[freeside-devel] Re: Commissions template

Jason Spence thalakan at technologist.com
Thu Aug 24 11:12:02 PDT 2000


On Thu, Aug 24, 2000 at 12:55:53AM -0700, ivan screamed
'ROTTEN PURPLE BANANAS!!!' and: 
> I had expected the agent tables to be more useful for commision-tracking
> than the otaker field.  Very interesting.  Perhaps in your situation you'd
> want the Agent to be setup automatically based on the otaker, rather than
> selectable in the web interface.

Yes, exactly.  We have sales agents log in once when their sales kiosk is
booted, and then they have no way to masquerade as another sales agent.  I
can't see why they would want to, because they'd be handing someone else
the commission, but I don't trust them to not do that by accident.

> A couple security problems pointed out below; otherwise looks fine. 
> $cgi->param('otaker') came from the user[1] so it shouldn't be trusted
> until it's been untainted - checked to make sure it contains only the data
> we expect it should.
> 
> Try something like this:
> 
> 	$cgi->param('otaker') =~ /^(\w+)$/
> 	  or do_some_error_fu("Invalid otaker");
> 	my $otaker = $1;
> 
> Then use $otaker below instead of $cgi->param('otaker');
> 
> Take a look at the stuff in htdocs/search/ for more examples of untainting
> user input in this context. 

Oh yeah, duh.  *slap*  I knew that.  

Actually, we probably need to add a table containing a list of all the users
in mapsecrets, and then some glue to export the mapsecrets file.  This way, we
can enumerate the agents for a commission report that will allow the
accountants to select a sales agent to generate a commission report for,
instead of having to remember their otaker username.  I don't know if you want
to move the main branch of Freeside in that direction, though...

So maybe something like

use FS::otakers;
use FS::Record qw(qsearch);
...
# untaint first: only the captured group loses the taint flag, and
# "! $x =~ /re/" would negate $x before matching, so test the match itself
my $otaker;
if ($cgi->param('otaker') =~ /^(\w+)$/) {
	$otaker = $1;
} else {
	do_some_error_fu("Invalid otaker");
}
if (! qsearch('otakers', {otaker => $otaker})) {
	do_some_error_fu("Sales agent not found in database.  Add him/her.");
}

> >     print "Commission schedule for agent: " . $cgi->param('otaker');
> >     print $cgi->hr;
> >     print $cgi->br;
> >     print $cgi->br;
> >     @customers = qsearch('cust_main', {'otaker' => $cgi->param('otaker')});
> >     $i = 0;
> >     for $customer (@customers) {
> > 	print "Customer ID: " . $customer->getfield('custnum');
> > 	print ": ";
> > 	print $customer->getfield('first');
> > 	print " ";
> > 	print $customer->getfield('last');
> > 	print $cgi->br();
> > 	$i++;
> >     }
> > 
> >     print $cgi->br();
> >     print "Total customers: $i";
> > }
> > 
> > </snip>
> 
> [1] (and, perhaps even unknowingly; it's trivial to construct a link which
> contains form parameters)

Have you been reading ASR, ivan? :)

 - Jason
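The untainting ivan describes and the agent-table lookup Jason proposes, as an added stand-alone example that is not Freeside code and is not from either poster.  The %known_agent hash is a constructed stand-in for the proposed "otakers" table, untaint_otaker() and agent_for_param() are hypothetical helper names, and the sample inputs are constructed; the script uses Scalar::Util::tainted() to show that only the regex capture clears Perl's taint flag.

```perl
#!/usr/bin/perl -T
# Added example, not Freeside code: untaint a CGI 'otaker' value the way
# ivan suggests, then check it against an allow-list of known agents.
# Must be run under taint mode:  perl -T untaint_otaker.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed stand-in for the proposed "otakers" table (hypothetical;
# in Freeside this would be a qsearch() against a real table).
my %known_agent = map { $_ => 1 } qw(jason ivan);

# Return the untainted agent name, or undef if it is not a single \w+ token.
# Only the captured group ($1) of a successful match loses the taint flag;
# copying the scalar, lc(), or substr() does not.
sub untaint_otaker {
    my ($raw) = @_;
    return undef unless defined $raw;
    # Note: "! $raw =~ /re/" would negate $raw first and then match the
    # result; use the match itself as the condition and read $1.
    return $raw =~ /^(\w+)$/ ? $1 : undef;
}

# Validate and look up in one place; die with a message the caller can show.
sub agent_for_param {
    my ($raw) = @_;
    my $otaker = untaint_otaker($raw);
    die "Invalid otaker\n" unless defined $otaker;
    die "Sales agent '$otaker' not found in database.  Add him/her.\n"
        unless $known_agent{$otaker};
    return $otaker;
}

# Simulate input from a CGI parameter: under -T every value in %ENV is
# tainted, and concatenating an empty tainted substring taints the result,
# which is the same state a real $cgi->param() value arrives in.
my $taint = substr($ENV{PATH} // '', 0, 0);
for my $raw ("jason$taint", "ivan; rm -rf /$taint", "nobody$taint") {
    printf "raw=%-20s tainted=%d\n", "'$raw'", tainted($raw) ? 1 : 0;
    my $agent = eval { agent_for_param($raw) };
    if (defined $agent) {
        printf "  accepted '%s' (tainted=%d)\n", $agent, tainted($agent) ? 1 : 0;
    } else {
        print "  rejected: $@";
    }
}
```

Run it with `perl -T` (the shebang alone is rejected with "Too late for -T" if you start it as `perl script.pl`).  The first input is accepted and reported as no longer tainted, the second fails the /^(\w+)$/ check, and the third is well-formed but absent from the agent table, which is the case the proposed otakers table is meant to catch.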
