billing: Verify that plan names are not tampered.
This commit is contained in:
parent
82fc82b7e2
commit
15eff517f4
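--- a/TEST_FILE_PATH_NOT_SHOWN
+++ b/TEST_FILE_PATH_NOT_SHOWN
@@ -218,6 +218,18 @@ class StripeTest(ZulipTestCase):
 })
 self.assert_in_success_response(["Something went wrong. Please contact"], result)
 
+@mock.patch("zilencer.lib.stripe.STRIPE_PUBLISHABLE_KEY", "stripe_publishable_key")
+@mock.patch("zilencer.views.STRIPE_PUBLISHABLE_KEY", "stripe_publishable_key")
+def test_upgrade_with_tampered_plan(self) -> None:
+self.login(self.user.email)
+result = self.client_post("/upgrade/", {
+'stripeToken': self.token,
+'signed_seat_count': self.signed_seat_count,
+'salt': self.salt,
+'plan': "invalid"
+})
+self.assert_in_success_response(["Something went wrong. Please contact"], result)
+
 @mock.patch("zilencer.lib.stripe.STRIPE_PUBLISHABLE_KEY", "stripe_publishable_key")
 @mock.patch("zilencer.views.STRIPE_PUBLISHABLE_KEY", "stripe_publishable_key")
 @mock.patch("stripe.Customer.retrieve", side_effect=mock_retrieve_customer)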
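Review bot: test_upgrade_with_tampered_plan asserts only the error text in the response, so a regression that renders the error but still creates the Stripe customer or subscription would pass unnoticed. Patch the creation call the way the neighbouring tests patch `stripe.Customer.retrieve`, for example `@mock.patch("stripe.Customer.create")` on the test and `mock_create_customer.assert_not_called()` after the post, so the test pins the absence of billing side effects. It would also be worth asserting the warning is emitted, e.g. wrapping the post in `with self.assertLogs(level="WARNING") as logs:` and checking that `"Tampered plan"` appears in `logs.output`. The enclosing StripeTest class continues outside the hunk, so whether an existing fixture already provides such a mock is not visible here.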
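--- a/VIEWS_FILE_PATH_NOT_SHOWN
+++ b/VIEWS_FILE_PATH_NOT_SHOWN
@@ -168,6 +168,11 @@ def initial_upgrade(request: HttpRequest) -> HttpResponse:
 return HttpResponseRedirect(reverse('zilencer.views.billing_home'))
 
 if request.method == 'POST':
+plan = request.POST['plan']
+if plan not in [Plan.CLOUD_ANNUAL, Plan.CLOUD_MONTHLY]:
+billing_logger.warning("Tampered plan during realm upgrade. user: %s, realm: %s (%s)."
+% (user.id, user.realm.id, user.realm.string_id))
+error_message = "Something went wrong. Please contact support@zulipchat.com"
 try:
 seat_count = int(unsign_string(request.POST['signed_seat_count'], request.POST['salt']))
 except signing.BadSignature:
@@ -179,7 +184,7 @@ def initial_upgrade(request: HttpRequest) -> HttpResponse:
 stripe_customer = do_create_customer_with_payment_source(user, request.POST['stripeToken'])
 do_subscribe_customer_to_plan(
 stripe_customer=stripe_customer,
-stripe_plan_id=Plan.objects.get(nickname=request.POST['plan']).stripe_plan_id,
+stripe_plan_id=Plan.objects.get(nickname=plan).stripe_plan_id,
 seat_count=seat_count,
 # TODO: billing address details are passed to us in the request;
 # use that to calculate taxes.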
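Review bot: The new `plan = request.POST['plan']` raises MultiValueDictKeyError when the field is absent, so a POST without a plan becomes a 500 instead of reaching the generic error path the branch sets up just below; `plan = request.POST.get('plan')` lets the existing membership check reject the missing value the same way it rejects an unknown one. The warning records only user and realm ids, which is reasonable, but appending `, plan: %r` with `plan` to the format would preserve the rejected value for later investigation, and `%r` keeps any newlines in the attacker-supplied string from breaking log lines. The use of the validated `plan` in the second hunk's `Plan.objects.get(nickname=plan)` is correct, though whether `error_message` short-circuits the Stripe calls before that point is not visible here; initial_upgrade begins and ends outside both hunks.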