This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | /** |
||
3 | * Finance module for HiPanel |
||
4 | * |
||
5 | * @link https://github.com/hiqdev/hipanel-module-finance |
||
6 | * @package hipanel-module-finance |
||
7 | * @license BSD-3-Clause |
||
8 | * @copyright Copyright (c) 2015-2019, HiQDev (http://hiqdev.com/) |
||
9 | */ |
||
10 | |||
11 | namespace hipanel\modules\finance\controllers; |
||
12 | |||
13 | use hipanel\modules\finance\models\Merchant; |
||
14 | use hiqdev\hiart\ResponseErrorException; |
||
15 | use hiqdev\yii2\merchant\actions\RequestAction; |
||
16 | use hiqdev\yii2\merchant\events\TransactionInsertEvent; |
||
17 | use hiqdev\yii2\merchant\transactions\Transaction; |
||
18 | use function is_array; |
||
19 | use Yii; |
||
20 | use yii\base\InvalidParamException; |
||
21 | use yii\helpers\Json; |
||
22 | |||
23 | /** |
||
24 | * Class PayController. |
||
25 | * |
||
26 | * @property \hipanel\modules\finance\Module $module |
||
27 | */ |
||
28 | class PayController extends \hiqdev\yii2\merchant\controllers\PayController |
||
29 | { |
||
30 | const SESSION_MERCHANT_LATEST_TRANSACTION_ID = 'MERCHANT_LATEST_TRANSACTION_ID'; |
||
31 | 1 | ||
32 | public function actions() |
||
33 | 1 | { |
|
34 | 1 | return array_merge(parent::actions(), [ |
|
35 | 'request' => [ |
||
36 | 'class' => RequestAction::class, |
||
37 | 'on ' . RequestAction::EVENT_AFTER_TRANSACTION_INSERT => function (TransactionInsertEvent $event) { |
||
38 | if ($event->transaction instanceof Transaction) { |
||
39 | Yii::$app->session->set(self::SESSION_MERCHANT_LATEST_TRANSACTION_ID, $event->transaction->getId()); |
||
40 | 1 | } |
|
41 | }, |
||
42 | ], |
||
43 | ]); |
||
44 | } |
||
45 | |||
46 | public function getMerchantModule() |
||
47 | { |
||
48 | return $this->module->getMerchant(); |
||
49 | } |
||
50 | |||
51 | public function render($view, $params = []) |
||
52 | { |
||
53 | return $this->getMerchantModule()->getPayController()->render($view, $params); |
||
54 | } |
||
55 | |||
56 | public function checkNotify(string $transactionId = null): ?Transaction |
||
57 | { |
||
58 | $transactionIdSources = [ |
||
59 | $transactionId, |
||
60 | Yii::$app->request->get('transactionId'), |
||
61 | Yii::$app->request->post('transactionId'), |
||
62 | Yii::$app->session->get(self::SESSION_MERCHANT_LATEST_TRANSACTION_ID), |
||
63 | Yii::$app->request->get('orderId'), |
||
64 | Yii::$app->request->post('orderId'), |
||
65 | ]; |
||
66 | |||
67 | foreach (array_filter($transactionIdSources) as $possibleTransactionId) { |
||
68 | $transaction = $this->getMerchantModule()->findTransaction($possibleTransactionId); |
||
69 | if ($transaction !== null) { |
||
70 | break; |
||
71 | } |
||
72 | } |
||
73 | |||
74 | if (!isset($transaction)) { |
||
75 | return null; |
||
76 | } |
||
77 | |||
78 | $data = array_merge([ |
||
79 | 'merchant' => $transaction->getMerchant(), |
||
80 | 'username' => $transaction->getParameter('username'), |
||
81 | ], $_REQUEST); |
||
82 | Yii::info(http_build_query($data), 'merchant'); |
||
83 | |||
84 | if (($input = file_get_contents('php://input')) !== null) { |
||
85 | try { |
||
86 | $data['rawBody'] = Json::decode($input); |
||
87 | } catch (InvalidParamException $e) { |
||
0 ignored issues
–
show
Coding Style
Comprehensibility
introduced
by
Loading history...
|
|||
88 | } |
||
89 | } |
||
90 | |||
91 | try { |
||
92 | return Yii::$app->get('hiart')->callWithDisabledAuth(function () use ($transaction, $data) { |
||
93 | $result = Merchant::perform('pay-transaction', $data); |
||
94 | $this->completeTransaction($transaction, $result); |
||
95 | |||
96 | return $transaction; |
||
97 | }); |
||
98 | } catch (ResponseErrorException $e) { |
||
99 | } // Does not matter, let's try the old way then. |
||
100 | |||
101 | try { |
||
102 | return Yii::$app->get('hiart')->callWithDisabledAuth(function () use ($transaction, $data) { |
||
103 | $result = Merchant::perform('pay', $data); |
||
104 | $this->completeTransaction($transaction, $result); |
||
105 | |||
106 | return $transaction; |
||
107 | }); |
||
108 | } catch (ResponseErrorException $e) { |
||
109 | } // Still no luck? Then it's not the right request. |
||
110 | |||
111 | |||
112 | return $transaction; |
||
113 | } |
||
114 | |||
115 | public function actionProxyNotification() |
||
116 | { |
||
117 | // Currently used at least for FreeKassa integration |
||
118 | $data = array_merge(Yii::$app->request->get(), Yii::$app->request->post()); |
||
119 | |||
120 | $result = Yii::$app->get('hiart')->callWithDisabledAuth(function () use ($data) { |
||
121 | return Merchant::perform('pay-transaction', $data); |
||
122 | }); |
||
123 | |||
124 | $this->layout = false; |
||
125 | |||
126 | return $result; |
||
127 | } |
||
128 | |||
129 | /** |
||
130 | * @param Transaction $transaction |
||
131 | * @param string|array $response |
||
132 | * @return Transaction |
||
133 | * @throws \yii\base\ExitException |
||
134 | */ |
||
135 | protected function completeTransaction($transaction, $response) |
||
136 | { |
||
137 | if ($transaction->isCompleted() || isset($response['_error'])) { |
||
138 | return $transaction; |
||
139 | } |
||
140 | |||
141 | if ($response === '"OK"') { |
||
142 | echo $response; |
||
143 | Yii::$app->end(); |
||
144 | } |
||
145 | |||
146 | if (!is_array($response)) { |
||
147 | return $transaction; |
||
148 | } |
||
149 | |||
150 | $transaction->complete(); |
||
151 | $transaction->addParameter('bill_id', $response['id']); |
||
152 | |||
153 | $this->getMerchantModule()->saveTransaction($transaction); |
||
154 | |||
155 | return $transaction; |
||
156 | } |
||
157 | } |
||
158 |