close #1 Fixed: Incorrectly Sanitised User Input Hides Offline Payments

cuneytsenturk · cuneytsenturk · commit 9d911f29d82a · 2021-05-01T12:37:23.000+03:00
diff --git a/Http/Requests/Setting.php b/Http/Requests/Setting.php
@@ -25,7 +25,6 @@ public function rules()
     {
         return [
             'name' => 'required|string',
-            'code' => 'required|string',
         ];
     }
 }
diff --git a/Jobs/CreatePaymentMethod.php b/Jobs/CreatePaymentMethod.php
@@ -4,6 +4,7 @@
 
 use App\Abstracts\Job;
 use App\Utilities\Modules;
+use Illuminate\Support\Str;
 
 class CreatePaymentMethod extends Job
 {
@@ -28,8 +29,10 @@ public function handle()
     {
         $methods = json_decode(setting('offline-payments.methods'), true);
 
+        $code = 'offline-payments.' . Str::slug($this->request->get('name'), '_') . '.' . (count($methods) + 1);
+
         $payment_method = [
-            'code' => 'offline-payments.' . $this->request->get('code') . '.' . (count($methods) + 1),
+            'code' => $code,
             'name' => $this->request->get('name'),
             'customer' => $this->request->get('customer'),
             'order' => $this->request->get('order'),
diff --git a/Jobs/DeletePaymentMethod.php b/Jobs/DeletePaymentMethod.php
@@ -62,7 +62,10 @@ public function handle()
     public function authorize()
     {
         if ($relationships = $this->getRelationships()) {
-            $message = trans('messages.warning.deleted', ['name' => $this->request->get('code'), 'text' => implode(', ', $relationships)]);
+            $methods = json_decode(setting('offline-payments.methods'), true);
+            $method = $methods[array_search($this->request->get('code'), array_column($methods, 'code'))];
+
+            $message = trans('messages.warning.deleted', ['name' => $method['name'], 'text' => implode(', ', $relationships)]);
 
             throw new \Exception($message);
         }
diff --git a/Jobs/UpdatePaymentMethod.php b/Jobs/UpdatePaymentMethod.php
@@ -40,7 +40,7 @@ public function handle()
             $method = explode('.', $code);
 
             $payment_method = [
-                'code' => 'offline-payments.' . $this->request->get('code') . '.' . $method[2],
+                'code' => $code,
                 'name' => $this->request->get('name'),
                 'customer' => $this->request->get('customer'),
                 'order' => $this->request->get('order'),
diff --git a/Resources/views/edit.blade.php b/Resources/views/edit.blade.php
@@ -27,8 +27,6 @@
                         <div class="row">
                             {{ Form::textGroup('name', trans('general.name'), 'money-check', ['required' => 'required'], null, 'col-md-12') }}
 
-                            {{ Form::textGroup('code', trans('offline-payments::general.form.code'), 'code', ['required' => 'required'], null, 'col-md-12') }}
-
                             {{ Form::radioGroup('customer', trans('offline-payments::general.form.customer'), 0, trans('general.yes'), trans('general.no'), ['required' => 'required'], 'col-md-12') }}
 
                             {{ Form::textGroup('order', trans('offline-payments::general.form.order'), 'sort', [], null, 'col-md-12') }}
@@ -61,7 +59,7 @@
                         <thead class="thead-light">
                             <tr class="row table-head-line">
                                 <th class="col-xs-6 col-sm-4 col-md-4 col-lg-3">{{ trans('general.name') }}</th>
-                                <th class="col-sm-4  col-md-4 col-lg-4 hidden-sm">{{ trans('offline-payments::general.form.code') }}</th>
+                                <th class="col-sm-4  col-md-4 col-lg-4 hidden-sm">{{ trans('general.description') }}</th>
                                 <th class="col-lg-2 hidden-lg">{{ trans('offline-payments::general.form.order') }}</th>
                                 <th class="col-xs-6 col-sm-4 col-md-4 col-lg-3 text-center">{{ trans('general.actions') }}</th>
                             </tr>
@@ -71,7 +69,7 @@
                                 @foreach($methods as $item)
                                     <tr class="row align-items-center border-top-1" id="method-{{ $item->code }}">
                                         <td class="col-xs-6 col-sm-4 col-md-4 col-lg-3">{{ $item->name }}</td>
-                                        <td class="col-sm-4 col-md-4 col-lg-4 hidden-sm">{{ $item->code }}</td>
+                                        <td class="col-sm-4 col-md-4 col-lg-4 hidden-sm long-texts">{{ ($item->description) ?? trans('general.na') }}</td>
                                         <td class="col-lg-2 hidden-lg">{{ $item->order }}</td>
                                         <td class="col-xs-6 col-sm-4 col-md-4 col-lg-3 text-center">
                                             <div class="dropdown">

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,6 @@ public function rules()`
`25`	`25`	`{`
`26`	`26`	`return [`
`27`	`27`	`'name' => 'required\|string',`
`28`		`- 'code' => 'required\|string',`
`29`	`28`	`];`
`30`	`29`	`}`
`31`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,10 @@ public function handle()`
`62`	`62`	`public function authorize()`
`63`	`63`	`{`
`64`	`64`	`if ($relationships = $this->getRelationships()) {`
`65`		`- $message = trans('messages.warning.deleted', ['name' => $this->request->get('code'), 'text' => implode(', ', $relationships)]);`
	`65`	`+ $methods = json_decode(setting('offline-payments.methods'), true);`
	`66`	`+ $method = $methods[array_search($this->request->get('code'), array_column($methods, 'code'))];`
	`67`	`+`
	`68`	`+ $message = trans('messages.warning.deleted', ['name' => $method['name'], 'text' => implode(', ', $relationships)]);`
`66`	`69`
`67`	`70`	`throw new \Exception($message);`
`68`	`71`	`}`