuleId, $context);
+        // validate provided data
+        $definition = new DataValidationDefinition();
+        $definition->add('name', new NotBlank());
+        $definition->add('grossAmount', new NotBlank(), new AtLeastOneOf([new GreaterThan(0), new LessThan(0)]));
+        $definition->add('taxId', new NotBlank());
+
+        $this->dataValidator->validate($request->request->all(), $definition);
+
+        $lineItem = $this->lineItemFactory->createLineItem(
+            $order,
+            $request->request->get('name'),
+            $request->request->get('grossAmount'),
+            $request->request->get('taxId'),
+            $context
+        );
         $response = $this->creditService->doRequest(new AddCreditData($context, $order, [$lineItem]));
         if ($response->getResponse()->isSuccessful()) {
             return $this->json([

diff --git a/...ources/app/administration/src/module/sw-order/component/ratepay-order-management/index.js b/...ources/app/administration/src/module/sw-order/component/ratepay-order-management/index.js
@@ -338,7 +338,7 @@ Component.register('ratepay-order-management', {
                             message = this.$tc('ratepay.errors.' + error.code)
                         }
                         this.createNotificationError({
-                            title: this.$tc('ratepay.orderManagement.messages.failedTitle'),
+                            title: error.title ?? this.$tc('ratepay.orderManagement.messages.failedTitle'),
                             message: message
                         });
                     });

diff --git a/...src/module/sw-order/component/ratepay-order-management/ratepay-order-management.html.twig b/...src/module/sw-order/component/ratepay-order-management/ratepay-order-management.html.twig
@@ -137,7 +137,7 @@
             <sw-text-field :value="addDebit.data.name" v-model="addDebit.data.name"></sw-text-field>
             <label v-if="order.taxStatus == 'net'">{{ $t('ratepay.orderManagement.modal.addDebit.label.amountNet') }}</label>
             <label v-if="order.taxStatus == 'gross'">{{ $t('ratepay.orderManagement.modal.addDebit.label.amountGross') }}</label>
-            <sw-number-field class="rp-price-field" v-model="addDebit.data.amount"></sw-number-field>
+            <sw-number-field class="rp-price-field" v-model="addDebit.data.amount" min="0.01" allowEmpty="false"></sw-number-field>
             <label>{{ $t('ratepay.orderManagement.modal.addDebit.label.tax') }}</label>
             <sw-field type="select"
                       name="sw-field--product-taxId"
@@ -169,10 +169,10 @@
               @modal-close="onCloseCreditModal">
         <template>
             <label>{{ $t('ratepay.orderManagement.modal.addCredit.label.name') }}</label>
-            <sw-text-field :value="addCredit.data.name" v-model="addCredit.data.name"/>
+            <sw-text-field :value="addCredit.data.name" v-model="addCredit.data.name"></sw-text-field>
             <label v-if="order.taxStatus == 'net'">{{ $t('ratepay.orderManagement.modal.addCredit.label.amountNet') }}</label>
             <label v-if="order.taxStatus == 'gross'">{{ $t('ratepay.orderManagement.modal.addCredit.label.amountGross') }}</label>
-            <sw-number-field class="rp-price-field" v-model="addCredit.data.amount"/>
+            <sw-number-field class="rp-price-field" v-model="addCredit.data.amount" min="0.01" allowEmpty="false"></sw-number-field>
             <label>{{ $t('ratepay.orderManagement.modal.addCredit.label.tax') }}</label>
             <sw-field type="select"
                       name="sw-field--product-taxId"

diff --git a/src/Resources/public/administration/js/rpay-payments.js b/src/Resources/public/administration/js/rpay-payments.js