accept CVV2 on self-service manual payment screen
authorivan <ivan>
Mon, 22 Jan 2007 02:42:08 +0000 (02:42 +0000)
committerivan <ivan>
Mon, 22 Jan 2007 02:42:08 +0000 (02:42 +0000)
FS/FS/ClientAPI/MyAccount.pm
fs_selfservice/FS-SelfService/cgi/make_payment.html
fs_selfservice/FS-SelfService/cgi/selfservice.cgi

index 0ab1d8a..675ae0b 100644 (file)
@@ -326,17 +326,15 @@ sub process_payment {
     return { 'error' => gettext('unknown_card_type') }
       if cardtype($payinfo) eq "Unknown";
 
-    if ( defined $cust_main->dbdef_table->column('paycvv') ) {
-      if ( length($p->{'paycvv'} ) ) {
-        if ( cardtype($payinfo) eq 'American Express card' ) {
-          $p->{'paycvv'} =~ /^(\d{4})$/
-            or return { 'error' => "CVV2 (CID) for American Express cards is four digits." };
-          $paycvv = $1;
-        } else {
-          $p->{'paycvv'} =~ /^(\d{3})$/
-            or return { 'error' => "CVV2 (CVC2/CID) is three digits." };
-          $paycvv = $1;
-        }
+    if ( length($p->{'paycvv'}) && $p->{'paycvv'} !~ /^\s*$/ ) {
+      if ( cardtype($payinfo) eq 'American Express card' ) {
+        $p->{'paycvv'} =~ /^\s*(\d{4})\s*$/
+          or return { 'error' => "CVV2 (CID) for American Express cards is four digits." };
+        $paycvv = $1;
+      } else {
+        $p->{'paycvv'} =~ /^\s*(\d{3})\s*$/
+          or return { 'error' => "CVV2 (CVC2/CID) is three digits." };
+        $paycvv = $1;
       }
     }
   
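Review bot: After the two `$paycvv = $1;` captures the value's fate is not visible, because process_payment continues past the hunk; a CVV2 is an authorization-only secret, so a comment at the first capture such as `# CVV2 is passed to the gateway for this authorization only; never persist or log it` would tell the next maintainer what the rest of the function must respect. The commit also drops the `dbdef_table->column('paycvv')` guard, which suggests the value was previously tied to a database column; if the remainder of the function still writes it to cust_main, that guard mattered — I am inferring, since the store is outside the hunk. Minor: `length($p->{'paycvv'})` on an absent key emits an uninitialized-value warning on older perls, and `if ( defined $p->{'paycvv'} && $p->{'paycvv'} !~ /^\s*$/ ) {` is quieter while keeping the same whitespace-only-means-absent semantics.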
index 1bbbe90..64b1e00 100644 (file)
@@ -1,5 +1,18 @@
 <HTML><HEAD><TITLE>MyAccount</TITLE></HEAD>
-<BODY BGCOLOR="#eeeeee"><FONT SIZE=5>MyAccount</FONT><BR><BR>
+<BODY BGCOLOR="#eeeeee">
+<script language="JavaScript"><!--
+  var mywindow = -1;
+  function myopen(filename,windowname,properties) {
+    myclose();
+    mywindow = window.open(filename,windowname,properties);
+  }
+  function myclose() {
+    if ( mywindow != -1 )
+      mywindow.close();
+    mywindow = -1
+  }
+//--></script>
+<FONT SIZE=5>MyAccount</FONT><BR><BR>
 <%= $url = "$selfurl?session=$session_id;action="; ''; %>
 <%= include('myaccount_menu') %>
 <TD VALIGN="top">
@@ -60,6 +73,9 @@
     </TABLE>
   </TD>
 </TR><TR>
+  <TD ALIGN="right">CVV2&nbsp;(<A HREF="javascript:myopen('cvv2.html','cvv2','toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,resizable=yes,copyhistory=no,width=480,height=288')">help</A>)</TD>
+  <TD><INPUT TYPE="text" NAME="paycvv" VALUE="" SIZE=4 MAXLENGTH=4></TD></TR>
+</TR><TR>
   <TD ALIGN="right">Exact&nbsp;name&nbsp;on&nbsp;card</TD>
   <TD><INPUT TYPE="text" SIZE=32 MAXLENGTH=80 NAME="payname" VALUE="<%=$payname%>"></TD>
 </TR><TR>
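Review bot: The new CVV2 row closes the table row twice: the `<INPUT ... NAME="paycvv">` line ends with `</TD></TR>` and the next added line is `</TR><TR>`, so one `</TR>` is stray (compare the payname row below, whose TD line does not close the row and relies on the shared `</TR><TR>` line); drop the `</TR>` from the input line. The CVV2 field is a plain text input that browsers may offer to autofill or keep in saved-form history, and since the value is a one-time authorization code it should not be retained client-side: `<TD><INPUT TYPE="text" NAME="paycvv" VALUE="" SIZE=4 MAXLENGTH=4 AUTOCOMPLETE="off"></TD>`. MAXLENGTH=4 agrees with the `.{0,4}` check added in selfservice.cgi.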
index 1fc2e5f..975203d 100644 (file)
@@ -238,6 +238,10 @@ sub payment_results {
 
   use Business::CreditCard;
 
+  #we should only do basic checking here for DoS attacks and things
+  #that couldn't be constructed by the web form...  let process_payment() do
+  #the rest, it gives better error messages
+
   $cgi->param('amount') =~ /^\s*(\d+(\.\d{2})?)\s*$/
     or die "illegal amount"; #!!!
   my $amount = $1;
@@ -258,6 +262,9 @@ sub payment_results {
       or die "not a ". $cgi->param('card_type');
   }
 
+  $cgi->param('paycvv') =~ /^\s*(.{0,4})\s*$/ or die "illegal CVV2";
+  my $paycvv = $1;
+
   $cgi->param('month') =~ /^(\d{2})$/ or die "illegal month";
   my $month = $1;
   $cgi->param('year') =~ /^(\d{4})$/ or die "illegal year";
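Review bot: The new `.{0,4}` check accepts any four non-newline characters, while the sibling month and year checks on the following lines accept digits only; given the comment above this hunk that this layer should reject what the form cannot produce, `$cgi->param('paycvv') =~ /^\s*(\d{0,4})\s*$/ or die "illegal CVV2";` is the consistent form and costs nothing, since process_payment still enforces the three- or four-digit rule per card type. The die message correctly omits the submitted value, unlike the card_type die two lines up that concatenates user input into its message; keep it that way so the CVV2 cannot land in an error log. If the parameter is absent the match runs against undef and yields an empty `$1`, which is then forwarded as an empty paycvv — that appears intentional given process_payment treats an empty value as "no CVV2", though it does trigger an uninitialized-value warning under `use warnings`.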
@@ -294,6 +301,7 @@ sub payment_results {
     'session_id' => $session_id,
     'amount'     => $amount,
     'payinfo'    => $payinfo,
+    'paycvv'     => $paycvv,
     'month'      => $month,
     'year'       => $year,
     'payname'    => $payname,