authorivan <ivan>2002-02-10 18:56:49 +0000
committerivan <ivan>2002-02-10 18:56:49 +0000
commitddb53fcc9fc80561354b97e4e7803004990138d0 (patch)
tree350d10f3dd5f824cb14455172fab8e8ffe3584b5
parentb05f4d252a27eab0a6fa8212abf920c0fa24a509 (diff)
use unique tokens to prevent double-submission of payments in the web UI
(closes: Bug#320)
-rw-r--r--FS/FS/cust_pay.pm13
-rw-r--r--README.1.4.0pre919
-rwxr-xr-xbin/fs-setup4
-rw-r--r--httemplate/docs/upgrade8.html3
-rwxr-xr-xhttemplate/edit/cust_pay.cgi7
5 files changed, 41 insertions, 5 deletions
diff --git a/FS/FS/cust_pay.pm b/FS/FS/cust_pay.pm
index 839571a95..6156eadeb 100644
--- a/FS/FS/cust_pay.pm
+++ b/FS/FS/cust_pay.pm
@@ -136,6 +136,17 @@ sub insert {
}
}
+ if ( $self->paybatch =~ /^webui-/ ) {
+ my @cust_pay = qsearch('cust_pay', {
+ 'custnum' => $self->custnum,
+ 'paybatch' => $self->paybatch,
+ } );
+ if ( scalar(@cust_pay) > 1 ) {
+ $dbh->rollback if $oldAutoCommit;
+ return "a payment with webui token ". $self->paybatch. " already exists";
+ }
+ }
+
$dbh->commit or die $dbh->errstr if $oldAutoCommit;
#false laziness w/ cust_credit::insert
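Review bot: The duplicate check added after the insert counts rows inside the still-open transaction, so two concurrent submissions of the same form can each see only their own row, both fail the `scalar(@cust_pay) > 1` test, and both commit; the double-click case it is meant to stop is exactly the concurrent one. The reliable guard is a unique constraint at the database — the commit adds a plain index on paybatch (README, fs-setup), which does not prevent the second row — with the insert's unique-violation error mapped to the "already exists" message, and the in-transaction query kept at most as a fast-path check. Also, the guard only applies when paybatch begins with `webui-` and the token is not tied to a session, so a client that blanks or changes the hidden field bypasses it; a comment such as `# webui- tokens guard against accidental re-submission (reload/double click), not deliberate replay` would stop a later reader from relying on it for more. The enclosing `insert` starts before this hunk, so `$dbh` and `$oldAutoCommit` are presumably established there.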
@@ -348,7 +359,7 @@ sub unapplied {
=head1 VERSION
-$Id: cust_pay.pm,v 1.16 2002-02-07 22:29:34 ivan Exp $
+$Id: cust_pay.pm,v 1.17 2002-02-10 18:56:49 ivan Exp $
=head1 BUGS
diff --git a/README.1.4.0pre9 b/README.1.4.0pre9
new file mode 100644
index 000000000..3ab2b4233
--- /dev/null
+++ b/README.1.4.0pre9
@@ -0,0 +1,19 @@
+the following is necessary to upgrade from 1.4.0pre8 to 1.4.0pre9
+
+if you're upgradeing from before 1.4.0pre8 see README.1.4.0pre8 first!
+
+if you're upgrading from 1.3.1 follow the instructions in
+httemplate/docs/upgrade8.html instead
+
+-----
+
+install the FS perl modules and httemplate as per install.html or upgrade8.html
+
+CREATE INDEX cust_pay2 ON cust_pay ( paynum );
+CREATE INDEX cust_pay3 ON cust_pay ( custnum );
+CREATE INDEX cust_pay4 ON cust_pay ( paybatch );
+
+Run bin/dbdef-create
+
+Restart Apache and freeside-queued
+
diff --git a/bin/fs-setup b/bin/fs-setup
index 07c9709a1..5f8059425 100755
--- a/bin/fs-setup
+++ b/bin/fs-setup
@@ -1,6 +1,6 @@
#!/usr/bin/perl -Tw
#
-# $Id: fs-setup,v 1.75 2002-02-06 15:07:49 ivan Exp $
+# $Id: fs-setup,v 1.76 2002-02-10 18:56:49 ivan Exp $
#to delay loading dbdef until we're ready
BEGIN { $FS::Record::setup_hack = 1; }
@@ -500,7 +500,7 @@ sub tables_hash_hack {
],
'primary_key' => 'billpaynum',
'unique' => [ [] ],
- 'index' => [ [ 'paynum', 'invnum' ] ],
+ 'index' => [ [ 'paynum' ], [ 'custnum' ], [ 'paybatch' ] ],
},
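Review bot: The table whose `'index'` entry is rewritten here has `'primary_key' => 'billpaynum'`, which looks like cust_bill_pay rather than cust_pay, while the README and upgrade8.html in the same commit create the new custnum/paybatch indexes on cust_pay. If that is cust_bill_pay, the new entries name columns that table presumably does not have and the old `[ 'paynum', 'invnum' ]` index is dropped from it, so dbdef-create would disagree with the documented schema; the `[ 'custnum' ], [ 'paybatch' ]` entries presumably belong on the cust_pay definition a few hundred lines further on in tables_hash_hack, which starts before this hunk. Note also that the README's `CREATE INDEX cust_pay2 ON cust_pay ( paynum )` indexes what is already the primary key, which hints at the same mix-up; confirm against the column lists, which are outside this hunk.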
'cust_pay_batch' => { #what's this used for again? list of customers
diff --git a/httemplate/docs/upgrade8.html b/httemplate/docs/upgrade8.html
index b243eba75..2c7008a6c 100644
--- a/httemplate/docs/upgrade8.html
+++ b/httemplate/docs/upgrade8.html
@@ -192,6 +192,9 @@ CREATE INDEX cust_credit_refund1 ON cust_credit_refund ( crednum );
CREATE INDEX cust_credit_refund2 ON cust_credit_refund ( refundnum );
CREATE UNIQUE INDEX cust_pay_batch_pkey ON cust_pay_batch ( paybatchnum );
CREATE UNIQUE INDEX part_svc_column1 ON part_svc_column ( svcpart, columnname );
+CREATE INDEX cust_pay2 ON cust_pay ( paynum );
+CREATE INDEX cust_pay3 ON cust_pay ( custnum );
+CREATE INDEX cust_pay4 ON cust_pay ( paybatch );
</pre>
<li>If you are using PostgreSQL, apply the following changes to your database:
diff --git a/httemplate/edit/cust_pay.cgi b/httemplate/edit/cust_pay.cgi
index 27d36eb54..f6ae7b299 100755
--- a/httemplate/edit/cust_pay.cgi
+++ b/httemplate/edit/cust_pay.cgi
@@ -32,6 +32,8 @@ if ( $cgi->param('error') ) {
}
my $_date = time;
+my $paybatch = "webui-$_date-$$-". rand() * 2**32;
+
my $p1 = popurl(1);
print header("Post payment", '');
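Review bot: The token on the new `$paybatch` line is built with `rand() * 2**32`, which yields a float with a fractional part, so the stored paybatch looks like `webui-1013367409-1234-2718281828.45905` and its exact spelling depends on Perl's number-to-string conversion; `int(rand(2**32))` gives a stable integer token with the same uniqueness. `rand()` is a uniqueness source here, not a secret — the token is emitted to the client in a hidden field and nothing server-side records it — so it only detects the same form being posted twice; a comment like `# per-form token so cust_pay::insert can reject a reload/double-submit; not a secret` would make that limit explicit for the next person who tries to treat it as CSRF protection. The surrounding CGI script continues outside this hunk.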
@@ -111,11 +113,12 @@ print qq!<TR><TD ALIGN="right">Check #</TD><TD BGCOLOR="#ffffff"><INPUT TYPE="te
print qq!<TR><TD ALIGN="right">Auto-apply<BR>to invoices</TD><TD><SELECT NAME="apply"><OPTION VALUE="yes" SELECTED>yes<OPTION>no</SELECT></TD>!;
+print "</TABLE>";
+
#paybatch
-print qq!<INPUT TYPE="hidden" NAME="paybatch" VALUE="">!;
+print qq!<INPUT TYPE="hidden" NAME="paybatch" VALUE="$paybatch">!;
print <<END;
-</TABLE>
<BR>
<INPUT TYPE="submit" VALUE="Post payment">
</FORM>